Restoring...
\n" " \n"; return oidc_util_html_send(r, "Restoring...", java_script, "postOnLoad", html_body, DONE); } /* * redirect the browser to the session logout endpoint */ static int oidc_session_redirect_parent_window_to_logout(request_rec *r, oidc_cfg *c) { oidc_debug(r, "enter"); char *java_script = apr_psprintf(r->pool, " \n", c->redirect_uri); return oidc_util_html_send(r, "Redirecting...", java_script, NULL, NULL, DONE); } /* * handle an error returned by the OP */ static int oidc_authorization_response_error(request_rec *r, oidc_cfg *c, json_t *proto_state, const char *error, const char *error_description) { const char *prompt = json_object_get(proto_state, "prompt") ? apr_pstrdup(r->pool, json_string_value( json_object_get(proto_state, "prompt"))) : NULL; json_decref(proto_state); if ((prompt != NULL) && (apr_strnatcmp(prompt, "none") == 0)) { return oidc_session_redirect_parent_window_to_logout(r, c); } return oidc_util_html_send_error(r, apr_psprintf(r->pool, "The OpenID Connect Provider returned an error: %s", error), error_description, DONE); } /* * store the access token expiry timestamp in the session, based on the expires_in */ static void oidc_store_access_token_expiry(request_rec *r, session_rec *session, int expires_in) { if (expires_in != -1) { oidc_session_set(r, session, OIDC_ACCESSTOKEN_EXPIRES_SESSION_KEY, apr_psprintf(r->pool, "%" APR_TIME_T_FMT, apr_time_sec(apr_time_now()) + expires_in)); } } /* * set the unique user identifier that will be propagated in the Apache r->user and REMOTE_USER variables */ static apr_byte_t oidc_get_remote_user(request_rec *r, oidc_cfg *c, oidc_provider_t *provider, apr_jwt_t *jwt, char **user) { char *issuer = provider->issuer; char *claim_name = apr_pstrdup(r->pool, c->remote_user_claim.claim_name); int n = strlen(claim_name); int post_fix_with_issuer = (claim_name[n - 1] == '@'); if (post_fix_with_issuer) { claim_name[n - 1] = '\0'; issuer = (strstr(issuer, "https://") == NULL) ? apr_pstrdup(r->pool, issuer) : apr_pstrdup(r->pool, issuer + strlen("https://")); } /* extract the username claim (default: "sub") from the id_token payload */ char *username = NULL; if (apr_jwt_get_string(r->pool, jwt->payload.value.json, claim_name, TRUE, &username, NULL) == FALSE) { oidc_error(r, "OIDCRemoteUserClaim is set to \"%s\", but the id_token JSON payload did not contain a \"%s\" string", c->remote_user_claim.claim_name, claim_name); *user = NULL; return FALSE; } /* set the unique username in the session (will propagate to r->user/REMOTE_USER) */ *user = post_fix_with_issuer ? apr_psprintf(r->pool, "%s@%s", username, issuer) : apr_pstrdup(r->pool, username); if (c->remote_user_claim.reg_exp != NULL) { char *error_str = NULL; if (oidc_util_regexp_first_match(r->pool, *user, c->remote_user_claim.reg_exp, user, &error_str) == FALSE) { oidc_error(r, "oidc_util_regexp_first_match failed: %s", error_str); *user = NULL; return FALSE; } } oidc_debug(r, "set user to \"%s\"", *user); return TRUE; } /* * store resolved information in the session */ static void oidc_save_in_session(request_rec *r, oidc_cfg *c, session_rec *session, oidc_provider_t *provider, const char *remoteUser, const char *id_token, apr_jwt_t *id_token_jwt, const char *claims, const char *access_token, const int expires_in, const char *refresh_token, const char *session_state, const char *state, const char *original_url) { /* store the user in the session */ session->remote_user = remoteUser; /* set the session expiry to the inactivity timeout */ session->expiry = apr_time_now() + apr_time_from_sec(c->session_inactivity_timeout); /* store the claims payload in the id_token for later reference */ oidc_session_set(r, session, OIDC_IDTOKEN_CLAIMS_SESSION_KEY, id_token_jwt->payload.value.str); /* store the compact serialized representation of the id_token for later reference */ oidc_session_set(r, session, OIDC_IDTOKEN_SESSION_KEY, id_token); /* store the issuer in the session (at least needed for session mgmt and token refresh */ oidc_session_set(r, session, OIDC_ISSUER_SESSION_KEY, provider->issuer); /* store the state and original URL in the session for handling browser-back more elegantly */ oidc_session_set(r, session, OIDC_REQUEST_STATE_SESSION_KEY, state); oidc_session_set(r, session, OIDC_REQUEST_ORIGINAL_URL, original_url); if ((session_state != NULL) && (provider->check_session_iframe != NULL)) { /* store the session state and required parameters session management */ oidc_session_set(r, session, OIDC_SESSION_STATE_SESSION_KEY, session_state); oidc_session_set(r, session, OIDC_CHECK_IFRAME_SESSION_KEY, provider->check_session_iframe); oidc_session_set(r, session, OIDC_CLIENTID_SESSION_KEY, provider->client_id); } if (provider->end_session_endpoint != NULL) oidc_session_set(r, session, OIDC_LOGOUT_ENDPOINT_SESSION_KEY, provider->end_session_endpoint); /* see if we've resolved any claims */ if (claims != NULL) { /* * Successfully decoded a set claims from the response so we can store them * (well actually the stringified representation in the response) * in the session context safely now */ oidc_session_set(r, session, OIDC_CLAIMS_SESSION_KEY, claims); } /* see if we have an access_token */ if (access_token != NULL) { /* store the access_token in the session context */ oidc_session_set(r, session, OIDC_ACCESSTOKEN_SESSION_KEY, access_token); /* store the associated expires_in value */ oidc_store_access_token_expiry(r, session, expires_in); } /* see if we have a refresh_token */ if (refresh_token != NULL) { /* store the refresh_token in the session context */ oidc_session_set(r, session, OIDC_REFRESHTOKEN_SESSION_KEY, refresh_token); } /* store max session duration in the session as a hard cut-off expiry timestamp */ apr_time_t session_expires = (provider->session_max_duration == 0) ? apr_time_from_sec(id_token_jwt->payload.exp) : (apr_time_now() + apr_time_from_sec(provider->session_max_duration)); oidc_session_set(r, session, OIDC_SESSION_EXPIRES_SESSION_KEY, apr_psprintf(r->pool, "%" APR_TIME_T_FMT, session_expires)); /* log message about max session duration */ oidc_log_session_expires(r, session_expires); /* store the session */ oidc_session_save(r, session); } /* * parse the expiry for the access token */ static int oidc_parse_expires_in(request_rec *r, const char *expires_in) { if (expires_in != NULL) { char *ptr = NULL; long number = strtol(expires_in, &ptr, 10); if (number <= 0) { oidc_warn(r, "could not convert \"expires_in\" value (%s) to a number", expires_in); return -1; } return number; } return -1; } /* * handle the different flows (hybrid, implicit, Authorization Code) */ static apr_byte_t oidc_handle_flows(request_rec *r, oidc_cfg *c, json_t *proto_state, oidc_provider_t *provider, apr_table_t *params, const char *response_mode, apr_jwt_t **jwt) { apr_byte_t rc = FALSE; const char *requested_response_type = json_string_value( json_object_get(proto_state, "response_type")); /* handle the requested response type/mode */ if (oidc_util_spaced_string_equals(r->pool, requested_response_type, "code id_token token")) { rc = oidc_proto_authorization_response_code_idtoken_token(r, c, proto_state, provider, params, response_mode, jwt); } else if (oidc_util_spaced_string_equals(r->pool, requested_response_type, "code id_token")) { rc = oidc_proto_authorization_response_code_idtoken(r, c, proto_state, provider, params, response_mode, jwt); } else if (oidc_util_spaced_string_equals(r->pool, requested_response_type, "code token")) { rc = oidc_proto_handle_authorization_response_code_token(r, c, proto_state, provider, params, response_mode, jwt); } else if (oidc_util_spaced_string_equals(r->pool, requested_response_type, "code")) { rc = oidc_proto_handle_authorization_response_code(r, c, proto_state, provider, params, response_mode, jwt); } else if (oidc_util_spaced_string_equals(r->pool, requested_response_type, "id_token token")) { rc = oidc_proto_handle_authorization_response_idtoken_token(r, c, proto_state, provider, params, response_mode, jwt); } else if (oidc_util_spaced_string_equals(r->pool, requested_response_type, "id_token")) { rc = oidc_proto_handle_authorization_response_idtoken(r, c, proto_state, provider, params, response_mode, jwt); } else { oidc_error(r, "unsupported response type: \"%s\"", requested_response_type); } if ((rc == FALSE) && (*jwt != NULL)) { apr_jwt_destroy(*jwt); *jwt = NULL; } return rc; } /* * resolves claims from the user info endpoint and returns the stringified response */ static const char *oidc_resolve_claims_from_user_info_endpoint(request_rec *r, oidc_cfg *c, oidc_provider_t *provider, apr_table_t *params) { const char *result = NULL; if (provider->userinfo_endpoint_url == NULL) { oidc_debug(r, "not resolving user info claims because userinfo_endpoint is not set"); } else if (apr_table_get(params, "access_token") == NULL) { oidc_debug(r, "not resolving user info claims because access_token is not provided"); } else if (oidc_proto_resolve_userinfo(r, c, provider, apr_table_get(params, "access_token"), &result) == FALSE) { oidc_debug(r, "resolving user info claims failed, nothing will be stored in the session"); result = NULL; } return result; } /* handle the browser back on an authorization response */ static apr_byte_t oidc_handle_browser_back(request_rec *r, const char *r_state, session_rec *session) { /* see if we have an existing session and browser-back was used */ const char *s_state = NULL, *o_url = NULL; if (session->remote_user != NULL) { oidc_session_get(r, session, OIDC_REQUEST_STATE_SESSION_KEY, &s_state); oidc_session_get(r, session, OIDC_REQUEST_ORIGINAL_URL, &o_url); if ((r_state != NULL) && (s_state != NULL) && (apr_strnatcmp(r_state, s_state) == 0)) { /* log the browser back event detection */ oidc_warn(r, "browser back detected, redirecting to original URL: %s", o_url); /* go back to the URL that he originally tried to access */ apr_table_add(r->headers_out, "Location", o_url); return TRUE; } } return FALSE; } /* * complete the handling of an authorization response by obtaining, parsing and verifying the * id_token and storing the authenticated user state in the session */ static int oidc_handle_authorization_response(request_rec *r, oidc_cfg *c, session_rec *session, apr_table_t *params, const char *response_mode) { oidc_debug(r, "enter, response_mode=%s", response_mode); oidc_provider_t *provider = NULL; json_t *proto_state = NULL; apr_jwt_t *jwt = NULL; /* see if this response came from a browser-back event */ if (oidc_handle_browser_back(r, apr_table_get(params, "state"), session) == TRUE) return HTTP_MOVED_TEMPORARILY; /* match the returned state parameter against the state stored in the browser */ if (oidc_authorization_response_match_state(r, c, apr_table_get(params, "state"), &provider, &proto_state) == FALSE) { if (c->default_sso_url != NULL) { oidc_warn(r, "invalid authorization response state; a default SSO URL is set, sending the user there: %s", c->default_sso_url); apr_table_add(r->headers_out, "Location", c->default_sso_url); return HTTP_MOVED_TEMPORARILY; } oidc_error(r, "invalid authorization response state and no default SSO URL is set, sending an error..."); return HTTP_INTERNAL_SERVER_ERROR; } /* see if the response is an error response */ if (apr_table_get(params, "error") != NULL) return oidc_authorization_response_error(r, c, proto_state, apr_table_get(params, "error"), apr_table_get(params, "error_description")); /* handle the code, implicit or hybrid flow */ if (oidc_handle_flows(r, c, proto_state, provider, params, response_mode, &jwt) == FALSE) return oidc_authorization_response_error(r, c, proto_state, "Error in handling response type.", NULL); if (jwt == NULL) { oidc_error(r, "no id_token was provided"); return oidc_authorization_response_error(r, c, proto_state, "No id_token was provided.", NULL); } int expires_in = oidc_parse_expires_in(r, apr_table_get(params, "expires_in")); /* * optionally resolve additional claims against the userinfo endpoint * parsed claims are not actually used here but need to be parsed anyway for error checking purposes */ const char *claims = oidc_resolve_claims_from_user_info_endpoint(r, c, provider, params); /* restore the original protected URL that the user was trying to access */ const char *original_url = apr_pstrdup(r->pool, json_string_value(json_object_get(proto_state, "original_url"))); const char *original_method = apr_pstrdup(r->pool, json_string_value(json_object_get(proto_state, "original_method"))); /* set the user */ if (oidc_get_remote_user(r, c, provider, jwt, &r->user) == TRUE) { /* session management: if the user in the new response is not equal to the old one, error out */ if ((json_object_get(proto_state, "prompt") != NULL) && (apr_strnatcmp( json_string_value( json_object_get(proto_state, "prompt")), "none") == 0)) { // TOOD: actually need to compare sub? (need to store it in the session separately then //const char *sub = NULL; //oidc_session_get(r, session, "sub", &sub); //if (apr_strnatcmp(sub, jwt->payload.sub) != 0) { if (apr_strnatcmp(session->remote_user, r->user) != 0) { oidc_warn(r, "user set from new id_token is different from current one"); apr_jwt_destroy(jwt); return oidc_authorization_response_error(r, c, proto_state, "User changed!", NULL); } } /* store resolved information in the session */ oidc_save_in_session(r, c, session, provider, r->user, apr_table_get(params, "id_token"), jwt, claims, apr_table_get(params, "access_token"), expires_in, apr_table_get(params, "refresh_token"), apr_table_get(params, "session_state"), apr_table_get(params, "state"), original_url); } else { oidc_error(r, "remote user could not be set"); return oidc_authorization_response_error(r, c, proto_state, "Remote user could not be set: contact the website administrator", NULL); } /* cleanup */ json_decref(proto_state); apr_jwt_destroy(jwt); /* check that we've actually authenticated a user; functions as error handling for oidc_get_remote_user */ if (r->user == NULL) return HTTP_UNAUTHORIZED; /* check whether form post data was preserved; if so restore it */ if (apr_strnatcmp(original_method, "form_post") == 0) { return oidc_restore_preserved_post(r, original_url); } /* log the successful response */ oidc_debug(r, "session created and stored, redirecting to original URL: %s", original_url); /* now we've authenticated the user so go back to the URL that he originally tried to access */ apr_table_add(r->headers_out, "Location", original_url); /* do the actual redirect to the original URL */ return HTTP_MOVED_TEMPORARILY; } /* * handle an OpenID Connect Authorization Response using the POST (+fragment->POST) response_mode */ static int oidc_handle_post_authorization_response(request_rec *r, oidc_cfg *c, session_rec *session) { oidc_debug(r, "enter"); /* initialize local variables */ char *response_mode = NULL; /* read the parameters that are POST-ed to us */ apr_table_t *params = apr_table_make(r->pool, 8); if (oidc_util_read_post_params(r, params) == FALSE) { oidc_error(r, "something went wrong when reading the POST parameters"); return HTTP_INTERNAL_SERVER_ERROR; } /* see if we've got any POST-ed data at all */ if ((apr_table_elts(params)->nelts < 1) || ((apr_table_elts(params)->nelts == 1) && (apr_strnatcmp(apr_table_get(params, "response_mode"), "fragment") == 0))) { return oidc_util_html_send_error(r, "mod_auth_openidc", "You've hit an OpenID Connect Redirect URI with no parameters, this is an invalid request; you should not open this URL in your browser directly, or have the server administrator use a different OIDCRedirectURI setting.", HTTP_INTERNAL_SERVER_ERROR); } /* get the parameters */ response_mode = (char *) apr_table_get(params, "response_mode"); /* do the actual implicit work */ return oidc_handle_authorization_response(r, c, session, params, response_mode ? response_mode : "form_post"); } /* * handle an OpenID Connect Authorization Response using the redirect response_mode */ static int oidc_handle_redirect_authorization_response(request_rec *r, oidc_cfg *c, session_rec *session) { oidc_debug(r, "enter"); /* read the parameters from the query string */ apr_table_t *params = apr_table_make(r->pool, 8); oidc_util_read_form_encoded_params(r, params, r->args); /* do the actual work */ return oidc_handle_authorization_response(r, c, session, params, "query"); } /* * present the user with an OP selection screen */ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) { oidc_debug(r, "enter"); oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config, &auth_openidc_module); /* obtain the URL we're currently accessing, to be stored in the state/session */ char *current_url = oidc_get_current_url(r, cfg); /* generate CSRF token */ char *csrf = NULL; if (oidc_proto_generate_nonce(r, &csrf, 8) == FALSE) return HTTP_INTERNAL_SERVER_ERROR; /* see if there's an external discovery page configured */ if (dir_cfg->discover_url != NULL) { /* yes, assemble the parameters for external discovery */ char *url = apr_psprintf(r->pool, "%s%s%s=%s&%s=%s&%s=%s", dir_cfg->discover_url, strchr(dir_cfg->discover_url, '?') != NULL ? "&" : "?", OIDC_DISC_RT_PARAM, oidc_util_escape_string(r, current_url), OIDC_DISC_CB_PARAM, oidc_util_escape_string(r, cfg->redirect_uri), OIDC_CSRF_NAME, oidc_util_escape_string(r, csrf)); /* log what we're about to do */ oidc_debug(r, "redirecting to external discovery page: %s", url); /* set CSRF cookie */ oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1); /* do the actual redirect to an external discovery page */ apr_table_add(r->headers_out, "Location", url); return HTTP_MOVED_TEMPORARILY; } /* get a list of all providers configured in the metadata directory */ apr_array_header_t *arr = NULL; if (oidc_metadata_list(r, cfg, &arr) == FALSE) return oidc_util_html_send_error(r, "mod_auth_openidc", "No configured providers found, contact your administrator", HTTP_UNAUTHORIZED); /* assemble a where-are-you-from IDP discovery HTML page */ const char *s = "Logged Out
", DONE); } /* see if we don't need to go somewhere special after killing the session locally */ if (url == NULL) return oidc_util_html_send(r, "Logged Out", NULL, NULL, "Logged Out
