Apache 2.0

This integration guide shows you the basic OpenID Connect integration with ZITADEL and an Apache 2.0 server.

Set up PKCE client in ZITADEL

  • Go to your organization and set up a new application with the type PKCE
  • Once it is created, go to the "Redirect Settings" and enable Development Mode
  • Add the Redirect URI, e.g. http://localhost:8080/secure/callback
  • Add the Post Logout URI, e.g. http://localhost:8080/index.html

You can find the URL to your discovery endpoint under "URLs".

Configure Apache2

Configure mod_auth_openidc

We use the module mod_auth_openidc in this guide. You can find a minimal configuration in the official documentation.

The following parameters must be set with the values from ZITADEL.

OIDCProviderMetadataURL https://<your_domain>.zitadel.cloud/.well-known/openid-configuration
OIDCClientID <client_id, eg 227791....@apache_test>
# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI <redirect_uri, eg http://localhost:8080/secure/callback>
OIDCCryptoPassphrase <very-secure-phrase>

OIDCScope "openid profile"
OIDCPKCEMethod S256

With the following parameters:

| Parameter | Description | Example value |
|---|---|---|
| OIDCProviderMetadataURL | The URL of the discovery endpoint, which is typically located at {your-domain}/.well-known/openid-configuration | https://<your_domain>.zitadel.cloud/.well-known/openid-configuration |
| OIDCClientID | The ID of the ZITADEL application. You can find it on the settings page of the application. | 123456789123@apache_test |
| OIDCRedirectURI | Users will be redirected to this page after successful login. If you are using localhost or any other non-https endpoint, make sure to enable development mode in ZITADEL. | https://mysecureapp.io/secure/callback |
| OIDCCryptoPassphrase | Create a secure passphrase. Consult the module's documentation for more details. | ... |
| OIDCScope | OpenID Connect scopes that should be included. You can find a list of all scopes in our documentation. | "openid profile" |
| OIDCPKCEMethod | The method should be set to S256 | S256 |

Secure a route

If you want to secure a route or path, add a Location block with the following directives:

<Location /secure/>
AuthType openid-connect
Require valid-user
</Location>

With the same functionality you can also specify whether roles / permissions must be present on the user, or limit access to specific users. Please consult the official documentation for more information.
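
An added example, not part of the ZITADEL guide or of mod_auth_openidc: a small Python check over the directives above that flags a PKCE method other than S256, a non-HTTPS redirect URI (which only works with Development Mode enabled), a redirect path outside the protected Location, and a placeholder passphrase. The sample configuration, the finding names and the 16-character passphrase threshold are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the guide's directives with four deliberate mistakes.
SAMPLE_CONF = """\
OIDCClientID 123456789123@apache_test
OIDCRedirectURI http://app.example.test/callback
OIDCCryptoPassphrase <very-secure-phrase>
OIDCPKCEMethod plain
<Location /secure/>
AuthType openid-connect
Require valid-user
</Location>
"""

def parse(conf):
    """Return (top-level directives, Location paths with AuthType openid-connect)."""
    directives, protected, current = {}, [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Location\s+(\S+?)>$", line)
        if m:
            current = m.group(1)
        elif line.lower() == "</location>":
            current = None
        else:
            name, _, value = line.partition(" ")
            value = value.strip().strip('"')
            if current is None:
                directives[name] = value
            elif name.lower() == "authtype" and value.lower() == "openid-connect":
                protected.append(current)
    return directives, protected

def audit(conf):
    """Return the names of the checks the configuration fails."""
    d, protected = parse(conf)
    uri = urlparse(d.get("OIDCRedirectURI", ""))
    phrase = d.get("OIDCCryptoPassphrase", "")
    checks = [
        ("pkce-not-s256", d.get("OIDCPKCEMethod") != "S256"),
        ("redirect-needs-dev-mode", uri.scheme != "https"),
        ("redirect-unprotected", not any(uri.path.startswith(p) for p in protected)),
        # Assumption: placeholder text or fewer than 16 characters counts as weak.
        ("weak-passphrase", phrase.startswith("<") or len(phrase) < 16),
    ]
    return [name for name, failed in checks if failed]
```

Calling audit(SAMPLE_CONF) reports all four findings; the guide's own localhost redirect URI reports only redirect-needs-dev-mode, matching the Development Mode step in the ZITADEL setup.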

Handling logout

Consult the official documentation on how to log out users, or check out the example code for a minimal version.

Example code

We provide a minimal boilerplate example to test the integration of ZITADEL with an Apache server. Follow the instructions in the readme.