OpenID alternatives and similar tools
Based on the "Tools and web interfaces" category.
Alternatively, view OpenID alternatives based on common mentions on social networks and blogs.
5.0 10.0 L2 OpenID VS Sambahttps://gitlab.com/samba-team/samba is the Official GitLab mirror of https://git.samba.org/samba.git -- Merge requests should be made on GitLab (not on GitHub)
4.7 9.4 L2 OpenID VS FreeIPAMirror of FreeIPA, an integrated security information management solution
2.5 8.2 OpenID VS BounCABounCA is a web tool to generate self-signed SSL certificates and setup a key infrastructure
- 9.7 OpenID VS ZITADELCloud-native Identity & Access Management solution providing a platform for secure authentication, authorization and identity management.
* Code Quality Rankings and insights are calculated and provided by Lumnify.
They vary from L1 to L5 with "L5" being the highest.
Do you think we are missing an alternative of OpenID or a related project?
mod_auth_openidc is a certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality.
This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party (RP) towards an OpenID Connect Provider (OP). It relays end user authentication to a Provider and receives user identity information from that Provider. It then passes on that identity information (a.k.a. claims) to applications protected by the Apache web server and establishes an authentication session for the identified user.
The protected content, applications and services can be hosted by the Apache server itself or served from origin server(s) residing behind it by configuring Apache as a Reverse Proxy in front of those servers. The latter allows for adding OpenID Connect based authentication to existing applications/services/SPAs without modifying those applications, possibly migrating them away from legacy authentication mechanisms to standards-based OpenID Connect Single Sign On (SSO).
By default the module sets the
REMOTE_USER variable to the
[sub] claim, concatenated with the OP's Issuer
id_token claims are passed in HTTP headers and/or environment variables together with those
(optionally) obtained from the UserInfo endpoint. The provided HTTP headers and environment variables can be consumed by
applications protected by the Apache server.
Custom fine-grained authorization rules - based on Apache's
Require primitives - can be specified to match against the
set of claims provided in the
userinfo claims, see here.
Clustering for resilience and performance can be configured using one of the supported cache backends options as
For an exhaustive description of all configuration options, see the file
This file can also serve as an include file for
mod_auth_openidc is OpenID Connect certified and supports the following specifications:
- OpenID Connect Core 1.0 (Basic, Implicit, Hybrid and Refresh flows)
- OpenID Connect Discovery 1.0
- OpenID Connect Dynamic Client Registration 1.0
- OAuth 2.0 Multiple Response Type Encoding Practices 1.0
- OAuth 2.0 Form Post Response Mode 1.0
- RFC7 7636 - Proof Key for Code Exchange by OAuth Public Clients
- OpenID Connect Session Management 1.0 (implementers draft; see the Wiki for information on how to configure it)
- OpenID Connect Front-Channel Logout 1.0 (implementers draft)
- OpenID Connect Back-Channel Logout 1.0 (implementers draft)
Documentation can be found at the Wiki (including Frequently Asked Questions) at:
For questions, issues and suggestions use the Github Discussions forum at:
For commercial support contracts, professional services, training and use-case specific support please contact:
How to Use It
OpenID Connect SSO with Google+ Sign-In
Sample configuration for using Google as your OpenID Connect Provider running on
as the redirect_uri for the client through the Google API Console. You will also
have to enable the
Google+ API under
APIs & auth in the Google API console.
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration OIDCClientID <your-client-id-administered-through-the-google-api-console> OIDCClientSecret <your-client-secret-administered-through-the-google-api-console> # OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content OIDCRedirectURI https://www.example.com/example/redirect_uri OIDCCryptoPassphrase <password> <Location /example/> AuthType openid-connect Require valid-user </Location>
Note if you want to securely restrict logins to a specific Google Apps domain you would not only
hd=<your-domain> setting to the
OIDCAuthRequestParams primitive for skipping the Google Account
Chooser screen, but you must also ask for the
OIDCScope and use a
authorization setting in the
Location primitive similar to:
OIDCScope "openid email" Require claim hd:<your-domain>
The above is an authorization example of an exact match of a provided claim against a string value. For more authorization options see the Wiki page on Authorization.
Quickstart with a generic OpenID Connect Provider
- install and load
mod_auth_openidc.soin your Apache server
- configure your protected content/locations with
OIDCRedirectURIto a "vanity" URL within a location that is protected by mod_auth_openidc
- register/generate a Client identifier and a secret with the OpenID Connect Provider and configure those in
- and register the
OIDCRedirectURIas the Redirect or Callback URI with your client at the Provider
OIDCProviderMetadataURLso it points to the Discovery metadata of your OpenID Connect Provider served on the
- configure a random password in
OIDCCryptoPassphrasefor session/state encryption purposes
LoadModule auth_openidc_module modules/mod_auth_openidc.so OIDCProviderMetadataURL <issuer>/.well-known/openid-configuration OIDCClientID <client_id> OIDCClientSecret <client_secret> # OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content OIDCRedirectURI https://<hostname>/secure/redirect_uri OIDCCryptoPassphrase <password> <Location /secure> AuthType openid-connect Require valid-user </Location>
For details on configuring multiple providers see the Wiki.
Quickstart for Other Providers
See the Wiki for configuration docs for other OpenID Connect Providers:
- GLUU Server
- Azure AD
- Sign in with Apple
- Curity Identity Server
- Globus and more