I have mod_auth_openidc working on CentOS 7 but cannot find the documentation that references how to extract passed user information.
My logs show that the module is performing the following interrogations:
oidc_authz_match_claim: evaluating key "nickname"
oidc_authz_match_claim: evaluating key "email"
oidc_authz_match_claim: evaluating key "user_id"
oidc_authz_match_claim: evaluating key "identities"
oidc_authz_match_claim: evaluating key "iat"
oidc_authz_match_claim: evaluating key "picture"
oidc_authz_match_claim: evaluating key "last_password_reset"
oidc_authz_match_claim: evaluating key "name"
oidc_authz_match_claim: evaluating key "created_at"
oidc_authz_match_claim: evaluating key "app_metadata"
oidc_authz_match_claim: evaluating key "email_verified"
oidc_authz_match_claim: evaluating key "clientID"
oidc_authz_match_claim: evaluating key "folders"
I have tried setting both of the following in httpd.conf:
OIDCRemoteUserClaim email
OIDCOAuthRemoteUserClaim email
then using <?php echo $_SESSION['REMOTE_USER']; ?> but I am not getting any variables being returned.
Thanks, Art
In the default setup the email claim is available both as an environment variable:
echo $_SERVER['OIDC_CLAIM_email'];
and as an HTTP header:
$hdrs = apache_request_headers();
echo $hdrs['OIDC_CLAIM_email'];
The REMOTE_USER variable is accessible through:
$_SERVER['REMOTE_USER'];
and will be set to a globally unique identifier by default but is configurable through the OIDCRemoteUserClaim directive as you showed. A few remarks about the setup:
You'll note that the HTTP headers are also available in the environment variables, with their variable names prefixed with HTTP_ and uppercased, e.g.
$_SERVER['HTTP_OIDC_CLAIM_EMAIL'];
You can configure the behavior around passing claims in headers and/or environment variables through various configuration directives
The variables will of course only exist if the associated claim was present in the id_token or returned from the user info endpoint.
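
Added example, not part of the original answer: a PHP helper that looks up a claim in both places the answer describes (the OIDC_CLAIM_ environment variable first, then the HTTP_-prefixed header form) and returns null when the claim was not passed. The function names and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Look up one claim passed by mod_auth_openidc.
 * $server is normally $_SERVER; it is a parameter so sample data can be used.
 */
function oidc_claim(array $server, string $name): ?string
{
    // Environment variable form, set by the module itself: OIDC_CLAIM_<name>
    $envKey = 'OIDC_CLAIM_' . $name;
    // Header form as PHP exposes it: HTTP_ prefix, uppercased, '-' mapped to '_'
    $hdrKey = 'HTTP_OIDC_CLAIM_' . strtoupper(str_replace('-', '_', $name));

    // The environment variable is checked first; the header form shares its
    // namespace with request headers, so it is only the fallback.
    foreach ([$envKey, $hdrKey] as $key) {
        if (isset($server[$key]) && is_string($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    // Claim was not in the id_token or the user info response.
    return null;
}

/** REMOTE_USER lives in $_SERVER, or null when no user is set. */
function oidc_user(array $server): ?string
{
    $user = $server['REMOTE_USER'] ?? null;
    return (is_string($user) && $user !== '') ? $user : null;
}

// Constructed sample data standing in for $_SERVER on a protected request.
$sample = [
    'REMOTE_USER'          => 'sample-subject@issuer.example',
    'OIDC_CLAIM_email'     => 'art@example.com',
    'HTTP_OIDC_CLAIM_NAME' => 'Art Example',
];

foreach (['email', 'name', 'folders'] as $claim) {
    // Escape with htmlspecialchars() before echoing a claim into an HTML page.
    printf("%-8s %s\n", $claim, oidc_claim($sample, $claim) ?? '(not passed)');
}
printf("%-8s %s\n", 'user', oidc_user($sample) ?? '(unauthenticated)');
```

In a real page, pass $_SERVER instead of the sample array.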