How to use oidc with icingaweb2

There seems to be a way to use Open ID Connect (OIDC) with icingaweb2 …
I’m very interested in this to allow all my users to login to view the current state of things.
2FA for Icinga Web 2 - #22 by valentijnscholten hints it’s possible, GitHub - zmartzone/mod_auth_openidc: OpenID Certified™ OpenID Connect Relying Party implementation for Apache HTTP Server 2.x explains how to configure the module for different cases (Azure AD in my case). Now how to configure icingaweb2 to actually use that?
Can someone provide an example? Also seems to be something that should get added to the docs once figured out :slight_smile:

From what I see the mod sets the REMOTE_USER, so it would be as simple as configuring Apache HTTPd to use the module and then in Icinga Web 2 configure an external authentication. Authentication - Icinga Web 2

Based on how the user is set or what your options with mod_auth_openidc are, Icinga Web 2’s option strip_username_regexp can be useful to get nice usernames.

For permissions you still need to configure roles and this would be still better matched to a group from LDAP than manually managed in Icinga Web 2.
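An added end-to-end example of what the reply above describes (this is not code from the thread or from the Icinga or mod_auth_openidc projects): mod_auth_openidc protecting /icingaweb2 on the same Apache host, so the module itself sets REMOTE_USER and Icinga Web 2 only has to use external authentication. The tenant id, client id and secret, passphrase and hostname are placeholders; the claim name assumes an Azure AD v2 token.

```apache
# Added example, not from the original thread.
# Every value in <...> is a placeholder, not a real identifier.
# Load the module the way your distribution does it (e.g. a2enmod auth_openidc on Debian).

<VirtualHost *:443>
    ServerName icinga.example.org
    # ... TLS directives and the stock icingaweb2.conf content go here ...

    # Discovery document of the Azure AD tenant (v2.0 endpoint)
    OIDCProviderMetadataURL https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration
    OIDCClientID     <CLIENT_ID>
    OIDCClientSecret <CLIENT_SECRET>
    # Must be a URL inside the protected location that no real page uses;
    # the module answers it itself and it must be registered at the IdP
    OIDCRedirectURI  https://icinga.example.org/icingaweb2/redirect_uri
    # Random string used to encrypt the module's session and state cookies
    OIDCCryptoPassphrase <LONG_RANDOM_PASSPHRASE>
    OIDCScope "openid email profile"
    # Default REMOTE_USER is "<sub>@<issuer>", which makes ugly Icinga usernames;
    # preferred_username is the user's UPN/e-mail in Azure AD tokens (assumption for other IdPs)
    OIDCRemoteUserClaim preferred_username

    <Location /icingaweb2>
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>
```

On the Icinga Web 2 side the matching section of authentication.ini is then just `[oidc]` with `backend = external`, and, if you want the part before the @ as the username, `strip_username_regexp = "/@.*$/"` (a PCRE pattern, since Icinga Web 2 applies it with preg_replace). Because the module runs in the same httpd process that serves Icinga Web 2, nothing outside that process can set REMOTE_USER, so no header-forwarding or source-IP restriction is needed in this variant; roles.ini still has to list the resulting usernames or a group backend that knows them.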

Our use case was slightly different.

  1. We had OIDC configured with mod_auth_mellon on another webserver (preceding icinga)
  2. We wanted to replace LDAP auth on the Icinga server itself

On the OIDC webserver we save the REMOTE_USER environment variable to an HTTP header named X-REMOTE-USER - name it whatever you like.

Then, on the icinga-host we grab the HTTP header, and add it as an apache environment variable.
In addition you want to block which IP addresses can connect to the icinga-host so people can’t (easily) bypass your auth.

The OIDC host

RewriteEngine On
RewriteRule ^/icingaweb2$ https://%{HTTP_HOST}/icingaweb2/ [L,R=301]
<Location /icingaweb2/>
    # https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html
    # The rewrite engine has to be enabled in this context as well
    RewriteEngine On
    # Use apache look ahead to get the REMOTE_USER from OIDC and save to the PROXY_USER environment variable
    RewriteRule ^ - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
    # Add the PROXY_USER env var to an HTTP *Request* header (passing it on in to icinga)
    RequestHeader set X-REMOTE-USER "%{PROXY_USER}e"
    # We're using VirtualHost entries on the icinga-host, so have to preserve the Host header, ymmv
    ProxyPreserveHost On
    ProxyPass        http://icinga-host/icingaweb2/ connectiontimeout=5 timeout=60
    ProxyPassReverse http://icinga-host/icingaweb2/
</Location>

On the icinga-host

# <snip> other icinga http server config

# Read the X-REMOTE-USER (HTTP) header and save it to the REMOTE_USER environment variable.
# The second parameter is a regex and $1 is its first capture group, so you can fine tune it to your liking.
# E.g. `"(.+)@.*"` - keep only what is before the (at) sign @, again ymmv
SetEnvIf X-REMOTE-USER "(.*)" REMOTE_USER=$1

# We Require two things
# All are granted
# ...as long as they come from this set of IP addresses,
# ...those would be the *preceding* (OIDC) webserver
<Location "/icingaweb2">
    <RequireAll>
        Require all granted
        <RequireAny>
            Require local
            # Require ip 10.0.0.0/24
            Require ip 192.168.1.10
            Require ip 192.168.1.11
        </RequireAny>
    </RequireAll>
</Location>

Now I just need to update roles.ini