Protect only login page

[1tannerweir]

I want to protect only my login page with OpenID Connect (where it will then create a session for the user with an application specific account). Is it possible to accomplish this using the <Location /> parameter in the config file? I have all of my webpages stored in htdocs/example/ but only want to protect the "login.php" file within this directory. Is this possible without moving the "login.php" file to another directory?

The below parameters in the config file did not seem to work as I was intending. So far, I have only been able to get OpenID Connect to work by using the "/" wildcard location.
<Location /example/login.php>
AuthType openid-connect
Require valid-user

<Location /redirectURI/>
AuthType openid-connect
Require valid-user

[zandbelt]

the above should work, assuming that you've used closing tags </Location> correctly; if not, then please describe what the behaviour is

[1tannerweir]

I do have the closing <\Location tags. I can now see that the response from our OpenID Connect server is in the $_SERVER variable, so I guess mod_auth_openidc is working correctly. Whenever I have the whole website protected by mod_auth_openidc, my login page works after I click "Single Sign On" and the user is re-directed to the home page (before even seeing the login page, they are directed to the single sign on screen. After signing onto the single sign on screen, the website sign in screen appears, letting them login locally or just clicking the "single sign on" button, which they have already authenticated against).
Whenever I specify only the login page and redirect URI to be protected by mod_auth_openidc, my login page does not work with the SSO after pressing the Single Sign On button.

I can see that the $_SERVER['sub'] variable is still set correctly though, so I am not sure why my application is failing to copy that variable to the session to store the logged in user. Not sure why the mod_auth_openidc config file would have any affect on that

[1tannerweir]

My php error logs are giving errors saying that $_SERVER['sub'] does not exist, even though I see it printed on the screen. My login page uses AJAX and references another PHP page that has all of the login functions on it. Would I also need to include all the "embedded"/included PHP pages in the protected by mod_auth_openidc section?

That is all that makes sense to me from this scenario, since including all pages seems to work correctly.

[1tannerweir]

I broke out the functions onto another PHP page that I included in the protected section of the mod_auth_openidc config file. Even though the user never sees the redirect to those pages, I guess the way the browser loads them in the background requires that they are protected by mod_auth_openidc in order to get the header information.