Hello community,
here is the log from the commit of package apache2-mod_auth_openidc for
openSUSE:Factory checked in at 2020-09-03 01:15:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc (Old)
and /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.3399 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2-mod_auth_openidc"
Thu Sep 3 01:15:52 2020 rev:11 rq:831365 version:2.4.4
Changes:
--------
---
/work/SRC/openSUSE:Factory/apache2-mod_auth_openidc/apache2-mod_auth_openidc.changes
2020-08-12 10:29:52.412028787 +0200
+++
/work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.3399/apache2-mod_auth_openidc.changes
2020-09-03 01:16:31.540522877 +0200
@@ -1,0 +2,27 @@
+Tue Sep 1 23:57:08 UTC 2020 - Michael Ströder <[email protected]>
+
+- Update to version 2.4.4
+ * Security
+ - prevent XSS and open redirect on OIDC session management OP iframe,
+ introducing generic OIDCRedirectURLsAllowed primitive; thanks Andrew
Brady
+ - add OIDCStateCookiePrefix primitive for the state cookie prefix to
anonymise the state cookie name
+ * Bugfixes
+ - fix double Set-Cookie behaviour when using OIDCSessionType client-cookie,
+ calling the session info hook and writing out a session update (twice);
thanks @deisser
+ - reverse order of creating HTML response and writing the (client-type)
+ session cookie in the session info hook so the session data is actually
saved; thanks @deisser
+ - delete state cookie when it cannot be decoded/decrypted
+ - avoid an Apache authorisation error and HTTP 500 when logout is
triggered by a different RP
+ * Features
+ - add conditional expression to OIDCUnAuthAction to override
auto-detection of
+ non-browser requests; see #479; thanks @raro42 and @marcstern
+ * Other
+ - fixes for various compiler warnings/issues (older and newer versions of
GCC)
+ - add grant_types to dynamic client registration request [OIDC conformance
test suite]
+ - don't send access_token in user info request when method is set to POST
+ [OIDC conformance test suite]
+ - add recommended cache headers on backchannel logout response
+
https://openid.net/specs/openid-connect-backchannel-1_0.html#rfc.section.2.8
[OIDC conformance test suite]
+ - allow Content-Type check on backchannel logout to have postfixes (utf-8
etc.) [OIDC conformance test suite]
+
+-------------------------------------------------------------------
Old:
----
apache2-mod_auth_openidc-2.4.3.tar.gz
New:
----
apache2-mod_auth_openidc-2.4.4.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache2-mod_auth_openidc.spec ++++++
--- /var/tmp/diff_new_pack.DHc80D/_old 2020-09-03 01:16:32.348523174 +0200
+++ /var/tmp/diff_new_pack.DHc80D/_new 2020-09-03 01:16:32.352523176 +0200
@@ -19,7 +19,7 @@
%define apxs %{_sbindir}/apxs2
%define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
Name: apache2-mod_auth_openidc
-Version: 2.4.3
+Version: 2.4.4
Release: 0
Summary: Apache2.x module for an OpenID Connect enabled Identity
Provider
License: Apache-2.0
++++++ apache2-mod_auth_openidc-2.4.3.tar.gz ->
apache2-mod_auth_openidc-2.4.4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.3/.github/FUNDING.yml
new/mod_auth_openidc-2.4.4/.github/FUNDING.yml
--- old/mod_auth_openidc-2.4.3/.github/FUNDING.yml 2020-06-10
18:14:24.000000000 +0200
+++ new/mod_auth_openidc-2.4.4/.github/FUNDING.yml 1970-01-01
01:00:00.000000000 +0100
@@ -1,8 +0,0 @@
-# These are supported funding model platforms
-
-github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1,
user2]
-patreon: mod_auth_openidc
-open_collective: # Replace with a single Open Collective username
-ko_fi: # Replace with a single Ko-fi username
-tidelift: # Replace with a single Tidelift platform-name/package-name e.g.,
npm/babel
-custom: # Replace with a single custom sponsorship URL
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.3/.travis.yml
new/mod_auth_openidc-2.4.4/.travis.yml
--- old/mod_auth_openidc-2.4.3/.travis.yml 2020-06-10 18:14:24.000000000
+0200
+++ new/mod_auth_openidc-2.4.4/.travis.yml 2020-09-01 12:17:38.000000000
+0200
@@ -2,6 +2,10 @@
dist: trusty
+arch:
+ - amd64
+ - ppc64le
+
addons:
apt:
packages:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.3/AUTHORS
new/mod_auth_openidc-2.4.4/AUTHORS
--- old/mod_auth_openidc-2.4.3/AUTHORS 2020-06-10 18:14:24.000000000 +0200
+++ new/mod_auth_openidc-2.4.4/AUTHORS 2020-09-01 12:17:38.000000000 +0200
@@ -62,3 +62,5 @@
absynth76 <https://github.com/absynth76>
Aaron Jones <https://github.com/wwaaron>
Bryan Ingram <https://github/bcingram>
+ Tim Deisser <https://github.com/deisser>
+ Peter Hurtenbach <https://github.com/Peter0x48>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.3/ChangeLog
new/mod_auth_openidc-2.4.4/ChangeLog
--- old/mod_auth_openidc-2.4.3/ChangeLog 2020-06-10 18:14:24.000000000
+0200
+++ new/mod_auth_openidc-2.4.4/ChangeLog 2020-09-01 12:17:38.000000000
+0200
@@ -1,3 +1,52 @@
+09/01/2020
+- avoid GCC 9 compiler warnings
+- release 2.4.4
+
+08/28/2020
+- allow Content-Type check on backchannel logout to have postfixes (utf-8 etc)
+- terminate backchannel logout with DONE instead of OK to avoid authz error 500
+- bump to 2.4.4rc8
+
+08/18/2020
+- add recommended cache headers on backchannel logout response
+ https://openid.net/specs/openid-connect-backchannel-1_0.html#rfc.section.2.8
+- bump to 2.4.4rc7
+
+08/10/2020
+- add new OIDCStateCookiePrefix primitive for the state cookie prefix
+
+08/01/2020
+- add conditional expression to OIDCUnAuthAction; see #479; thanks @raro42 and
@marcstern
+- bump to 2.4.4rc6
+
+07/31/2020
+- reverse order of creating HTML response and adding session cookie; thanks
@deisser
+- bump to 2.4.4rc5
+
+07/30/2020
+- fix doubled Set-Cookie behaviour when using `client-cookie`, calling the
session info hook
+ and writing out a session update (twice); thanks @deisser
+- bump to 2.4.4rc4
+
+07/27/2020
+- prevent XSS and open redirect on OIDC session managemement OP iframe with
OIDCRedirectURLsAllowed
+ thanks Andrew Brady
+- bump to 2.4.4rc3
+
+07/22/2020
+- delete state cookie when it cannot be decoded/decrypted
+- bump to 2.4.4rc2
+
+07/03/2020
+- fix for loop initial declarations to not require c99 for compilation (RHEL 6)
+- add ap_expr.h include in stub.c (RHEL 6)
+- bump to 2.4.4rc1
+
+06/30/2020
+- add grant_types to dynamic client registration request
+- don't send access_token in user info request when method is set to POST;
conform OIDC test suite 4.0.5
+- bump to 2.4.4rc0
+
06/10/2020
- prevent open redirect on refresh token requests
add new OIDCRedirectURLsAllowed primitive to handle post logout and
refresh-return-to validation
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.3/README.md
new/mod_auth_openidc-2.4.4/README.md
--- old/mod_auth_openidc-2.4.3/README.md 2020-06-10 18:14:24.000000000
+0200
+++ new/mod_auth_openidc-2.4.4/README.md 2020-09-01 12:17:38.000000000
+0200
@@ -48,12 +48,6 @@
Support
-------
-#### Give back to mod_auth_openidc
-Please consider giving back by sponsoring mod_auth_openidc
development/maintenance/continuity and to express
-your gratitude as a happy user or company.
-See: https://www.patreon.com/mod_auth_openidc
-Sponsored by: [GLUU](https://www.gluu.org)
-
#### Community Support
For generic questions, see the Wiki pages with Frequently Asked Questions at:
[https://github.com/zmartzone/mod_auth_openidc/wiki](https://github.com/zmartzone/mod_auth_openidc/wiki)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.3/auth_openidc.conf
new/mod_auth_openidc-2.4.4/auth_openidc.conf
--- old/mod_auth_openidc-2.4.3/auth_openidc.conf 2020-06-10
18:14:24.000000000 +0200
+++ new/mod_auth_openidc-2.4.4/auth_openidc.conf 2020-09-01
12:17:38.000000000 +0200
@@ -484,6 +484,12 @@
# state cookie: Lax
# session cookie: first time set Lax, updates (e.g. after inactivity
timeout) Strict
# x_csrf discovery: Strict:
+#
+# The default `SameSite=None` cookie appendix on `Set-Cookie` response headers
can be
+# conditionally overridden using an environment variable in the Apache config
as in:
+# SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
+# (since version 2.4.1)
+#
# When not defined the default is Off.
#OIDCCookieSameSite [On|Off]
@@ -510,6 +516,10 @@
# When not defined, the default is 7 and "false", thus the oldest cookie(s)
will not be deleted.
#OIDCStateMaxNumberOfCookies <number> [false|true]
+# Define the cookie prefix for the state cookie.
+# When not defined the default is "mod_auth_openidc_state_".
+#OIDCStateCookiePrefix <cookie-prefix>
+
########################################################################################
#
# Session Settings (only relevant in an OpenID Connect Relying Party setup)
@@ -749,14 +759,38 @@
#OIDCOutgoingProxy <host>[:<port>]
# Defines the action to be taken when an unauthenticated request is made.
+#
# "auth" means that the user is redirected to the OpenID Connect Provider or
Discovery page.
# "401" means that HTTP 401 Unauthorized is returned.
# "407" means that HTTP 407 Proxy Authentication Required is returned
# "410" means that HTTP 410 Gone is returned
# "pass" means that an unauthenticated request will pass but claims will still
be passed when a user happens to be authenticated already
+#
# Useful in Location/Directory/Proxy path contexts that serve AJAX/Javascript
calls and for "anonymous access"
-# When not defined the default "auth" is used.
-#OIDCUnAuthAction [auth|pass|401|407|410]
+#
+# When not defined the default is "auth" with auto-detection of XML HTTP
requests, which would get "401".
+# The default auto-detection algorithm looks for the "X-Requested-With:
XMLHttpRequest" header/value,
+# and/or the absence of "Accept" header with any of the values "text/html"
"application/xhtml+xml" or "*/*"
+# and returns 401 for such non-browser/non-html clients. See:
https://github.com/zmartzone/mod_auth_openidc/wiki/Cookies#tldr
+#
+# Since verson 2.4.4 a boolean Apache expression as the second parameter to
specify which requests
+# need to match to return the configured value in the first parameter to
override the default "auth".
+# See also: https://httpd.apache.org/docs/2.4/expr.html.
+# E.g.:
+# OIDCUnAuthAction 401 "%{HTTP_USER_AGENT} =~ /curl/"
+# to return 401 for cURL based user agents and "auth" for any other
browsers/user agents.
+# OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest'"
+# to effectively override the default XML request detection algorithm by
ignoring the Accept headers
+# OIDCUnAuthAction 401 "%{HTTP_ACCEPT} !~ m#text/html#"
+# to return 401 for all user agents that do not send an Accept header that
includes a "text/html" value
+# OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest' || ( (
%{HTTP_ACCEPT} !~ m#text/html# ) && ( %{HTTP_ACCEPT} !~
m#application/xhtml\+xml# ) && ( %{HTTP_ACCEPT} !~ m#\*/\*# ) )"
+# just as a more complex example, it equals the default XML request detection
algorithm
+# OIDCUnAuthAction auth true
+# To disable auto-detection of XML HTTP request altogether and uncondtionally
return "auth" for all clients.
+# Note that actually *any* expression value in "OIDCUnAuthAction auth <expr>"
will *always* render "auth"
+# (even when set to "false"...) because of the default, so using an <expr>
value (other than "true") only
+# makes sense in combination with one of the values other than "auth".
+#OIDCUnAuthAction [auth|pass|401|407|410] [<expr>]
# Defines the action to be taken when an unauthorized request is made i.e. the
user is authenticated but
# does not meet the `Require claim *:*` directives or similar.
@@ -835,7 +869,8 @@
#OIDCStateInputHeaders [none|user-agent|x-forwarded-for|both]
# Define one or more regular expressions that specify URLs (or domains)
allowed for post logout and
-# other redirects such as the "return_to" value on refresh token requests,
e.g.:
+# other redirects such as the "return_to" value on refresh token requests, and
the "login_uri" value
+# on session management based logins through the OP iframe, e.g.:
# OIDCRedirectURLsAllowed ^https://www.example.com
^https://(\w+).example.org ^https://example.net/app
# or:
# OIDCRedirectURLsAllowed ^https://www.example.com/logout$
^https://www.example.com/app/return_to$
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.3/configure.ac
new/mod_auth_openidc-2.4.4/configure.ac
--- old/mod_auth_openidc-2.4.3/configure.ac 2020-06-10 18:14:24.000000000
+0200
+++ new/mod_auth_openidc-2.4.4/configure.ac 2020-09-01 12:17:38.000000000
+0200
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.3],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.4],[[email protected]])
AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.3/src/cache/common.c
new/mod_auth_openidc-2.4.4/src/cache/common.c
--- old/mod_auth_openidc-2.4.3/src/cache/common.c 2020-06-10
18:14:24.000000000 +0200
+++ new/mod_auth_openidc-2.4.4/src/cache/common.c 2020-09-01
12:17:38.000000000 +0200
@@ -661,8 +661,9 @@
out:
/* log the result */
msg = apr_psprintf(r->pool, "%d bytes in %s cache backend for %skey %s",
- value ? (int) strlen(value) : 0, cfg->cache->name,
- encrypted ? "encrypted " : "", key);
+ (value ? (int) strlen(value) : 0),
+ (cfg->cache->name ? cfg->cache->name : ""),
+ (encrypted ? "encrypted " : ""), (key ? key : ""));
if (rc == TRUE)
oidc_debug(r, "successfully stored %s", msg);
else
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.3/src/config.c
new/mod_auth_openidc-2.4.4/src/config.c
--- old/mod_auth_openidc-2.4.3/src/config.c 2020-06-10 18:14:24.000000000
+0200
+++ new/mod_auth_openidc-2.4.4/src/config.c 2020-09-01 12:17:38.000000000
+0200
@@ -172,6 +172,8 @@
#define OIDC_DEFAULT_REFRESH_ACCESS_TOKEN_BEFORE_EXPIRY -1
/* default setting for calculating the fingerprint of the state from request
headers during authentication */
#define OIDC_DEFAULT_STATE_INPUT_HEADERS (OIDC_STATE_INPUT_HEADERS_USER_AGENT
| OIDC_STATE_INPUT_HEADERS_X_FORWARDED_FOR)
+/* default prefix of the state cookie that binds the state in the
authorization request/response to the browser */
+#define OIDC_DEFAULT_STATE_COOKIE_PREFIX "mod_auth_openidc_state_"
#define OIDCProviderMetadataURL "OIDCProviderMetadataURL"
#define OIDCProviderIssuer "OIDCProviderIssuer"
@@ -274,6 +276,7 @@
#define OIDCRefreshAccessTokenBeforeExpiry
"OIDCRefreshAccessTokenBeforeExpiry"
#define OIDCStateInputHeaders "OIDCStateInputHeaders"
#define OIDCRedirectURLsAllowed "OIDCRedirectURLsAllowed"
+#define OIDCStateCookiePrefix "OIDCStateCookiePrefix"
extern module AP_MODULE_DECLARE_DATA auth_openidc_module;
@@ -286,6 +289,7 @@
char *cookie;
char *authn_header;
int unauth_action;
+ ap_expr_info_t *unauth_expression;
int unautz_action;
apr_array_header_t *pass_cookies;
apr_array_header_t *strip_cookies;
@@ -300,6 +304,7 @@
char *path_scope;
int refresh_access_token_before_expiry;
int logout_on_error_refresh;
+ char *state_cookie_prefix;
} oidc_dir_cfg;
#define OIDC_CONFIG_DIR_RV(cmd, rv) rv != NULL ? apr_psprintf(cmd->pool,
"Invalid value for directive '%s': %s", cmd->directive->directive, rv) : NULL
@@ -920,10 +925,20 @@
* define how to act on unauthenticated requests
*/
static const char * oidc_set_unauth_action(cmd_parms *cmd, void *m,
- const char *arg) {
+ const char *arg1, const char *arg2) {
oidc_dir_cfg *dir_cfg = (oidc_dir_cfg *) m;
- const char *rv = oidc_parse_unauth_action(cmd->pool, arg,
+ const char *expr_err = NULL;
+ const char *rv = oidc_parse_unauth_action(cmd->pool, arg1,
&dir_cfg->unauth_action);
+ if ((rv == NULL) && (arg2 != NULL)) {
+ dir_cfg->unauth_expression = ap_expr_parse_cmd(cmd, arg2,
+ AP_EXPR_FLAG_DONT_VARY &
AP_EXPR_FLAG_RESTRICTED, &expr_err,
+ NULL);
+ if (expr_err != NULL) {
+ rv = apr_pstrcat(cmd->temp_pool, "cannot parse
expression: ",
+ expr_err, NULL);
+ }
+ }
return OIDC_CONFIG_DIR_RV(cmd, rv);
}
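Review bot: The flag argument `AP_EXPR_FLAG_DONT_VARY & AP_EXPR_FLAG_RESTRICTED` handed to ap_expr_parse_cmd combines two distinct single-bit flags with bitwise AND, which yields 0, so the expression is parsed with neither flag in effect; in particular AP_EXPR_FLAG_RESTRICTED, the flag httpd uses to keep functions it deems unsafe for untrusted contexts out of an expression, is not applied even though the directive is accepted in OR_AUTHCFG (.htaccess) context per the AP_INIT_TAKE12 entry later in this diff. The operator should be OR: `AP_EXPR_FLAG_DONT_VARY | AP_EXPR_FLAG_RESTRICTED`. The `(rv == NULL)` guard also means a second argument is silently ignored when the first one is invalid, which is fine but deserves a one-liner such as `/* only parse the expression once the action itself is known to be valid */`.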
@@ -1153,6 +1168,17 @@
return dir_cfg->logout_on_error_refresh;
}
+char *oidc_cfg_dir_state_cookie_prefix(request_rec *r) {
+ oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
+ &auth_openidc_module);
+ if ((dir_cfg->state_cookie_prefix == NULL)
+ || ((dir_cfg->state_cookie_prefix != NULL)
+ && (apr_strnatcmp(dir_cfg->state_cookie_prefix,
OIDC_CONFIG_STRING_UNSET)
+ == 0)))
+ return OIDC_DEFAULT_STATE_COOKIE_PREFIX;
+ return dir_cfg->state_cookie_prefix;
+}
+
void oidc_cfg_provider_init(oidc_provider_t *provider) {
provider->metadata_url = NULL;
provider->issuer = NULL;
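Review bot: The `(dir_cfg->state_cookie_prefix != NULL) &&` term in oidc_cfg_dir_state_cookie_prefix is redundant, because the first disjunct has already returned the default for NULL; the condition reads as `if ((dir_cfg->state_cookie_prefix == NULL) || (apr_strnatcmp(dir_cfg->state_cookie_prefix, OIDC_CONFIG_STRING_UNSET) == 0))`. Separately, the value arrives straight from ap_set_string_slot (see the OIDCStateCookiePrefix entry later in this diff) and becomes the leading part of a cookie name, so nothing rejects characters that are not valid in a cookie-name token (`;`, `=`, whitespace); a malformed prefix yields a Set-Cookie header browsers ignore or split, and the state-cookie lookup in mod_auth_openidc.c then matches on the same prefix via strstr. Validating the prefix in a dedicated setter, or at least stating the constraint in the directive's help text, would close that gap.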
@@ -1821,6 +1847,7 @@
c->cookie_path = OIDC_CONFIG_STRING_UNSET;
c->authn_header = OIDC_CONFIG_STRING_UNSET;
c->unauth_action = OIDC_CONFIG_POS_INT_UNSET;
+ c->unauth_expression = NULL;
c->unautz_action = OIDC_CONFIG_POS_INT_UNSET;
c->pass_cookies = NULL;
c->strip_cookies = NULL;
@@ -1835,6 +1862,7 @@
c->path_scope = NULL;
c->refresh_access_token_before_expiry = OIDC_CONFIG_POS_INT_UNSET;
c->logout_on_error_refresh = OIDC_CONFIG_POS_INT_UNSET;
+ c->state_cookie_prefix = OIDC_CONFIG_STRING_UNSET;
return (c);
}
@@ -1950,9 +1978,29 @@
int oidc_dir_cfg_unauth_action(request_rec *r) {
oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
&auth_openidc_module);
+
+ int rc = 0;
+ const char *err_str = NULL;
if (dir_cfg->unauth_action == OIDC_CONFIG_POS_INT_UNSET)
return OIDC_DEFAULT_UNAUTH_ACTION;
- return dir_cfg->unauth_action;
+
+ if (dir_cfg->unauth_expression == NULL)
+ return dir_cfg->unauth_action;
+
+ rc = ap_expr_exec(r, dir_cfg->unauth_expression, &err_str);
+
+ if (rc < 0) {
+ oidc_warn(r, "executing expression failed");
+ return OIDC_DEFAULT_UNAUTH_ACTION;
+ }
+
+ return (rc > 0) ? dir_cfg->unauth_action : OIDC_DEFAULT_UNAUTH_ACTION;
+}
+
+apr_byte_t oidc_dir_cfg_unauth_expr_is_set(request_rec *r) {
+ oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
+ &auth_openidc_module);
+ return (dir_cfg->unauth_expression != NULL) ? TRUE : FALSE;
}
int oidc_dir_cfg_unautz_action(request_rec *r) {
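Review bot: In oidc_dir_cfg_unauth_action the `err_str` that ap_expr_exec fills on failure is requested but never used, so the warning gives an operator nothing to diagnose a broken expression with; log it: `oidc_warn(r, "executing expression failed: %s", err_str ? err_str : "(no details)");`. Falling back to OIDC_DEFAULT_UNAUTH_ACTION on an evaluation error is the conservative direction (a configured `pass` degrades to the default rather than the other way round), and a short comment saying so would make that intent explicit for the next reader.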
@@ -1997,6 +2045,9 @@
c->unauth_action =
add->unauth_action != OIDC_CONFIG_POS_INT_UNSET ?
add->unauth_action :
base->unauth_action;
+ c->unauth_expression =
+ add->unauth_expression != NULL ?
+ add->unauth_expression :
base->unauth_expression;
c->unautz_action =
add->unautz_action != OIDC_CONFIG_POS_INT_UNSET ?
add->unautz_action :
base->unautz_action;
@@ -2047,6 +2098,10 @@
add->logout_on_error_refresh :
base->logout_on_error_refresh;
+ c->state_cookie_prefix =
+ (apr_strnatcmp(add->state_cookie_prefix, OIDC_CONFIG_STRING_UNSET)
!= 0) ?
+ add->state_cookie_prefix : base->state_cookie_prefix;
+
return (c);
}
@@ -3088,7 +3143,7 @@
(void *) APR_OFFSETOF(oidc_dir_cfg, cookie),
RSRC_CONF|ACCESS_CONF|OR_AUTHCFG,
"Define the cookie name for the session
cookie."),
- AP_INIT_TAKE1(OIDCUnAuthAction,
+ AP_INIT_TAKE12(OIDCUnAuthAction,
oidc_set_unauth_action,
(void *) APR_OFFSETOF(oidc_dir_cfg,
unauth_action),
RSRC_CONF|ACCESS_CONF|OR_AUTHCFG,
@@ -3186,5 +3241,11 @@
RSRC_CONF|ACCESS_CONF|OR_AUTHCFG,
"Specify one or more regular expressions that
define URLs allowed for post logout and other redirects."),
+ AP_INIT_TAKE1(OIDCStateCookiePrefix,
+ ap_set_string_slot,
+ (void *) APR_OFFSETOF(oidc_dir_cfg,
state_cookie_prefix),
+ RSRC_CONF|ACCESS_CONF|OR_AUTHCFG,
+ "Define the cookie prefix for the state
cookie."),
+
{ NULL }
};
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.3/src/jose.c
new/mod_auth_openidc-2.4.4/src/jose.c
--- old/mod_auth_openidc-2.4.3/src/jose.c 2020-06-10 18:14:24.000000000
+0200
+++ new/mod_auth_openidc-2.4.4/src/jose.c 2020-09-01 12:17:38.000000000
+0200
@@ -1448,6 +1448,7 @@
cjose_err err;
json_t *json = NULL, *tempArray = NULL;
json_error_t json_error;
+ int i = 0;
if (!oidc_jwk) {
oidc_jose_error(oidc_err,
@@ -1477,7 +1478,7 @@
oidc_jose_error(oidc_err, "json_array failed");
goto to_json_cleanup;
}
- for (int i = 0; i < oidc_jwk->x5c_count; i++) {
+ for (i = 0; i < oidc_jwk->x5c_count; i++) {
if (json_array_append_new(tempArray,
json_string((char *) oidc_jwk->x5c[i]))
== -1) {
oidc_jose_error(oidc_err, "json_array_append
failed");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.3/src/metadata.c
new/mod_auth_openidc-2.4.4/src/metadata.c
--- old/mod_auth_openidc-2.4.3/src/metadata.c 2020-06-10 18:14:24.000000000
+0200
+++ new/mod_auth_openidc-2.4.4/src/metadata.c 2020-09-01 12:17:38.000000000
+0200
@@ -101,6 +101,7 @@
#define OIDC_METADATA_CLIENT_NAME
"client_name"
#define OIDC_METADATA_REDIRECT_URIS
"redirect_uris"
#define OIDC_METADATA_RESPONSE_TYPES
"response_types"
+#define OIDC_METADATA_GRANT_TYPES
"grant_types"
#define OIDC_METADATA_TOKEN_ENDPOINT_AUTH_METHOD
"token_endpoint_auth_method"
#define OIDC_METADATA_CONTACTS "contacts"
#define OIDC_METADATA_INITIATE_LOGIN_URI
"initiate_login_uri"
@@ -506,6 +507,10 @@
}
json_object_set_new(data, OIDC_METADATA_RESPONSE_TYPES, response_types);
+ json_object_set_new(data, OIDC_METADATA_GRANT_TYPES,
+ json_pack("[s, s, s]", "authorization_code", "implicit",
+ "refresh_token"));
+
if (provider->token_endpoint_auth != NULL) {
json_object_set_new(data,
OIDC_METADATA_TOKEN_ENDPOINT_AUTH_METHOD,
json_string(provider->token_endpoint_auth));
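Review bot: The grant_types sent in the dynamic registration request are hard-coded to authorization_code, implicit and refresh_token, so the RP registers for the implicit grant even when its response type is configured for the code flow only; deriving the array from the provider's configured response type (whether that is reachable here is not visible in the hunk) would advertise only the flows actually in use. json_pack also returns NULL on failure, and json_object_set_new then fails silently; the response_types value just above appears to be assembled step by step, so mirroring that pattern or checking the json_pack result would be consistent with the surrounding code. The enclosing function starts and ends outside this hunk.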
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.3/src/mod_auth_openidc.c
new/mod_auth_openidc-2.4.4/src/mod_auth_openidc.c
--- old/mod_auth_openidc-2.4.3/src/mod_auth_openidc.c 2020-06-10
18:14:24.000000000 +0200
+++ new/mod_auth_openidc-2.4.4/src/mod_auth_openidc.c 2020-09-01
12:17:38.000000000 +0200
@@ -74,7 +74,7 @@
#include "mod_auth_openidc.h"
-#define ERROR 2
+#define OIDC_REFRESH_ERROR 2
static int oidc_handle_logout_request(request_rec *r, oidc_cfg *c,
oidc_session_t *session, const char *url);
@@ -289,7 +289,7 @@
* return the name for the state cookie
*/
static char *oidc_get_state_cookie_name(request_rec *r, const char *state) {
- return apr_psprintf(r->pool, "%s%s", OIDC_STATE_COOKIE_PREFIX, state);
+ return apr_psprintf(r->pool, "%s%s",
oidc_cfg_dir_state_cookie_prefix(r), state);
}
/*
@@ -745,7 +745,7 @@
while (cookie != NULL) {
while (*cookie == OIDC_CHAR_SPACE)
cookie++;
- if (strstr(cookie, OIDC_STATE_COOKIE_PREFIX) == cookie)
{
+ if (strstr(cookie, oidc_cfg_dir_state_cookie_prefix(r))
== cookie) {
char *cookieName = cookie;
while (cookie != NULL && *cookie !=
OIDC_CHAR_EQUAL)
cookie++;
@@ -784,6 +784,12 @@
number_of_valid_state_cookies++;
}
oidc_proto_state_destroy(proto_state);
+ } else {
+ oidc_warn(r,
+ "state
cookie could not be retrieved/decoded, deleting: %s",
+
cookieName);
+ oidc_util_set_cookie(r,
cookieName, "", 0,
+ NULL);
}
}
}
@@ -1077,7 +1083,8 @@
* won't redirect the user and thus avoid creating a state
cookie
* for a non-browser (= Javascript) call that will never return
from the OP
*/
- if (oidc_is_xml_http_request(r) == TRUE)
+ if ((oidc_dir_cfg_unauth_expr_is_set(r) == FALSE)
+ && (oidc_is_xml_http_request(r) == TRUE))
return HTTP_UNAUTHORIZED;
}
@@ -1419,8 +1426,8 @@
/*
* pass refresh_token, access_token and access_token_expires as
headers/environment variables to the application
*/
-static apr_byte_t oidc_session_pass_tokens_and_save(request_rec *r,
- oidc_cfg *cfg, oidc_session_t *session, apr_byte_t needs_save) {
+static apr_byte_t oidc_session_pass_tokens(request_rec *r,
+ oidc_cfg *cfg, oidc_session_t *session, apr_byte_t *needs_save)
{
apr_byte_t pass_headers = oidc_cfg_dir_pass_info_in_headers(r);
apr_byte_t pass_envvars = oidc_cfg_dir_pass_info_in_envvars(r);
@@ -1471,17 +1478,12 @@
slack = apr_time_from_sec(60);
if (session->expiry - now < interval - slack) {
session->expiry = now + interval;
- needs_save = TRUE;
+ *needs_save = TRUE;
}
/* log message about session expiry */
oidc_log_session_expires(r, "session inactivity timeout",
session->expiry);
- /* check if something was updated in the session and we need to save it
again */
- if (needs_save)
- if (oidc_session_save(r, session, FALSE) == FALSE)
- return FALSE;
-
return TRUE;
}
@@ -1533,7 +1535,7 @@
oidc_warn(r, "access_token could not be refreshed, logout=%d",
logout_on_error & OIDC_LOGOUT_ON_ERROR_REFRESH);
if (logout_on_error & OIDC_LOGOUT_ON_ERROR_REFRESH)
- return ERROR;
+ return OIDC_REFRESH_ERROR;
else
return FALSE;
}
@@ -1545,12 +1547,11 @@
* handle the case where we have identified an existing authentication session
for a user
*/
static int oidc_handle_existing_session(request_rec *r, oidc_cfg *cfg,
- oidc_session_t *session) {
+ oidc_session_t *session, apr_byte_t *needs_save) {
- oidc_debug(r, "enter");
+ apr_byte_t rv = FALSE;
- /* track if the session needs to be updated/saved into the cache */
- apr_byte_t needs_save = FALSE;
+ oidc_debug(r, "enter");
/* set the user in the main request for further (incl. sub-request)
processing */
r->user = apr_pstrdup(r->pool, session->remote_user);
@@ -1571,15 +1572,20 @@
return rc;
/* if needed, refresh the access token */
- needs_save = oidc_refresh_access_token_before_expiry(r, cfg, session,
+ rv = oidc_refresh_access_token_before_expiry(r, cfg, session,
oidc_cfg_dir_refresh_access_token_before_expiry(r),
oidc_cfg_dir_logout_on_error_refresh(r));
- if (needs_save == ERROR)
+
+ if (rv == OIDC_REFRESH_ERROR) {
+ *needs_save = FALSE;
return oidc_handle_logout_request(r, cfg, session,
cfg->default_slo_url);
+ }
+
+ *needs_save |= rv;
/* if needed, refresh claims from the user info endpoint */
if (oidc_refresh_claims_from_userinfo_endpoint(r, cfg, session) == TRUE)
- needs_save = TRUE;
+ *needs_save = TRUE;
/*
* we're going to pass the information that we have to the application,
@@ -1654,8 +1660,8 @@
}
}
- /* pass the at, rt and at expiry to the application, possibly update
the session expiry and save the session */
- if (oidc_session_pass_tokens_and_save(r, cfg, session, needs_save) ==
FALSE)
+ /* pass the at, rt and at expiry to the application, possibly update
the session expiry */
+ if (oidc_session_pass_tokens(r, cfg, session, needs_save) == FALSE)
return HTTP_INTERNAL_SERVER_ERROR;
/* return "user authenticated" status */
@@ -3028,7 +3034,9 @@
oidc_cache_set_sid(r, sid, NULL, 0);
oidc_cache_set_session(r, uuid, NULL, 0);
- rc = OK;
+ // terminate with DONE instead of OK
+ // to avoid Apache returning auth/authz error 500 for the redirect URI
+ rc = DONE;
out:
@@ -3042,11 +3050,16 @@
jwt = NULL;
}
+ oidc_util_hdr_err_out_add(r, OIDC_HTTP_HDR_CACHE_CONTROL,
+ "no-cache, no-store");
+ oidc_util_hdr_err_out_add(r, OIDC_HTTP_HDR_PRAGMA, "no-cache");
+
return rc;
}
static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
- const char *url, char **err_str, char **err_desc) {
+ const char *url, apr_byte_t restrict_to_host, char **err_str,
+ char **err_desc) {
apr_uri_t uri;
const char *c_host = NULL;
apr_hash_index_t *hi = NULL;
@@ -3075,7 +3088,7 @@
oidc_error(r, "%s: %s", *err_str, *err_desc);
return FALSE;
}
- } else if (uri.hostname != NULL) {
+ } else if ((uri.hostname != NULL) && (restrict_to_host == TRUE)) {
c_host = oidc_get_current_url_host(r);
if ((strstr(c_host, uri.hostname) == NULL)
|| (strstr(uri.hostname, c_host) == NULL)) {
@@ -3154,7 +3167,7 @@
} else {
/* do input validation on the logout parameter value */
- if (oidc_validate_redirect_url(r, c, url, &error_str,
+ if (oidc_validate_redirect_url(r, c, url, TRUE, &error_str,
&error_description) == FALSE) {
return oidc_util_html_send_error(r, c->error_template,
error_str,
error_description,
@@ -3319,8 +3332,13 @@
if ((poll_interval <= 0) || (poll_interval > 3600 * 24))
poll_interval = 3000;
- char *login_uri = NULL;
+ char *login_uri = NULL, *error_str = NULL, *error_description = NULL;
oidc_util_get_request_parameter(r, "login_uri", &login_uri);
+ if ((login_uri != NULL)
+ && (oidc_validate_redirect_url(r, c, login_uri, FALSE,
&error_str,
+ &error_description) == FALSE)) {
+ return HTTP_BAD_REQUEST;
+ }
const char *redirect_uri = oidc_get_redirect_uri(r, c);
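Review bot: login_uri is validated with restrict_to_host set to FALSE, which skips the current-host comparison in oidc_validate_redirect_url and leaves only the allow-list branch (outside this hunk) between the parameter and its later use; when no OIDCRedirectURLsAllowed is configured it is not visible from this diff whether an absolute login_uri on a foreign host is still rejected, and that case deserves an explicit test since this is the open-redirect fix the changelog describes. The reason for the relaxed check is not stated in code; a comment such as `/* login_uri is not bound to our own host: it must match OIDCRedirectURLsAllowed */` would tell the next reader why this caller differs from the logout and return_to callers, which pass TRUE. The enclosing function continues past this hunk.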
@@ -3415,6 +3433,7 @@
char *error_code = NULL;
char *error_str = NULL;
char *error_description = NULL;
+ apr_byte_t needs_save = TRUE;
/* get the command passed to the session management handler */
oidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_REFRESH,
@@ -3430,7 +3449,7 @@
}
/* do input validation on the return to parameter value */
- if (oidc_validate_redirect_url(r, c, return_to, &error_str,
+ if (oidc_validate_redirect_url(r, c, return_to, TRUE, &error_str,
&error_description) == FALSE) {
oidc_error(r, "return_to URL validation failed: %s: %s",
error_str,
error_description);
@@ -3474,12 +3493,17 @@
goto end;
}
- /* pass the tokens to the application and save the session, possibly
updating the expiry */
- if (oidc_session_pass_tokens_and_save(r, c, session, TRUE) == FALSE) {
+ /* pass the tokens to the application, possibly updating the expiry */
+ if (oidc_session_pass_tokens(r, c, session, &needs_save) == FALSE) {
error_code = "session_corruption";
goto end;
}
+ if (oidc_session_save(r, session, FALSE) == FALSE) {
+ error_code = "error saving session";
+ goto end;
+ }
+
end:
/* pass optional error message to the return URL */
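Review bot: The new error_code `"error saving session"` is a free-form phrase with spaces, while the neighbouring `session_corruption` path uses a token-style code; since the comment right below says error_code is passed on to the return URL, a token such as `error_code = "session_save_error";` keeps that URL parameter consistent and easier for the receiving page to match on. Whether anything parses this value is not visible in the hunk.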
@@ -3549,9 +3573,8 @@
* handle request for session info
*/
static int oidc_handle_info_request(request_rec *r, oidc_cfg *c,
- oidc_session_t *session) {
+ oidc_session_t *session, apr_byte_t needs_save) {
int rc = HTTP_UNAUTHORIZED;
- apr_byte_t needs_save = FALSE;
char *s_format = NULL, *s_interval = NULL, *r_value = NULL;
oidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_INFO,
&s_format);
@@ -3693,6 +3716,18 @@
json_string(refresh_token));
}
+ /* pass the tokens to the application and save the session, possibly
updating the expiry */
+ if (oidc_session_pass_tokens(r, c, session, &needs_save) == FALSE)
+ oidc_warn(r, "error passing tokens");
+
+ /* check if something was updated in the session and we need to save it
again */
+ if (needs_save) {
+ if (oidc_session_save(r, session, FALSE) == FALSE) {
+ oidc_warn(r, "error saving session");
+ rc = HTTP_INTERNAL_SERVER_ERROR;
+ }
+ }
+
if (apr_strnatcmp(OIDC_HOOK_INFO_FORMAT_JSON, s_format) == 0) {
/* JSON-encode the result */
r_value = oidc_util_encode_json_object(r, json, 0);
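Review bot: A failing oidc_session_pass_tokens is now only warned about, whereas before this change the equivalent failure inside oidc_session_pass_tokens_and_save made the info request return HTTP_INTERNAL_SERVER_ERROR; if the downgrade is intentional, say so next to the warning, otherwise set `rc = HTTP_INTERNAL_SERVER_ERROR;` there as the save path does. After a failed save rc is set to 500 but execution falls through to the response encoding; whether a body is still emitted with that status depends on code outside the hunk, and leaving the function before encoding would be the cleaner shape. The enclosing function continues past this hunk.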
@@ -3709,12 +3744,6 @@
/* free the allocated resources */
json_decref(json);
- /* pass the tokens to the application and save the session, possibly
updating the expiry */
- if (oidc_session_pass_tokens_and_save(r, c, session, needs_save) ==
FALSE) {
- oidc_warn(r, "error saving session");
- rc = HTTP_INTERNAL_SERVER_ERROR;
- }
-
return rc;
}
@@ -3724,6 +3753,9 @@
int oidc_handle_redirect_uri_request(request_rec *r, oidc_cfg *c,
oidc_session_t *session) {
+ /* track if the session needs to be updated/saved into the cache */
+ apr_byte_t needs_save = FALSE;
+
if (oidc_proto_is_redirect_authorization_response(r, c)) {
/* this is an authorization response from the OP using the
Basic Client profile or a Hybrid flow*/
@@ -3789,11 +3821,11 @@
return HTTP_UNAUTHORIZED;
/* set r->user, set headers/env-vars, update expiry, update
userinfo + AT */
- int rc = oidc_handle_existing_session(r, c, session);
+ int rc = oidc_handle_existing_session(r, c, session,
&needs_save);
if (rc != OK)
return rc;
- return oidc_handle_info_request(r, c, session);
+ return oidc_handle_info_request(r, c, session, needs_save);
} else if ((r->args == NULL) || (apr_strnatcmp(r->args, "") == 0)) {
@@ -3845,6 +3877,7 @@
if (ap_is_initial_req(r)) {
int rc = OK;
+ apr_byte_t needs_save = FALSE;
/* load the session from the request state; this will be a new
"empty" session if no state exists */
oidc_session_t *session = NULL;
@@ -3865,7 +3898,17 @@
} else if (session->remote_user != NULL) {
/* this is initial request and we already have a
session */
- rc = oidc_handle_existing_session(r, c, session);
+ rc = oidc_handle_existing_session(r, c, session,
&needs_save);
+ if (rc == OK) {
+
+ /* check if something was updated in the
session and we need to save it again */
+ if (needs_save) {
+ if (oidc_session_save(r, session,
FALSE) == FALSE) {
+ oidc_warn(r, "error saving
session");
+ rc = HTTP_INTERNAL_SERVER_ERROR;
+ }
+ }
+ }
/* free resources allocated for the session */
oidc_session_free(r, session);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.3/src/mod_auth_openidc.h
new/mod_auth_openidc-2.4.4/src/mod_auth_openidc.h
--- old/mod_auth_openidc-2.4.3/src/mod_auth_openidc.h 2020-06-10
18:14:24.000000000 +0200
+++ new/mod_auth_openidc-2.4.4/src/mod_auth_openidc.h 2020-09-01
12:17:38.000000000 +0200
@@ -164,9 +164,6 @@
#define OIDC_AUTH_REQUEST_METHOD_GET 0
#define OIDC_AUTH_REQUEST_METHOD_POST 1
-/* prefix of the cookie that binds the state in the authorization
request/response to the browser */
-#define OIDC_STATE_COOKIE_PREFIX "mod_auth_openidc_state_"
-
/* default prefix for information passed in HTTP headers */
#define OIDC_DEFAULT_HEADER_PREFIX "OIDC_"
@@ -715,6 +712,7 @@
apr_array_header_t *oidc_dir_cfg_pass_cookies(request_rec *r);
apr_array_header_t *oidc_dir_cfg_strip_cookies(request_rec *r);
int oidc_dir_cfg_unauth_action(request_rec *r);
+apr_byte_t oidc_dir_cfg_unauth_expr_is_set(request_rec *r);
int oidc_dir_cfg_unautz_action(request_rec *r);
char *oidc_dir_cfg_path_auth_request_params(request_rec *r);
char *oidc_dir_cfg_path_scope(request_rec *r);
@@ -726,6 +724,7 @@
int oidc_cfg_max_number_of_state_cookies(oidc_cfg *cfg);
int oidc_cfg_dir_refresh_access_token_before_expiry(request_rec *r);
int oidc_cfg_dir_logout_on_error_refresh(request_rec *r);
+char *oidc_cfg_dir_state_cookie_prefix(request_rec *r);
int oidc_cfg_delete_oldest_state_cookies(oidc_cfg *cfg);
void oidc_cfg_provider_init(oidc_provider_t *provider);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.3/src/proto.c
new/mod_auth_openidc-2.4.4/src/proto.c
--- old/mod_auth_openidc-2.4.3/src/proto.c 2020-06-10 18:14:24.000000000
+0200
+++ new/mod_auth_openidc-2.4.4/src/proto.c 2020-09-01 12:17:38.000000000
+0200
@@ -2311,7 +2311,7 @@
apr_table_t *params = apr_table_make(r->pool, 4);
apr_table_setn(params, OIDC_PROTO_ACCESS_TOKEN, access_token);
if (oidc_util_http_post_form(r,
provider->userinfo_endpoint_url, params,
- NULL, access_token,
provider->ssl_validate_server, response,
+ NULL, NULL, provider->ssl_validate_server,
response,
cfg->http_timeout_long, cfg->outgoing_proxy,
oidc_dir_cfg_pass_cookies(r), NULL, NULL) ==
FALSE)
return FALSE;
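Review bot: The reason for replacing `access_token` with `NULL` in the fifth argument to oidc_util_http_post_form is not recorded anywhere in the hunk. If that argument is the bearer token (as the neighbouring `NULL` for basic auth suggests), the userinfo request now carries the token only as the OIDC_PROTO_ACCESS_TOKEN form parameter and no longer as an Authorization header; that is an observable protocol change and deserves a comment at the call, e.g. `/* access token is sent as a form parameter only, not as a Bearer header */`. The enclosing function starts and ends outside the hunk.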
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.3/src/session.c
new/mod_auth_openidc-2.4.4/src/session.c
--- old/mod_auth_openidc-2.4.3/src/session.c 2020-06-10 18:14:24.000000000
+0200
+++ new/mod_auth_openidc-2.4.4/src/session.c 2020-09-01 12:17:38.000000000
+0200
@@ -118,7 +118,7 @@
* clear contents of a session
*/
static void oidc_session_clear(request_rec *r, oidc_session_t *z) {
- strncpy(z->uuid, "", strlen(""));
+ z->uuid[0] = '\0';
z->remote_user = NULL;
// NB: don't clear sid
z->expiry = 0;
@@ -138,7 +138,8 @@
if ((rc == TRUE) && (s_json != NULL)) {
rc = oidc_session_decode(r, c, z, s_json, FALSE);
if (rc == TRUE) {
- strncpy(z->uuid, uuid, strlen(uuid));
+ strncpy(z->uuid, uuid, APR_UUID_FORMATTED_LENGTH);
+ z->uuid[APR_UUID_FORMATTED_LENGTH] = '\0';
/* compare the session id in the cache value so it
allows us to detect cache corruption */
oidc_session_get(r, z, OIDC_SESSION_SESSION_ID,
&stored_uuid);
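Review bot: The two-line copy-and-terminate can be a single `apr_cpystrn(z->uuid, uuid, APR_UUID_FORMATTED_LENGTH + 1);`, which bounds the copy and always NUL-terminates, and unlike strncpy does not zero-pad the remainder of the buffer. Either form relies on z->uuid being at least APR_UUID_FORMATTED_LENGTH + 1 bytes; the struct definition is not in this diff, so a comment at the copy, `/* z->uuid holds APR_UUID_FORMATTED_LENGTH + 1 bytes */`, would make the bound visible where it matters. The enclosing function starts and ends outside the hunk.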
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.3/src/util.c
new/mod_auth_openidc-2.4.4/src/util.c
--- old/mod_auth_openidc-2.4.3/src/util.c 2020-06-10 18:14:24.000000000
+0200
+++ new/mod_auth_openidc-2.4.4/src/util.c 2020-09-01 12:17:38.000000000
+0200
@@ -1562,9 +1562,12 @@
const char *content_type = NULL;
content_type = oidc_util_hdr_in_content_type_get(r);
- if ((r->method_number != M_POST) || (apr_strnatcmp(content_type,
- OIDC_CONTENT_TYPE_FORM_ENCODED) != 0))
+ if ((r->method_number != M_POST) || (strstr(content_type,
+ OIDC_CONTENT_TYPE_FORM_ENCODED) != content_type)) {
+ oidc_debug(r, "required content-type %s not found",
+ OIDC_CONTENT_TYPE_FORM_ENCODED);
goto end;
+ }
if (oidc_util_read(r, &data) != TRUE)
goto end;
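Review bot: `strstr(content_type, ...)` is called without checking content_type for NULL; if oidc_util_hdr_in_content_type_get returns NULL for a POST with no Content-Type header (as a table lookup would), this dereferences NULL, and the old apr_strnatcmp call had the same weakness. A guard keeps the request from reaching the body read at all: `if ((r->method_number != M_POST) || (content_type == NULL) || (strncmp(content_type, OIDC_CONTENT_TYPE_FORM_ENCODED, strlen(OIDC_CONTENT_TYPE_FORM_ENCODED)) != 0)) {`. The strncmp form also says "prefix match" directly, which is presumably the intent of switching from an exact compare (so that `; charset=...` parameters are accepted); a comment to that effect would help. The enclosing function starts and ends outside the hunk.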
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.3/test/stub.c
new/mod_auth_openidc-2.4.4/test/stub.c
--- old/mod_auth_openidc-2.4.3/test/stub.c 2020-06-10 18:14:24.000000000
+0200
+++ new/mod_auth_openidc-2.4.4/test/stub.c 2020-09-01 12:17:38.000000000
+0200
@@ -167,6 +167,7 @@
return 0;
}
+#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
AP_DECLARE(ap_expr_info_t *) ap_expr_parse_cmd_mi(const cmd_parms *cmd, const
char *expr,
unsigned int flags, const char **err, ap_expr_lookup_fn_t
*lookup_fn,
int module_index) {
@@ -179,7 +180,6 @@
return expr->filename;
}
-#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
AP_DECLARE(void) ap_log_error_(const char *file, int line, int module_index,
int level, apr_status_t status, const server_rec *s, const char
*fmt,
...) {
@@ -297,3 +297,9 @@
ap_filter_type ftype) {
return NULL;
}
+
+ AP_DECLARE(int) ap_expr_exec(request_rec *r, const
ap_expr_info_t *expr,
+ const char **err) {
+ return 0;
+ }
+
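Review bot: The added ap_expr_exec stub is indented one level deeper than every other stub in this file (compare ap_expr_parse_cmd_mi above) and should sit at column 0 like them. The first hunk of this file moved ap_expr_parse_cmd_mi under `#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714`; ap_expr_exec belongs to the same ap_expr API, so if the matching `#endif` closes before line 297 this stub presumably needs the same guard to build against older httpd headers. A one-line comment on the return value would also help test readers: `/* stub: every expression evaluates to false */`.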
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mod_auth_openidc-2.4.3/test/test.c
new/mod_auth_openidc-2.4.4/test/test.c
--- old/mod_auth_openidc-2.4.3/test/test.c 2020-06-10 18:14:24.000000000
+0200
+++ new/mod_auth_openidc-2.4.4/test/test.c 2020-09-01 12:17:38.000000000
+0200
@@ -67,7 +67,7 @@
extern module AP_MODULE_DECLARE_DATA auth_openidc_module;
static int test_nr_run = 0;
-static char TST_ERR_MSG[512];
+static char TST_ERR_MSG[4096];
static int TST_RC;
#define TST_FORMAT(fmt) \