", DONE); /* send the user to the specified where-to-go-after-logout URL */ apr_table_add(r->headers_out, "Location", url); return HTTP_MOVED_TEMPORARILY; } /* * perform (single) logout */ static int oidc_handle_logout(request_rec *r, oidc_cfg *c, session_rec *session) { /* pickup the command or URL where the user wants to go after logout */ char *url = NULL; oidc_util_get_request_parameter(r, "logout", &url); oidc_debug(r, "enter (url=%s)", url); if (oidc_is_get_style_logout(url)) { return oidc_handle_logout_request(r, c, session, url); } if ((url == NULL) || (apr_strnatcmp(url, "") == 0)) { url = c->default_slo_url; } else { /* do input validation on the logout parameter value */ const char *error_description = NULL; apr_uri_t uri; if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) { const char *error_description = apr_psprintf(r->pool, "Logout URL malformed: %s", url); oidc_error(r, "%s", error_description); return oidc_util_html_send_error(r, url, error_description, HTTP_INTERNAL_SERVER_ERROR); } if ((strstr(r->hostname, uri.hostname) == NULL) || (strstr(uri.hostname, r->hostname) == NULL)) { error_description = apr_psprintf(r->pool, "logout value \"%s\" does not match the hostname of the current request \"%s\"", apr_uri_unparse(r->pool, &uri, 0), r->hostname); oidc_error(r, "%s", error_description); return oidc_util_html_send_error(r, url, error_description, HTTP_INTERNAL_SERVER_ERROR); } /* validate the URL to prevent HTTP header splitting */ if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) { error_description = apr_psprintf(r->pool, "logout value \"%s\" contains illegal \"\n\" or \"\r\" character(s)", url); oidc_error(r, "%s", error_description); return oidc_util_html_send_error(r, url, error_description, HTTP_INTERNAL_SERVER_ERROR); } } const char *end_session_endpoint = NULL; oidc_session_get(r, session, OIDC_LOGOUT_ENDPOINT_SESSION_KEY, &end_session_endpoint); if (end_session_endpoint != NULL) { const char *id_token_hint = NULL; oidc_session_get(r, session, OIDC_IDTOKEN_SESSION_KEY, &id_token_hint); char *logout_request = apr_psprintf(r->pool, "%s%s", end_session_endpoint, strchr(end_session_endpoint, '?') != NULL ? "&" : "?"); logout_request = apr_psprintf(r->pool, "%sid_token_hint=%s", logout_request, oidc_util_escape_string(r, id_token_hint)); if (url != NULL) { logout_request = apr_psprintf(r->pool, "%s&post_logout_redirect_uri=%s", logout_request, oidc_util_escape_string(r, url)); } url = logout_request; } return oidc_handle_logout_request(r, c, session, url); } /* * handle request for JWKs */ int oidc_handle_jwks(request_rec *r, oidc_cfg *c) { /* pickup requested JWKs type */ // char *jwks_type = NULL; // oidc_util_get_request_parameter(r, "jwks", &jwks_type); char *jwks = apr_pstrdup(r->pool, "{ \"keys\" : ["); apr_hash_index_t *hi = NULL; apr_byte_t first = TRUE; apr_jwt_error_t err; if (c->public_keys != NULL) { /* loop over the RSA public keys */ for (hi = apr_hash_first(r->pool, c->public_keys); hi; hi = apr_hash_next(hi)) { const char *s_kid = NULL; apr_jwk_t *jwk = NULL; char *s_json = NULL; apr_hash_this(hi, (const void**) &s_kid, NULL, (void**) &jwk); if (apr_jwk_to_json(r->pool, jwk, &s_json, &err) == TRUE) { jwks = apr_psprintf(r->pool, "%s%s %s ", jwks, first ? "" : ",", s_json); first = FALSE; } else { oidc_error(r, "could not convert RSA JWK to JSON using apr_jwk_to_json: %s", apr_jwt_e2s(r->pool, err)); } } } // TODO: send stuff if first == FALSE? jwks = apr_psprintf(r->pool, "%s ] }", jwks); return oidc_util_http_send(r, jwks, strlen(jwks), "application/json", DONE); } static int oidc_handle_session_management_iframe_op(request_rec *r, oidc_cfg *c, session_rec *session, const char *check_session_iframe) { oidc_debug(r, "enter"); if (check_session_iframe == NULL) { oidc_debug(r, "no check_session_iframe configured for current OP"); return DONE; } apr_table_add(r->headers_out, "Location", check_session_iframe); return HTTP_MOVED_TEMPORARILY; } static int oidc_handle_session_management_iframe_rp(request_rec *r, oidc_cfg *c, session_rec *session, const char *client_id, const char *check_session_iframe) { oidc_debug(r, "enter"); const char *java_script = " \n"; /* determine the origin for the check_session_iframe endpoint */ char *origin = apr_pstrdup(r->pool, check_session_iframe); apr_uri_t uri; apr_uri_parse(r->pool, check_session_iframe, &uri); char *p = strstr(origin, uri.path); *p = '\0'; /* the element identifier for the OP iframe */ const char *op_iframe_id = "openidc-op"; /* restore the OP session_state from the session */ const char *session_state = NULL; oidc_session_get(r, session, OIDC_SESSION_STATE_SESSION_KEY, &session_state); if (session_state == NULL) { oidc_warn(r, "no session_state found in the session; the OP does probably not support session management!?"); return DONE; } char *s_poll_interval = NULL; oidc_util_get_request_parameter(r, "poll", &s_poll_interval); if (s_poll_interval == NULL) s_poll_interval = "3000"; java_script = apr_psprintf(r->pool, java_script, origin, client_id, session_state, op_iframe_id, s_poll_interval, c->redirect_uri, c->redirect_uri); return oidc_util_html_send(r, NULL, java_script, "setTimer", NULL, DONE); } /* * handle session management request */ static int oidc_handle_session_management(request_rec *r, oidc_cfg *c, session_rec *session) { char *cmd = NULL; const char *issuer = NULL, *id_token_hint = NULL, *client_id = NULL, *check_session_iframe = NULL; oidc_provider_t *provider = NULL; /* get the command passed to the session management handler */ oidc_util_get_request_parameter(r, "session", &cmd); if (cmd == NULL) { oidc_error(r, "session management handler called with no command"); return HTTP_INTERNAL_SERVER_ERROR; } /* see if this is a local logout during session management */ if (apr_strnatcmp("logout", cmd) == 0) { oidc_debug(r, "[session=logout] calling oidc_handle_logout_request because of session mgmt local logout call."); return oidc_handle_logout_request(r, c, session, c->default_slo_url); } /* see if this is a request for the OP iframe */ if (apr_strnatcmp("iframe_op", cmd) == 0) { oidc_session_get(r, session, OIDC_CHECK_IFRAME_SESSION_KEY, &check_session_iframe); if (check_session_iframe != NULL) { return oidc_handle_session_management_iframe_op(r, c, session, check_session_iframe); } return DONE; } /* see if this is a request for the RP iframe */ if (apr_strnatcmp("iframe_rp", cmd) == 0) { oidc_session_get(r, session, OIDC_CLIENTID_SESSION_KEY, &client_id); oidc_session_get(r, session, OIDC_CHECK_IFRAME_SESSION_KEY, &check_session_iframe); if ((client_id != NULL) && (check_session_iframe != NULL)) { return oidc_handle_session_management_iframe_rp(r, c, session, client_id, check_session_iframe); } return DONE; } /* see if this is a request check the login state with the OP */ if (apr_strnatcmp("check", cmd) == 0) { oidc_session_get(r, session, OIDC_IDTOKEN_SESSION_KEY, &id_token_hint); oidc_session_get(r, session, OIDC_ISSUER_SESSION_KEY, &issuer); if (issuer != NULL) provider = oidc_get_provider_for_issuer(r, c, issuer, FALSE); if ((id_token_hint != NULL) && (provider != NULL)) { return