I have several web sites running under Apache/CGI that need to authenticate users. The present mechanism is long past end of life, so I am looking to move to OpenID Connect. To make life easier, I want to use mod_auth_openidc rather than code something from scratch.
My organization supports OIDC directly. The tricky part is that we need to present the login form ourselves. So I have a small script that sends a login form, and an authentication handler that grabs the credentials and uses the REST service to authenticate them.
If I understand correctly, mod_auth_openidc associates its own session cookie with the OIDC token id/authorization code/access token, so that the user agent only ever has to know about the mod_auth_openidc_cookie.
Mod_auth_openidc doesn't seem to need more than minimal configuration in my situation. I am able to authenticate user credentials and get the token id/authorization code/access token from the OIDC provider service trivially. What I'm not clear on is how to send the user agent a response that gets them into the site if the credentials they present are good.
I have tried a 302 into the landing page of my application, sending just the token id in the iPlanet, but that doesn't work, because mod_auth_openidc doesn't see the token id.