Apache 2.0
This integration guide shows you the basic OpenID Connect integration with ZITADEL and an Apache 2.0 server.
Setup PKCE client in ZITADEL​
- Go to your organization and setup a new application with the type PKCE
- When created go to the "Redirect Settings" and enable Development Mode
- Add the Redirect Uri, f.e.
http://localhost:8080/secure/callback
- Add the Post Logout Uri, f.e.
http://localhost:8080/index.html
You can find the url to your discovery endpoint under "URLs":
Configure Apache2​
Configure mod_auth_openidc​
We use the module mod_auth_openidc
in this guide.
You can find a minimal configuration in the official documentation.
The following parameters must be set with the values from ZITADEL.
OIDCProviderMetadataURL https://<your_domain>.zitadel.cloud/.well-known/openid-configuration
OIDCClientID <client_id, eg 227791....@apache_test>
# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI <redirect_uri, eg http://localhost:8080/secure/callback>
OIDCCryptoPassphrase <very-secure-phrase>
OIDCScope "openid profile"
OIDCPKCEMethod S256
With the following parameters
Parameter | Description | Example value |
---|---|---|
OIDCProviderMetadataURL | Is the url to the discovery endpoint, which is typically located at {your-domain}/.well-known/openid-configuration | https://<your_domain>.zitadel.cloud/.well-known/openid-configuration |
OIDCClientID | Is the ID of the zitadel application. You can find it on the settings page of the application. | 123456789123@apache_test |
OIDCRedirectURI | Users will be redirected to this page after successful login. If you are using localhost or any other non-https endpoint, make sure to enable development mode in ZITADEL. | https://mysecureapp.io/secure/callback |
OIDCCryptoPassphrase | Create a secure passphrase. Consult the module's documentation for more details. | ... |
OIDCScope | OpenID Connect scopes that should be included. You can find a list of all scopes in our documentation. | "openid profile" |
OIDCPKCEMethod | The method should be set to S256 | S256 |
Secure a route​
If you want to secure a route / path then add do so by adding the following Location functionality with the directives:
<Location /secure/>
AuthType openid-connect
Require valid-user
</Location>
With the same functionality you can also specify if roles / permissions must be present on the user, or limit access to specific users. Please consult the official documentation on more information.
Handling logout​
Consult the official documentation on how to logout users. Or check out the example code for a minimal version.
Example code​
We provide a minimum boilerplate example to test the integration of ZITADEL with an Apache server. Follow the instructions in the readme.