Apache + mod_auth_openidc, legacy grant types and OIDC conformance

We have a few legacy apps that do not (and will not) support OAuth/OIDC, SAML, or WS-Fed. For these apps we put an Apache instance in front of them and use mod_auth_openidc to enforce authentication with Auth0.

It appears the module requires OIDC conformance to be disabled, and it relies on one or more of the legacy grant types. We haven’t confirmed precisely which legacy grant type it relies on (and yes, there are also a bunch of other grant types in the screencap that should be disabled!)

331260×510 19.7 KB

Just wondering what we should be concerned about here. Will the legacy grant types eventually go away? Is this a big deal? Are there alternative solutions we should look at?

both Auth0 and mod_auth_openidc are OpenID Connect certified; it should not be required to switch to legacy grant types; why do you think so?

I’m afraid I’m functioning as a middle-man here so I’m short on the details. We have an infrastructure team that set this up (apache + mod_auth_openidc in front of a non-Auth0 app) and from what I know, they insisted one or more legacy grant types (and disabling OIDC conformance) were required for this solution to work.

I’ll replicate the setup in my local environment and do my own testing.

Thanks.