Problems setting up for a SPA

[pascalbe-dev]

Hey,
I'm currently trying to use this module in combination with a single page application to connect to an OIDC server and I can't get it to work unfortunately.

Why I do this anyway?

Basically, we just want to connect directly from our spa to the OIDC server (no backend, just frontchannel communication). But since we have no control over the real OIDC server and we can not adjust the allowed origins, we get CORS errors. Still, we want to test against it, to make sure the results from the user-info Endpoint work with our app. Therefore, the OIDC team told us to use an OIDC proxy.

What's the problem?

• I added the module to a dockerized apache2 server.
• I set up ssl by generating a ssl certificate and adding it to the apache2 config.
• Finally I set the Header add Access-Control-Allow-Origin "*" in the apache conf, so that our spa is allowed to access the apache2 server.

Expectation:
I can connect with my spa to the apache2 oidc proxy which proxies all my requests to the real OIDC server.

Actual:
When calling the .well-known/openid-configuration Endpoint inside the SPA, I get a CORS error because the header is not returned.

Final note

There might be some super obvious issue. The problem is, I'm not really into apache2 and all this stuff.
Or is there maybe something wrong with my way of thinking how to use this module.
I'd be glad for any tips and tricks to get this to work.

[zandbelt]

When using this module in an OIDC proxy setup, the SPA is not supposed to handle OIDC anymore but merely rely on a session cookie and some info it can get from an endpoint provided by the module, see: https://github.com/zmartzone/mod_auth_openidc/wiki/Single-Page-Applications

Another source of confusion seems to be that you're using the same Apache server to proxy requests to the OIDC server, that is not necessary to achieve what you need.

[pascalbe-dev]

Ahh, thanks for the input.

Then I probably misunderstood how this module works. The SPA docs do help me to understand.

The thing is, I would like to test the app including all OIDC related code and just swap out the OIDC issuer. I thought I could do that with this module, so that it just proxies all requests to another real OIDC server.

Do you see any other way to achieve that?

[zandbelt]

proxying all requests can be done with basic Apache using mod_proxy, no need for mod_auth_openidc in that case

[pascalbe-dev]

Thanks. Will try that out :)