yes that is my understanding
On Sat, Jun 4, 2016 at 12:57 AM, Thomas Darimont <thomas.darimont(a)googlemail.com> wrote:
Hello Niels,
I think you're right here - apachectl -L says:
OIDCCryptoPassphrase (mod_auth_openidc.c)
Passphrase used for AES crypto on cookies and state.
Allowed in *.conf only outside <Directory>, <Files>, <Location>, or
<If>
I did not read the docs properly. So this OIDCCryptoPassphrase is only used by
Apache mod_oidc & mod_balancer & not by keycloak if I understand you correctly.
So I could simply change:
OIDCCryptoPassphrase currently-not-supported-by-keycloak
to
OIDCCryptoPassphrase a-random-secret-used-by-apache-oidc-and-balancer
... to make it more clear that this secret should really be a secret and
is not used by Keycloak, right?
Cheers,
Thomas
2016-06-03 16:34 GMT+02:00 Niels Bertram <nielsbne(a)gmail.com>:
> Hi Thomas,
>
> just a comment on your example project, the Apache directive
> OIDCCryptoPassphrase is (AFAIK) used by the apache module to en/decrypt
> the state parameter that is sent with the redirect params to the OP. This
> is a mandatory setting and you will have to make sure it's random and
> secured (otherwise someone can steal your users' session). If you run the
> apache behind a load balancer, this value needs to be the same on all
> nodes, else the module will return invalid state errors.
>
> Cheers,
> Niels
>
> On Fri, Jun 3, 2016 at 7:30 AM, Thomas Darimont <thomas.darimont(a)googlemail.com> wrote:
>
>> Hello group,
>>
>> Just wanted to let you know that I built a small example [0] that
>> demonstrates the usage of Keycloak with mod_auth_oidc [1]
>> with Docker + Apache + PHP.
>>
>> Works like a charm :)
>>
>> Cheers,
>> Thomas
>>
>> [0] https://github.com/thomasdarimont/keycloak_mod_auth_oidc_example
>> [1] https://github.com/pingidentity/mod_auth_openidc
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
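An added shell example (not part of this thread or of the linked example project) that generates a random value for OIDCCryptoPassphrase and lints the Apache config files of several load-balanced nodes for the two problems Niels describes: a guessable placeholder value, and values that differ between nodes. The config file names used in the usage are constructed, and the placeholder word list is an assumption.

```shell
#!/bin/sh
# Added example: generate and lint OIDCCryptoPassphrase values.
# Assumes openssl is installed for the random passphrase.

# Print a random passphrase suitable for the directive (44 base64 chars).
gen_passphrase() {
    openssl rand -base64 32 | tr -d '\n'
}

# Print the OIDCCryptoPassphrase value from one config file (empty if unset).
get_passphrase() {
    sed -n 's/^[[:space:]]*OIDCCryptoPassphrase[[:space:]]\{1,\}//p' "$1" | head -n 1
}

# Return 0 if the value looks usable: set, at least 16 characters, and not one
# of the placeholder patterns (assumed list; includes the one from the thread).
check_value() {
    v="$1"
    [ -n "$v" ] || return 1
    [ "${#v}" -ge 16 ] || return 1
    case "$v" in
        *not-supported*|*changeme*|*example*|*placeholder*) return 1 ;;
    esac
    return 0
}

# Lint the config file of every node given as an argument: each value must pass
# check_value, and all values must be identical, because state encrypted by one
# node must be decryptable by every other node behind the load balancer.
lint_nodes() {
    first=""
    for f in "$@"; do
        v=$(get_passphrase "$f")
        check_value "$v" || { echo "$f: weak or missing OIDCCryptoPassphrase" >&2; return 1; }
        if [ -z "$first" ]; then
            first="$v"
        elif [ "$v" != "$first" ]; then
            echo "$f: OIDCCryptoPassphrase differs from the first node" >&2
            return 2
        fi
    done
    return 0
}

# Usage (constructed file names): lint_nodes /etc/apache2/node1.conf /etc/apache2/node2.conf
```

The value from gen_passphrase goes into the same OIDCCryptoPassphrase line on every node, outside any <Directory>, <Files>, <Location> or <If> block, as the apachectl -L output above states.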