oidc_authenticate_user(r, c, provider, apr_psprintf(r->pool, "%s?session=iframe_rp", c->redirect_uri), NULL, id_token_hint, "none", NULL); } oidc_debug(r, "[session=check] calling oidc_handle_logout_request because no session found."); return oidc_session_redirect_parent_window_to_logout(r, c); } /* handle failure in fallthrough */ oidc_error(r, "unknown command: %s", cmd); return HTTP_INTERNAL_SERVER_ERROR; } /* * handle refresh token request */ static int oidc_handle_refresh_token_request(request_rec *r, oidc_cfg *c, session_rec *session) { char *return_to = NULL; char *r_access_token = NULL; char *error_code = NULL; /* get the command passed to the session management handler */ oidc_util_get_request_parameter(r, "refresh", &return_to); oidc_util_get_request_parameter(r, "access_token", &r_access_token); /* check the input parameters */ if (return_to == NULL) { oidc_error(r, "refresh token request handler called with no URL to return to"); return HTTP_INTERNAL_SERVER_ERROR; } if (r_access_token == NULL) { oidc_error(r, "refresh token request handler called with no access_token parameter"); error_code = "no_access_token"; goto end; } char *s_access_token = NULL; oidc_session_get(r, session, OIDC_ACCESSTOKEN_SESSION_KEY, (const char **) &s_access_token); if (s_access_token == NULL) { oidc_error(r, "no existing access_token found in the session, nothing to refresh"); error_code = "no_access_token_exists"; goto end; } /* compare the access_token parameter used for XSRF protection */ if (apr_strnatcmp(s_access_token, r_access_token) != 0) { oidc_error(r, "access_token passed in refresh request does not match the one stored in the session"); error_code = "no_access_token_match"; goto end; } s_access_token = NULL; /* get the refresh token that was stored in the session */ const char *refresh_token = NULL; oidc_session_get(r, session, OIDC_REFRESHTOKEN_SESSION_KEY, &refresh_token); if (refresh_token == NULL) { oidc_warn(r, "refresh token request handler called but no refresh_token was found in the session"); error_code = "no_refresh_token_exists"; goto end; } /* get a handle to the provider configuration */ const char *issuer = NULL; oidc_provider_t *provider = NULL; oidc_session_get(r, session, OIDC_ISSUER_SESSION_KEY, &issuer); if (issuer == NULL) { oidc_error(r, "session corrupted: no issuer found in session"); error_code = "session_corruption"; goto end; } provider = oidc_get_provider_for_issuer(r, c, issuer, FALSE); if (provider == NULL) { oidc_error(r, "session corrupted: no provider found for issuer: %s", issuer); error_code = "session_corruption"; goto end; } /* elements returned in the refresh response */ char *s_id_token = NULL; int expires_in = -1; char *s_token_type = NULL; char *s_refresh_token = NULL; /* refresh the tokens by calling the token endpoint */ if (oidc_proto_refresh_request(r, c, provider, refresh_token, &s_id_token, &s_access_token, &s_token_type, &expires_in, &s_refresh_token) == FALSE) { oidc_error(r, "access_token could not be refreshed"); error_code = "refresh_failed"; goto end; } /* store the new access_token in the session and discard the old one */ oidc_session_set(r, session, OIDC_ACCESSTOKEN_SESSION_KEY, s_access_token); oidc_store_access_token_expiry(r, session, expires_in); /* if we have a new refresh token (rolling refresh), store it in the session and overwrite the old one */ if (s_refresh_token != NULL) oidc_session_set(r, session, OIDC_REFRESHTOKEN_SESSION_KEY, s_refresh_token); /* store the session */ oidc_session_save(r, session); end: /* pass optional error message to the return URL */ if (error_code != NULL) return_to = apr_psprintf(r->pool, "%s%serror_code=%s", return_to, strchr(return_to, '?') ? "&" : "?", oidc_util_escape_string(r, error_code)); /* add the redirect location header */ apr_table_add(r->headers_out, "Location", return_to); return HTTP_MOVED_TEMPORARILY; } /* * handle all requests to the redirect_uri */ int oidc_handle_redirect_uri_request(request_rec *r, oidc_cfg *c, session_rec *session) { if (oidc_proto_is_redirect_authorization_response(r, c)) { /* this is an authorization response from the OP using the Basic Client profile or a Hybrid flow*/ return oidc_handle_redirect_authorization_response(r, c, session); } else if (oidc_proto_is_post_authorization_response(r, c)) { /* this is an authorization response using the fragment(+POST) response_mode with the Implicit Client profile */ return oidc_handle_post_authorization_response(r, c, session); } else if (oidc_is_discovery_response(r, c)) { /* this is response from the OP discovery page */ return oidc_handle_discovery_response(r, c); } else if (oidc_util_request_has_parameter(r, "logout")) { /* handle logout */ return oidc_handle_logout(r, c, session); } else if (oidc_util_request_has_parameter(r, "jwks")) { /* handle JWKs request */ return oidc_handle_jwks(r, c); } else if (oidc_util_request_has_parameter(r, "session")) { /* handle session management request */ return oidc_handle_session_management(r, c, session); } else if (oidc_util_request_has_parameter(r, "refresh")) { /* handle refresh token request */ return oidc_handle_refresh_token_request(r, c, session); } else if ((r->args == NULL) || (apr_strnatcmp(r->args, "") == 0)) { /* this is a "bare" request to the redirect URI, indicating implicit flow using the fragment response_mode */ return oidc_proto_javascript_implicit(r, c); } /* this is not an authorization response or logout request */ /* check for "error" response */ if (oidc_util_request_has_parameter(r, "error")) { // char *error = NULL, *descr = NULL; // oidc_util_get_request_parameter(r, "error", &error); // oidc_util_get_request_parameter(r, "error_description", &descr); // // /* send user facing error to browser */ // return oidc_util_html_send_error(r, error, descr, DONE); oidc_handle_redirect_authorization_response(r, c, session); } /* something went wrong */ return oidc_util_html_send_error(r, "mod_auth_openidc", apr_psprintf(r->pool, "The OpenID Connect callback URL received an invalid request: %s", r->args), HTTP_INTERNAL_SERVER_ERROR); } /* * main routine: handle OpenID Connect authentication */ static int oidc_check_userid_openidc(request_rec *r, oidc_cfg *c) { /* check if this is a sub-request or an initial request */ if (ap_is_initial_req(r)) { /* load the session from the request state; this will be a new "empty" session if no