
Introduction : The Apache OpenID Module

I'm looking for additional contributors to take this project over! Email me (I'm bamuller on gmail) if you can help out. Thanks!

mod_auth_openid is an authentication module for the Apache 2 webserver. It handles the functions of an OpenID consumer as specified in the OpenID 2.0 specification. See the FAQ for more information. Download the current release from the releases page.

You can now specify an external program for authorization. That is, after a user has authenticated themselves, their identity can be passed to an external program that then returns a value that either authorizes them or not to see the resource being protected. See AuthUserProgram for more information.
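A small authorization program for the external-program hook described above, as an added example that is not the module's own code. The page does not state the calling convention, so this assumes the identity arrives as the first command-line argument and that exit status 0 means "authorized" (check the AuthUserProgram page); the allowlist and the `openid.example.org` identities are constructed.

```python
#!/usr/bin/env python3
# Added example, not the project's code. Assumed contract (check AuthUserProgram):
# identity arrives as argv[1]; exit status 0 authorizes, anything else denies.
import sys
from urllib.parse import urlsplit

# Constructed sample allowlist, stored in the canonical form normalize() emits.
ALLOWED_IDENTITIES = frozenset({
    "https://openid.example.org/alice", "https://openid.example.org/bob",
})
EXIT_ALLOW, EXIT_DENY = 0, 1


def normalize(identity):
    """Canonicalize an identity URL; return None for anything suspicious."""
    # Reject spaces and control characters first: urlsplit() silently strips
    # some of them, which would let a padded value match the allowlist.
    if not identity or " " in identity or not identity.isprintable():
        return None
    try:
        parts = urlsplit(identity)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # no userinfo: blocks "allowed-host@other-host" look-alikes
    host = parts.hostname if port is None else "%s:%d" % (parts.hostname, port)
    canonical = "%s://%s%s" % (parts.scheme, host, parts.path or "/")
    canonical += "?" + parts.query if parts.query else ""
    canonical += "#" + parts.fragment if parts.fragment else ""
    return canonical


def authorize(identity):
    """True only when the canonical identity is exactly on the allowlist."""
    canonical = normalize(identity)
    return canonical is not None and canonical in ALLOWED_IDENTITIES


def main(argv):
    # Fail closed: a missing or extra argument is a denial, never a default allow.
    ok = len(argv) == 2 and authorize(argv[1])
    return EXIT_ALLOW if ok else EXIT_DENY


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Only the scheme and host are case-folded before comparison; path, query and fragment must match exactly, so a near-miss identity is denied rather than guessed at.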


These docs assume that you have Apache 2 installed and running already. Linux is the only officially supported operating system. YMMV on OSX/Irix/Solaris/etc.


Get The Source

You can download the current stable release from the releases page or use git to get a development release:

git clone git://

Note that if you download a development release you will need current versions of the autotools installed, and you must run ./ first before following these instructions.


Enter the mod_auth_openid directory and type:


You can use the following to see additional configuration options:

./configure --help


su root
make install

Verify that the module has been enabled in your httpd.conf:

# note that the path to your module might be different
LoadModule authopenid_module /usr/lib/apache2/modules/

Depending on where you specify your AuthOpenIDDBLocation (see below), you may need to touch the db file as the user that’s running Apache (or chown the directory it’s being stored in). For instance:

# /tmp/mod_auth_openid.db is the default location for the DB
su root
touch /tmp/mod_auth_openid.db
chown www-data /tmp/mod_auth_openid.db


Place the following directive in either a Directory, Location, or File directive in your httpd.conf (or in an .htaccess file if you have AllowOverride AuthConfig):

AuthType OpenID
require valid-user

The valid-user constraint can be replaced with require user if you want to restrict access to a specific user.

The following are optional:

AuthOpenIDDBLocation              /some/location/my_file.db
AuthOpenIDTrusted                 ^$ ^$
AuthOpenIDDistrusted              ^http://hackerdomain ^$
AuthOpenIDUseCookie               Off
AuthOpenIDCookieName              example_cookie_name
AuthOpenIDLoginPage               /login.html
# one hour
AuthOpenIDCookieLifespan          3600
AuthOpenIDUserProgram             /path/to/authorization/program
AuthOpenIDCookiePath              /path/to/protect
# use Google's OpenID
AuthOpenIDSingleIdP
AuthOpenIDAXRequire               email @example\.com$
# username is email address
AuthOpenIDAXUsername              email
# always for production sites!
AuthOpenIDSecureCookie            On

Next, restart Apache:

/path/to/apache2/bin/apachectl stop
/path/to/apache2/bin/apachectl start

After a user authenticates themselves, the user’s identity will be available in the REMOTE_USER CGI environment variable. A cookie named open_id_session_id is saved to maintain each user’s session.


If you’re upgrading, make sure you delete the old database file before upgrading and after stopping Apache (the db file is in /tmp/mod_auth_openid.db by default).

Attribute Exchange

See the AttributeExchange page for more information.


First, read the FAQ. If it’s a bug, report it by creating a new ticket (link at top). If it’s a complaint or question, email the mailing list.