Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

COmanage Registry mod_auth_openidc

Intended to build a COmanage Registry image using the mod_auth_openidc module for Apache HTTP Server as the authentication mechanism.

Build Arguments

Building the image requires the following build arguments:

--build-arg COMANAGE_REGISTRY_VERSION=<version number>
--build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION=<base image version number>

Additionally the following build argument may be specified:

--build-arg MOD_AUTH_OPENIDC_SRC_URL=<URL for mod_auth_openidc source tarball>

Build Requirements

This image uses a multi-stage build. It requires that the COmanage Registry base image be built first.

Building

docker build \
  --build-arg COMANAGE_REGISTRY_VERSION=<COmanage Registry version number> \
  --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION=<base image version number> \
  -t comanage-registry:<tag> .

Building Example

export COMANAGE_REGISTRY_VERSION=4.0.2
export COMANAGE_REGISTRY_BASE_IMAGE_VERSION=1
export COMANAGE_REGISTRY_MOD_AUTH_OPENIDC_IMAGE_VERSION=1
TAG="${COMANAGE_REGISTRY_VERSION}-mod-auth-openidc-${COMANAGE_REGISTRY_MOD_AUTH_OPENIDC_IMAGE_VERSION}"

docker build \
  --build-arg COMANAGE_REGISTRY_VERSION=${COMANAGE_REGISTRY_VERSION} \
  --build-arg COMANAGE_REGISTRY_BASE_IMAGE_VERSION=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} \
  -t comanage-registry:$TAG .

Volumes and Data Persistence

See COmanage Registry Volumes and Data Persistence.

Environment Variables

See the list of environment variables common to all images including this image.

Authentication

This image supports using the mod_auth_openidc module for Apache HTTP Server as the authentication mechanism. Deployers should bind mount or COPY in the Apache HTTP Server configuration file /etc/apache2/conf-enabled/mod-auth-openidc.conf that contains the necessary OIDC client, secret, redirect URI, and other mod_auth_openidc integration details.

An example mod-auth-openidc.conf configuration is

OIDCProviderMetadataURL https://cilogon.org/.well-known/openid-configuration
OIDCRemoteUserClaim sub

OIDCClientID cilogon:/client_id/3815e327237181f2ca55e39c305a5706
OIDCClientSecret w5TmBFgrLEZVl7P3VYw5

OIDCScope "openid email profile org.cilogon.userinfo"
OIDCCryptoPassphrase X7iAVpP9c3vr3WTsxrd7

OIDCRedirectURI https://registry.myschool.edu/secure/redirect

<Location /secure/redirect>
  AuthType openid-connect
  Require valid-user
</Location>

Ports

The image listens for web traffic on ports 80 and 443. All requests on port 80 are redirected to port 443.

Running

See other documentation in this repository for details on how to orchestrate running this image with other images using an orchestration tool like Docker Compose, Docker Swarm, or Kubernetes.

To run this image:

docker run -d \
  --name comanage-registry \
  -e COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Julia \
  -e COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Janseen \
  -e COMANAGE_REGISTRY_ADMIN_USERNAME=http://cilogon.org/serverA/users/22981
  -v /opt/comanage-registry-local:/srv/comanage-registry/local \
  -v mod-auth-openidc.conf:/etc/apache2/conf-enabled/mod-auth-openidc.conf \
  -p 80:80 \
  -p 443:443 \
  comanage-registry:4.0.2-mod-auth-openidc-1

Logging

Apache HTTP Server and COmanage Registry log to the stdout and stderr of the container.

HTTPS Configuration

See the section on environment variables and the HTTPS_CERT_FILE and HTTPS_PRIVKEY_FILE variables.

Additionally you may bind mount or COPY in an X.509 certificate file (containing the CA signing certificate(s), if any) and associated private key file. For example

COPY cert.pem /etc/apache2/cert.pem
COPY privkey.pem /etc/apache2/privkey.pem