state exists */ session_rec *session = NULL; oidc_session_load(r, &session); /* see if the initial request is to the redirect URI; this handles potential logout too */ if (oidc_util_request_matches_url(r, c->redirect_uri)) { /* handle request to the redirect_uri */ return oidc_handle_redirect_uri_request(r, c, session); /* initial request to non-redirect URI, check if we have an existing session */ } else if (session->remote_user != NULL) { /* set the user in the main request for further (incl. sub-request) processing */ r->user = (char *) session->remote_user; /* this is initial request and we already have a session */ return oidc_handle_existing_session(r, c, session); } /* * else: initial request, we have no session and it is not an authorization or * discovery response: just hit the default flow for unauthenticated users */ } else { /* not an initial request, try to recycle what we've already established in the main request */ if (r->main != NULL) r->user = r->main->user; else if (r->prev != NULL) r->user = r->prev->user; if (r->user != NULL) { /* this is a sub-request and we have a session (headers will have been scrubbed and set already) */ oidc_debug(r, "recycling user '%s' from initial request for sub-request", r->user); return OK; } /* * else: not initial request, but we could not find a session, so: * just hit the default flow for unauthenticated users */ } oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config, &auth_openidc_module); /* find out which action we need to take when encountering an unauthenticated request */ switch (dir_cfg->unauth_action) { case RETURN401: return HTTP_UNAUTHORIZED; case PASS: return OK; case AUTHENTICATE: break; } /* else: no session (regardless of whether it is main or sub-request), go and authenticate the user */ return oidc_authenticate_user(r, c, NULL, oidc_get_current_url(r, c), NULL, NULL, NULL, NULL); } /* * generic Apache authentication hook for this module: dispatches to OpenID Connect or OAuth 2.0 specific routines */ int oidc_check_user_id(request_rec *r) { oidc_cfg *c = ap_get_module_config(r->server->module_config, &auth_openidc_module); /* log some stuff about the incoming HTTP request */ oidc_debug(r, "incoming request: \"%s?%s\", ap_is_initial_req(r)=%d", r->parsed_uri.path, r->args, ap_is_initial_req(r)); /* see if any authentication has been defined at all */ if (ap_auth_type(r) == NULL) return DECLINED; /* see if we've configured OpenID Connect user authentication for this request */ if (apr_strnatcasecmp((const char *) ap_auth_type(r), "openid-connect") == 0) return oidc_check_userid_openidc(r, c); /* see if we've configured OAuth 2.0 access control for this request */ if (apr_strnatcasecmp((const char *) ap_auth_type(r), "oauth20") == 0) return oidc_oauth_check_userid(r, c); /* this is not for us but for some other handler */ return DECLINED; } /* * get the claims and id_token from request state */ static void oidc_authz_get_claims_and_idtoken(request_rec *r, json_t **claims, json_t **id_token) { const char *s_claims = oidc_request_state_get(r, OIDC_CLAIMS_SESSION_KEY); const char *s_id_token = oidc_request_state_get(r, OIDC_IDTOKEN_CLAIMS_SESSION_KEY); json_error_t json_error; if (s_claims != NULL) { *claims = json_loads(s_claims, 0, &json_error); if (*claims == NULL) { oidc_error(r, "could not restore claims from request state: %s", json_error.text); } } if (s_id_token != NULL) { *id_token = json_loads(s_id_token, 0, &json_error); if (*id_token == NULL) { oidc_error(r, "could not restore id_token from request state: %s", json_error.text); } } } #if MODULE_MAGIC_NUMBER_MAJOR >= 20100714 /* * generic Apache >=2.4 authorization hook for this module * handles both OpenID Connect or OAuth 2.0 in the same way, based on the claims stored in the session */ authz_status oidc_authz_checker(request_rec *r, const char *require_args, const void *parsed_require_args) { /* get the set of claims from the request state (they've been set in the authentication part earlier */ json_t *claims = NULL, *id_token = NULL; oidc_authz_get_claims_and_idtoken(r, &claims, &id_token); /* dispatch to the >=2.4 specific authz routine */ authz_status rc = oidc_authz_worker24(r, claims ? claims : id_token, require_args); /* cleanup */ if (claims) json_decref(claims); if (id_token) json_decref(id_token); return rc; } #else /* * generic Apache <2.4 authorization hook for this module * handles both OpenID Connect and OAuth 2.0 in the same way, based on the claims stored in the request context */ int oidc_auth_checker(request_rec *r) { /* get the set of claims from the request state (they've been set in the authentication part earlier */ json_t *claims = NULL, *id_token = NULL; oidc_authz_get_claims_and_idtoken(r, &claims, &id_token); /* get the Require statements */ const apr_array_header_t * const reqs_arr = ap_requires(r); /* see if we have any */ const require_line * const reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL; if (!reqs_arr) { oidc_debug(r, "no require statements found, so declining to perform authorization."); return DECLINED; } /* merge id_token claims (e.g. "iss") in to claims json object */ if (claims) oidc_util_json_merge(id_token, claims); /* dispatch to the <2.4 specific authz routine */ int rc = oidc_authz_worker(r, claims ? claims : id_token, reqs, reqs_arr->nelts); /* cleanup */ if (claims) json_decref(claims); if (id_token) json_decref(id_token); return rc; } #endif extern const command_rec oidc_config_cmds[]; module AP_MODULE_DECLARE_DATA auth_openidc_module = { STANDARD20_MODULE_STUFF, oidc_create_dir_config, oidc_merge_dir_config, oidc_create_server_config, oidc_merge_server_config, oidc_config_cmds, oidc_register_hooks }; �������������������������������������������������������������������������������������mod_auth_openidc-1.8.5/src/cache/file.c�������������������������������������������������������������0000644�0001750�0001750�00000034154�12532644156�020152� 0����������������������������������������������������������������������������������������������������ustar �zandbelt������������������������zandbelt���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. */ /*************************************************************************** * Copyright (C) 2013-2015 Ping Identity Corporation * All rights reserved. * * For further information please contact: * * Ping Identity Corporation * 1099 18th St Suite 2950 * Denver, CO 80202 * 303.468.2900 * http://www.pingidentity.com * * DISCLAIMER OF WARRANTIES: * * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING, * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT, * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE * USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE * WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * * caching using a file storage backend * * @Author: Hans Zandbelt - hzandbelt@pingidentity.com */ #includePreserving...
