Just about 5 years ago I started to develop an OpenID Connect plugin for the Apache web server. Over the years it has become a pretty popular project and lots and lots of input from real-world experience has come along to improve it. As with all software, there comes a time to revisit the initial idea, the design choices and the scope of the project, and that is exactly what I have done over the last 6 months.
I found that a lot of existing code could be refactored into a generic OAuth/OIDC library for C and that this library could then conveniently be used to build C-based plugins for various web servers and reverse proxies, not just Apache. This is similar to the approach that mod_security version 3 took. Today marks the announcement of such libraries for OAuth 2.0 / OpenID Connect and the availability of some of these plugins. Here’s what I came up with so far:
- liboauth2 – generic OAuth 2.0 and OpenID Connect library
- liboauth2_apache – liboauth2 bindings for Apache
- liboauth2_nginx – liboauth2 bindings for NGINX
And here is the first batch of plugins built on those libraries:
- mod_oauth2 – OAuth 2.0 Resource Server module for Apache
- ngx_oauth2_module – OAuth 2.0 Resource Server module for NGINX
- mod_sts – Security Token Exchange module for Apache
- ngx_sts_module – Security Token Exchange module for NGINX
Note that over the course of 2019 I will rewrite mod_auth_openidc into version 3 that leverages liboauth2 and at the same time develop a native plugin (called ngx_openidc_module) for NGINX.
Please reach out to me if you want to be an early adopter of the new stuff and are willing to provide feedback.