Within Auth0, set up a multi-page app.
Perhaps the most important issue I struggled with is that multiple OIDC providers probably won't work on the same box. Maybe someone can figure it out, but because I had it all in one virtualhost/config, it just didn't let me filter one "app" on my OTRS box and then another "app" separately.
Maybe it will, maybe it won't make any difference to you, but what made it work for me was protecting the entire HTML DocumentRoot (/) and then unblocking where I didn't need OIDC. For good or bad, it's the same protection for the entire website except for the exceptions.
For the OTRS side, it's pretty easy to configure. Change Kernel/Config.pm to include (for agents):
Code:
$Self->{AuthModule} = 'Kernel::System::Auth::HTTPBasicAuth';
In apache2 (httpd), in mods-enabled/auth_openidc.conf:
Code:
# Provider settings. The metadata URL already publishes the three endpoints
# listed explicitly here; listing them as well does no harm.
OIDCProviderIssuer https://[yoursite].auth0.com
OIDCProviderAuthorizationEndpoint https://[yoursite].auth0.com/authorize
OIDCProviderTokenEndpoint https://[yoursite].auth0.com/oauth/token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://[yoursite].auth0.com/userinfo
OIDCProviderMetadataURL https://[yoursite].auth0.com/.well-known/openid-configuration
# Credentials of the Auth0 application created for OTRS
OIDCClientID [your client id]
OIDCClientSecret [APP Secret]
OIDCScope "openid email profile"
# Must match a callback URL registered on the Auth0 application
OIDCRedirectURI https://path.to.your.otrs.domain/
# Random string used to encrypt the mod_auth_openidc session/state cookies
OIDCCryptoPassphrase MakeOneUpForYourself
OIDCCookiePath /
# Protect the whole DocumentRoot ...
<Location />
AuthType openid-connect
Require valid-user
LogLevel debug
</Location>
# ... and the OTRS agent interface
<Location /otrs>
AuthType openid-connect
Require valid-user
LogLevel debug
</Location>
# ... then exempt the customer front end from OIDC
<Files "customer.pl">
Satisfy any
Require all granted
</Files>
You may also need to comment out the Require line in zzz_otrs.conf inside <Location /otrs>:
Code:
<IfVersion >= 2.4>
# Require all granted
</IfVersion>
Code:
# Take the agent login from the claim that mod_auth_openidc exports into the environment
my $User = $ENV{'OIDC_CLAIM_nickname'};
Please ask questions in the forums.
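Editor's note: the following is an added example, not part of the post above and not OTRS or mod_auth_openidc project code. It keeps the poster's layout (protect everything, then carve out the customer front end) but tightens the points a reviewer would flag: the `<Files "customer.pl">` block matches any file of that name anywhere, so the exception is narrowed to a path; `/otrs-web` (the alias OTRS normally uses for its static files, assumed here) is exempted too, otherwise customers get bounced to Auth0 for CSS and JavaScript; the redirect URI is moved to a path that serves no content, which the mod_auth_openidc documentation recommends; `OIDCRemoteUserClaim` sets REMOTE_USER from a claim so the stock HTTPBasicAuth module works without source edits, and `Require claim email_verified:true` stops an unverified address from logging in as an agent; `LogLevel debug` is dropped because debug logging writes received claims to the error log. The tenant `example.auth0.com`, host `otrs.example.com` and the credential placeholders are assumed.

```apache
# Added example (not the original post's configuration). Assumed names:
# example.auth0.com (Auth0 tenant), otrs.example.com (OTRS host),
# YOUR_CLIENT_ID / YOUR_CLIENT_SECRET (Auth0 application credentials).

# Discovery: the metadata document publishes issuer, authorize, token and
# userinfo endpoints, so they need not be listed individually.
OIDCProviderMetadataURL https://example.auth0.com/.well-known/openid-configuration
OIDCClientID            YOUR_CLIENT_ID
OIDCClientSecret        YOUR_CLIENT_SECRET
OIDCProviderTokenEndpointAuth client_secret_post
OIDCScope               "openid email profile"

# A path inside the protected tree that serves no real content. Register
# exactly this URL as an allowed callback on the Auth0 application.
OIDCRedirectURI         https://otrs.example.com/otrs/redirect_uri

# Random passphrase (e.g. from `openssl rand -base64 32`); it encrypts the
# session and state cookies, so treat it like a key.
OIDCCryptoPassphrase    "REPLACE_WITH_LONG_RANDOM_STRING"
OIDCCookiePath          /

# Populate REMOTE_USER from a claim the IdP controls, so OTRS's unmodified
# Kernel::System::Auth::HTTPBasicAuth can use it as the agent login.
# `email` is acceptable only together with the email_verified check below;
# a display-style claim such as nickname is not a stable identity.
OIDCRemoteUserClaim     email
OIDCPassClaimsAs        environment

# Protect the whole DocumentRoot. Both conditions must hold: with two bare
# Require lines Apache 2.4 would OR them (RequireAny), so wrap in RequireAll.
<Location />
    AuthType openid-connect
    <RequireAll>
        Require valid-user
        Require claim email_verified:true
    </RequireAll>
</Location>

# Exceptions, by path rather than by file name. In Apache 2.4 a child
# section's Require replaces the parent's (AuthMerging Off), and
# "Require all granted" skips authentication entirely.
<Location /otrs/customer.pl>
    AuthType None
    Require all granted
</Location>

# Static assets (CSS, JS, images) that the customer front end loads.
<Location /otrs-web>
    AuthType None
    Require all granted
</Location>
```

After changing the config, run `apachectl configtest`, then check from a clean browser that /otrs/customer.pl and /otrs-web/ load without a redirect to Auth0 while /otrs/index.pl still does; the OTRS agent login must match the value of the claim chosen in `OIDCRemoteUserClaim` exactly.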