", DONE); } /* * send an OpenID Connect authorization request to the specified provider */ int oidc_proto_authorization_request(request_rec *r, struct oidc_provider_t *provider, const char *login_hint, const char *redirect_uri, const char *state, json_t *proto_state, const char *id_token_hint, const char *auth_request_params) { /* log some stuff */ char *s_value = json_dumps(proto_state, JSON_ENCODE_ANY); oidc_debug(r, "enter, issuer=%s, redirect_uri=%s, state=%s, proto_state=%s", provider->issuer, redirect_uri, state, s_value); free(s_value); /* assemble the full URL as the authorization request to the OP where we want to redirect to */ char *authorization_request = apr_psprintf(r->pool, "%s%s", provider->authorization_endpoint_url, strchr(provider->authorization_endpoint_url, '?') != NULL ? "&" : "?"); authorization_request = apr_psprintf(r->pool, "%sresponse_type=%s", authorization_request, oidc_util_escape_string(r, json_string_value( json_object_get(proto_state, "response_type")))); authorization_request = apr_psprintf(r->pool, "%s&scope=%s", authorization_request, oidc_util_escape_string(r, provider->scope)); authorization_request = apr_psprintf(r->pool, "%s&client_id=%s", authorization_request, oidc_util_escape_string(r, provider->client_id)); authorization_request = apr_psprintf(r->pool, "%s&state=%s", authorization_request, oidc_util_escape_string(r, state)); authorization_request = apr_psprintf(r->pool, "%s&redirect_uri=%s", authorization_request, oidc_util_escape_string(r, redirect_uri)); /* add the nonce if set */ if (json_object_get(proto_state, "nonce") != NULL) authorization_request = apr_psprintf(r->pool, "%s&nonce=%s", authorization_request, oidc_util_escape_string(r, json_string_value( json_object_get(proto_state, "nonce")))); /* add the response_mode if explicitly set */ if (json_object_get(proto_state, "response_mode") != NULL) authorization_request = apr_psprintf(r->pool, "%s&response_mode=%s", authorization_request, oidc_util_escape_string(r, json_string_value( json_object_get(proto_state, "response_mode")))); /* add the login_hint if provided */ if (login_hint != NULL) authorization_request = apr_psprintf(r->pool, "%s&login_hint=%s", authorization_request, oidc_util_escape_string(r, login_hint)); /* add the id_token_hint if provided */ if (id_token_hint != NULL) authorization_request = apr_psprintf(r->pool, "%s&id_token_hint=%s", authorization_request, oidc_util_escape_string(r, id_token_hint)); /* add the prompt setting if provided (e.g. "none" for no-GUI checks) */ if (json_object_get(proto_state, "prompt") != NULL) authorization_request = apr_psprintf(r->pool, "%s&prompt=%s", authorization_request, oidc_util_escape_string(r, json_string_value( json_object_get(proto_state, "prompt")))); /* add any statically configured custom authorization request parameters */ if (provider->auth_request_params != NULL) { authorization_request = apr_psprintf(r->pool, "%s&%s", authorization_request, provider->auth_request_params); } /* add any dynamically configured custom authorization request parameters */ if (auth_request_params != NULL) { authorization_request = apr_psprintf(r->pool, "%s&%s", authorization_request, auth_request_params); } /* preserve POSTed form parameters if enabled */ if (apr_strnatcmp( json_string_value(json_object_get(proto_state, "original_method")), "form_post") == 0) return oidc_proto_authorization_request_post_preserve(r, authorization_request); /* cleanup */ json_decref(proto_state); /* add the redirect location header */ apr_table_add(r->headers_out, "Location", authorization_request); /* some more logging */ oidc_debug(r, "adding outgoing header: Location: %s", authorization_request); /* and tell Apache to return an HTTP Redirect (302) message */ return HTTP_MOVED_TEMPORARILY; } /* * indicate whether the incoming HTTP POST request is an OpenID Connect Authorization Response */ apr_byte_t oidc_proto_is_post_authorization_response(request_rec *r, oidc_cfg *cfg) { /* prereq: this is a call to the configured redirect_uri; see if it is a POST */ return (r->method_number == M_POST); } /* * indicate whether the incoming HTTP GET request is an OpenID Connect Authorization Response */ apr_byte_t oidc_proto_is_redirect_authorization_response(request_rec *r, oidc_cfg *cfg) { /* prereq: this is a call to the configured redirect_uri; see if it is a GET with state and id_token or code parameters */ return ((r->method_number == M_GET) && oidc_util_request_has_parameter(r, "state") && (oidc_util_request_has_parameter(r, "id_token") || oidc_util_request_has_parameter(r, "code"))); } /* * generate a random value (nonce) to correlate request/response through browser state */ apr_byte_t oidc_proto_generate_nonce(request_rec *r, char **nonce, int len) { unsigned char *nonce_bytes = apr_pcalloc(r->pool, len); if (apr_generate_random_bytes(nonce_bytes, len) != APR_SUCCESS) { oidc_error(r, "apr_generate_random_bytes returned an error"); return FALSE; } if (oidc_base64url_encode(r, nonce, (const char *) nonce_bytes, len, TRUE) <= 0) { oidc_error(r, "oidc_base64url_encode returned an error"); return FALSE; } return TRUE; } /* * if a nonce was passed in the authorization request (and stored in the browser state), * check that it matches the nonce value in the id_token payload */ // non-static for test.c apr_byte_t oidc_proto_validate_nonce(request_rec *r, oidc_cfg *cfg, oidc_provider_t *provider, const char *nonce, apr_jwt_t *jwt) { apr_jwt_error_t err; /* see if we have this nonce cached already */ const char *replay = NULL; cfg->cache->get(r, OIDC_CACHE_SECTION_NONCE, nonce, &replay); if (replay != NULL) { oidc_error(r, "the nonce value (%s) passed in the browser state was found in the cache already; possible replay attack!?", nonce); return