Simple authorization of authenticated users by linux groups or roles in a file?

[chrisinmtown]

I need to restrict which openidc-authenticated users can access a web site. I read about mod-auth-openidc authorization here: https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization

Please tell me, is there a basic option to restrict users based on local resources such as flat files or linux groups? Maybe a separate Apache HTTPD module that will mesh well with open id connect?

I see from the documentation that I can restrict authenticated users based on claims provided by the provider or from an LDAP server via mod_authnz_ldap. My internal provider doesn't support authorization claims like this, just authentication of everyone in the company. If there is no simple option, maybe I can stand up a LDAP server; do you have a recommendation?

Thanks in advance.

[zandbelt]

Whatever you'd put into that file, you can put directly in the Apache config.

[zandbelt]

one can use Include https://httpd.apache.org/docs/2.4/mod/core.html#include

[chrisinmtown]

Thanks for mentioning the Apache HTTPD Include directive but that's still functionally the Apache HTTPD config in my opinion, and I believe a change to an Include-d file still requires restart of HTTPD.

[hmoffatt]

All or most of those auth directives can go in a .htaccess file instead which doesn't require a server restart.

[chrisinmtown]

Would you please show an example of this?

[hmoffatt]

I didn't try, but based on https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization#2-mod_authnz_ldap I think you should be able to write just Require user <username> where username is whatever the username is from your IDP.

You can put that in .htaccess just the same as in a or clause in your apache config.

If that works then I think you should be able to build a group file listing the users (since your IDP doesn't provide any group information?) and use that. See https://httpd.apache.org/docs/2.4/mod/mod_authz_groupfile.html