Mod Auth OpenIDC


  • Install mod_auth_openidc for Apache:
    Use apt install libapache2-mod-auth-openidc for a Debian system.

  • Load the module in Apache via httpd.conf:

    LoadModule auth_openidc_module modules/
    On Debian, use a2enmod auth_openidc and restart Apache.

  • Complete Apache’s httpd.conf file.
    The following example requires customization according to your context.

    <VirtualHost *:443>
        # Server setup
        ServerName myapplication.tld
        # … your particular directives …
        # OpenID Connect setup
        OIDCClientID trustelem.oidc.XXXXXXXXX
        OIDCClientSecret XXXXXXXX
        OIDCRedirectURI https://myapplication.tld/redirect_uri
        OIDCCryptoPassphrase XXXXXXXX
        OIDCScope "openid"
        <Location /sso-login>
            AuthType openid-connect
            Require valid-user
        </Location>
        # Specific session cookie durations (seconds)
        OIDCSessionInactivityTimeout 300
        OIDCSessionMaxDuration 36000
    </VirtualHost>
    The OIDCCryptoPassphrase parameter is used in particular for encrypting user session cookies.

  • To log users out from inside the application, associate a logout URL with an HTML element such as a button or a link. This URL is the redirect_uri with a logout= parameter whose value is the post-logout URL in URL-encoded form.
    For example, the logout URL could be: https://myapplication.tld/redirect_uri?logout=https%3A%2F%2Fmyapplication.tld

  • Set up Trustelem with the following parameters:
    - RedirectURI: this URL is defined in the web server configuration (see httpd.conf).
    With the previous example, the RedirectURI would be: https://myapplication.tld/redirect_uri
    - Login URL: the application’s URL starting the OIDC flow. It is used as a target for the application on the Trustelem user’s dashboard.
    With the previous example, the URL would be: https://myapplication.tld/sso-login
    - PostLogoutRedirectURI: the URL that indicates where to go after a logout. It is usually defined in the logout HTML element of your application.
    With the previous logout example, the PostLogout URL would be: https://myapplication.tld


  • The attributes sent by Trustelem are provided to the application as $_SERVER["OIDC_CLAIM_name"], where the name is defined in the Trustelem-hosted script in the field called custom claims.
    For example, if you add the custom claim:

    claims["attr1"] = user.firstname;
    You can find the user's first name in the variable $_SERVER["OIDC_CLAIM_attr1"]

  • If the user authenticated with mod_auth_openidc doesn’t exist in the application, we recommend creating the user from the attributes sent by Trustelem.
    This auto-provisioning system enables the implementation of internal rights management based on attributes sent by Trustelem.
    This completes the access control policies defined in Trustelem.
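
    As an added example (not code from Trustelem or from mod_auth_openidc), the auto-provisioning step could look like this in PHP. The users table, the in-memory SQLite database and the custom claim named role are assumptions; attr1 is the custom claim from the example above.

```php
<?php
// Added example, not Trustelem or mod_auth_openidc code. Assumed: the users
// table layout and a custom claim named "role" next to attr1 from the page.

/** Collect the claims mod_auth_openidc exported as OIDC_CLAIM_* variables. */
function oidc_claims(array $server): array
{
    $claims = [];
    foreach ($server as $key => $value) {
        // A header sent by the client appears in PHP as HTTP_..., so it can
        // never match this prefix.
        if (strncmp($key, 'OIDC_CLAIM_', 11) === 0 && is_string($value)) {
            $claims[substr($key, 11)] = $value;
        }
    }
    return $claims;
}

/** Create the local account on first login, refresh its attributes afterwards. */
function provision_user(PDO $db, array $server): array
{
    $claims = oidc_claims($server);
    // "sub" is the stable subject identifier; without it there is no session.
    if (($claims['sub'] ?? '') === '') {
        throw new RuntimeException('OIDC_CLAIM_sub is missing');
    }
    // Internal rights come from an allow-list, never from the raw claim value.
    $role = in_array($claims['role'] ?? '', ['reader', 'editor', 'admin'], true)
        ? $claims['role'] : 'reader';
    $user = ['sub' => $claims['sub'], 'firstname' => $claims['attr1'] ?? '', 'role' => $role];
    $db->prepare(
        'INSERT INTO users (sub, firstname, role) VALUES (:sub, :firstname, :role)
         ON CONFLICT(sub) DO UPDATE SET firstname = excluded.firstname, role = excluded.role'
    )->execute($user);
    return $user;
}

// Constructed sample standing in for $_SERVER on a request to /sso-login.
$server = [
    'OIDC_CLAIM_sub'       => 'constructed-subject-id',
    'OIDC_CLAIM_attr1'     => 'Alice',
    'OIDC_CLAIM_role'      => 'superuser', // not in the allow-list
    'HTTP_OIDC_CLAIM_ROLE' => 'admin',     // client-sent header, ignored
];
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (sub TEXT PRIMARY KEY, firstname TEXT, role TEXT)');
print_r(provision_user($db, $server));
```

    Keying the local account on sub rather than on a display attribute keeps the mapping stable when a user's name or e-mail address changes in Trustelem.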