From c0885bd9dec93c6f921607cdccd45ad54aa671cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ou=C5=A1ek?= <brousek@ics.muni.cz>
Date: Thu, 1 Jun 2023 11:42:54 +0200
Subject: [PATCH] fix: revert mod_auth_openidc part overriden by mod_oauth2

---
 .../Apache web server/mod_auth_openidc.md"    | 40 ++++++++++++++-----
 .../Apache web server/mod_auth_openidc.md     | 28 +++++++++++--
 2 files changed, 54 insertions(+), 14 deletions(-)

diff --git "a/docs-cs/Jin\303\251 aplikace/Apache web server/mod_auth_openidc.md" "b/docs-cs/Jin\303\251 aplikace/Apache web server/mod_auth_openidc.md"
index e450774..0f1b0cf 100644
--- "a/docs-cs/Jin\303\251 aplikace/Apache web server/mod_auth_openidc.md"	
+++ "b/docs-cs/Jin\303\251 aplikace/Apache web server/mod_auth_openidc.md"	
@@ -19,18 +19,38 @@ Jedná se o modul pro Apache web server pro připojení aplikace nebo webu bez z
 ## Konfigurace
 
 1. Nainstalujte následující balíčky (v některých Linuxových distribucích dostupné z apt repozitářů):
-   1. [liboauth2](https://github.com/zmartzone/liboauth2/releases)
-   2. [mod_oauth2](https://github.com/zmartzone/mod_oauth2/releases)
-   3. [mod_auth_openidc](https://github.com/zmartzone/mod_auth_openidc/releases)
+    1. [liboauth2](https://github.com/zmartzone/liboauth2/releases)
+    2. [mod_oauth2](https://github.com/zmartzone/mod_oauth2/releases)
+    3. [mod_auth_openidc](https://github.com/zmartzone/mod_auth_openidc/releases)
 2. Do konfigurace **Apache VirtualHost** (většinou v **/etc/apache2/sites-enabled/\*.conf**) vložte následující:
 
-```apacheconf
-   AuthType oauth2
-   OAuth2TokenVerify metadata %OIDC_WELL_KNOWN_URI% introspect.auth=client_secret_basic&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET
-   OAuth2AcceptTokenIn header name=Authorization&type=bearer
-   require valid-user
-```
+    ```apacheconf
+    OIDCProviderMetadataURL %OIDC_WELL_KNOWN_URI%
+    OIDCClientID YOUR_CLIENT_ID
+    OIDCClientSecret YOUR_CLIENT_SECRET
+    OIDCRedirectURI https://sp.example.org/secure/redirect_uri
+    OIDCCryptoPassphrase "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\""
+    OIDCScope "openid"
+    
+    <Location /secure/>
+        AuthType openid-connect
+        Require valid-user
+    </Location>
+    ```
+
+3. Pokud je podporováno PKCE, přidejte:
+
+    ```apacheconf
+    OIDCPKCEMethod S256
+    ```
+
+4. Do části Apache konfigurace, která zpřístupňuje aplikaci/web (např. blok Location, který obsahuje direktivu ProxyPass), přidejte:
+
+    ```apacheconf
+    AuthType openid-connect
+    Require valid-user
+    ```
 
 ## Další zdroje
 
-- Ukázková konfigurace s dalšími možnostmi nastavení: [https://github.com/OpenIDC/mod_auth_openidc/blob/master/auth_openidc.conf](https://github.com/OpenIDC/mod_auth_openidc/blob/master/auth_openidc.conf)
+Ukázková konfigurace s dalšími možnostmi nastavení: [https://github.com/OpenIDC/mod_auth_openidc/blob/master/auth_openidc.conf](https://github.com/OpenIDC/mod_auth_openidc/blob/master/auth_openidc.conf)
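Review bot: The `OIDCCryptoPassphrase "exec:…"` line in step 2 produces a different random passphrase each time Apache loads its configuration, and the page does not mention this. mod_auth_openidc uses that passphrase to protect its session and state cookies, so existing sessions would stop validating after a restart, and several servers behind a load balancer would each hold a different value. I would add a sentence below the block (translated for this Czech page), for example `The passphrase is regenerated on every Apache restart; when running more than one server, set the same fixed random value on all of them.` Because the block also holds `OIDCClientSecret`, a second sentence such as `Restrict read access to this configuration file, since it contains the client secret.` would help. Both points apply equally to the docs-en hunk of this patch.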
diff --git a/docs-en/Other applications/Apache web server/mod_auth_openidc.md b/docs-en/Other applications/Apache web server/mod_auth_openidc.md
index 1a538d9..f2ebc73 100644
--- a/docs-en/Other applications/Apache web server/mod_auth_openidc.md	
+++ b/docs-en/Other applications/Apache web server/mod_auth_openidc.md	
@@ -25,10 +25,30 @@ An Apache web server module for integrating applications or websites without OID
 2. Add the following to the **Apache VirtualHost** configuration (usually located in **/etc/apache2/sites-enabled/\*.conf**)
 
     ```apacheconf
-    AuthType oauth2
-    OAuth2TokenVerify metadata %OIDC_WELL_KNOWN_URI% introspect.auth=client_secret_basic&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET
-    OAuth2AcceptTokenIn header name=Authorization&type=bearer
-    require valid-user
+    OIDCProviderMetadataURL %OIDC_WELL_KNOWN_URI%
+    OIDCClientID YOUR_CLIENT_ID
+    OIDCClientSecret YOUR_CLIENT_SECRET
+    OIDCRedirectURI https://sp.example.org/secure/redirect_uri
+    OIDCCryptoPassphrase "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\""
+    OIDCScope "openid"
+    
+    <Location /secure/>
+        AuthType openid-connect
+        Require valid-user
+    </Location>
+    ```
+
+3. If PKCE is supported, add the following:
+
+    ```apacheconf
+    OIDCPKCEMethod S256
+    ```
+
+4. Into the block of Apache configuration, which serves your application/website (e.g. the location block which contains ProxyPass), add the following:
+
+    ```apacheconf
+    AuthType openid-connect
+    Require valid-user
     ```
 
 ## Additional resources
-- 
GitLab