FALSE; } /* get the "nonce" value in the id_token payload */ char *j_nonce = NULL; if (apr_jwt_get_string(r->pool, jwt->payload.value.json, "nonce", TRUE, &j_nonce, &err) == FALSE) { oidc_error(r, "id_token JSON payload did not contain a \"nonce\" string: %s", apr_jwt_e2s(r->pool, err)); return FALSE; } /* see if the nonce in the id_token matches the one that we sent in the authorization request */ if (apr_strnatcmp(nonce, j_nonce) != 0) { oidc_error(r, "the nonce value (%s) in the id_token did not match the one stored in the browser session (%s)", j_nonce, nonce); return FALSE; } /* * nonce cache duration (replay prevention window) is the 2x the configured * slack on the timestamp (+-) for token issuance plus 10 seconds for safety */ apr_time_t nonce_cache_duration = apr_time_from_sec( provider->idtoken_iat_slack * 2 + 10); /* store it in the cache for the calculated duration */ cfg->cache->set(r, OIDC_CACHE_SECTION_NONCE, nonce, nonce, apr_time_now() + nonce_cache_duration); oidc_debug(r, "nonce \"%s\" validated successfully and is now cached for %" APR_TIME_T_FMT " seconds", nonce, apr_time_sec(nonce_cache_duration)); return TRUE; } /* * validate the "aud" and "azp" claims in the id_token payload */ static apr_byte_t oidc_proto_validate_aud_and_azp(request_rec *r, oidc_cfg *cfg, oidc_provider_t *provider, apr_jwt_payload_t *id_token_payload) { char *azp = NULL; apr_jwt_get_string(r->pool, id_token_payload->value.json, "azp", FALSE, &azp, NULL); /* * the "azp" claim is only needed when the id_token has a single audience value and that audience * is different than the authorized party; it MAY be included even when the authorized party is * the same as the sole audience. */ if ((azp != NULL) && (apr_strnatcmp(azp, provider->client_id) != 0)) { oidc_error(r, "the \"azp\" claim (%s) is present in the id_token, but is not equal to the configured client_id (%s)", azp, provider->client_id); return FALSE; } /* get the "aud" value from the JSON payload */ json_t *aud = json_object_get(id_token_payload->value.json, "aud"); if (aud != NULL) { /* check if it is a single-value */ if (json_is_string(aud)) { /* a single-valued audience must be equal to our client_id */ if (apr_strnatcmp(json_string_value(aud), provider->client_id) != 0) { oidc_error(r, "the configured client_id (%s) did not match the \"aud\" claim value (%s) in the id_token", provider->client_id, json_string_value(aud)); return FALSE; } /* check if this is a multi-valued audience */ } else if (json_is_array(aud)) { if ((json_array_size(aud) > 1) && (azp == NULL)) { oidc_debug(r, "the \"aud\" claim value in the id_token is an array with more than 1 element, but \"azp\" claim is not present (a SHOULD in the spec...)"); } if (oidc_util_json_array_has_value(r, aud, provider->client_id) == FALSE) { oidc_error(r, "our configured client_id (%s) could not be found in the array of values for \"aud\" claim", provider->client_id); return FALSE; } } else { oidc_error(r, "id_token JSON payload \"aud\" claim is not a string nor an array"); return FALSE; } } else { oidc_error(r, "id_token JSON payload did not contain an \"aud\" claim"); return FALSE; } return TRUE; } /* * validate "iat" claim in JWT */ static apr_byte_t oidc_proto_validate_iat(request_rec *r, apr_jwt_t *jwt, apr_byte_t is_mandatory, int slack) { /* get the current time */ apr_time_t now = apr_time_sec(apr_time_now()); /* sanity check for iat being set */ if (jwt->payload.iat == APR_JWT_CLAIM_TIME_EMPTY) { if (is_mandatory) { oidc_error(r, "JWT did not contain an \"iat\" number value"); return FALSE; } return TRUE; } /* check if this id_token has been issued just now +- slack (default 10 minutes) */ if ((now - slack) > jwt->payload.iat) { oidc_error(r, "\"iat\" validation failure (%ld): JWT was issued more than %d seconds ago", (long)jwt->payload.iat, slack); return FALSE; } if ((now + slack) < jwt->payload.iat) { oidc_error(r, "\"iat\" validation failure (%ld): JWT was issued more than %d seconds in the future", (long)jwt->payload.iat, slack); return FALSE; } return TRUE; } /* * validate "exp" claim in JWT */ static apr_byte_t oidc_proto_validate_exp(request_rec *r, apr_jwt_t *jwt, apr_byte_t is_mandatory) { /* get the current time */ apr_time_t now = apr_time_sec(apr_time_now()); /* sanity check for exp being set */ if (jwt->payload.exp == APR_JWT_CLAIM_TIME_EMPTY) { if (is_mandatory) { oidc_error(r, "JWT did not contain an \"exp\" number value"); return FALSE; } return TRUE; } /* see if now is beyond the JWT expiry timestamp */ if (now > jwt->payload.exp) { oidc_error(r, "\"exp\" validation failure (%ld): JWT expired %ld seconds ago", (long)jwt->payload.exp, (long)(now - jwt->payload.exp)); return FALSE; } return TRUE; } /* * validate a JSON Web token */ apr_byte_t oidc_proto_validate_jwt(request_rec *r, apr_jwt_t *jwt, const char *iss, apr_byte_t exp_is_mandatory, apr_byte_t iat_is_mandatory, int iat_slack) { if (iss != NULL) { /* issuer is set and must match */ if (jwt->payload.iss == NULL) { oidc_error(r, "JWT did not contain an \"iss\" string (requested value: %s)", iss); return FALSE; } /* check if the issuer matches the requested value */ if (oidc_util_issuer_match(iss, jwt->payload.iss) == FALSE) { oidc_error(r, "requested issuer (%s) does not match received \"iss\" value in id_token (%s)", iss, jwt->payload.iss); return FALSE; } } /* check exp */ if (oidc_proto_validate_exp(r, jwt, exp_is_mandatory) == FALSE) return FALSE; /* check iat */ if (oidc_proto_validate_iat(r, jwt, iat_is_mandatory, iat_slack) == FALSE) return FALSE; return TRUE; } /* * check whether the provided JWT is a valid id_token for the specified "provider" */ static apr_byte_t oidc_proto_validate_idtoken(request_rec *r, oidc_provider_t *provider, apr_jwt_t *jwt, const char *nonce) { oidc_cfg *cfg = ap_get_module_config(r->server->module_config, &auth_openidc_module); oidc_debug(r, "enter, jwt.header=\"%s\", jwt.payload=\%s\", nonce=%s", jwt->header.value.str, jwt->payload.value.str, nonce); /* if a nonce is not passed, we're doing a ("code") flow where the nonce is optional */ if (nonce != NULL) { /* if present, verify the nonce */ if (oidc_proto_validate_nonce(r, cfg, provider, nonce, jwt) == FALSE) return FALSE; } /* validate the ID Token JWT, requiring iss match, and valid exp + iat */ if (oidc_proto_validate_jwt(r, jwt, provider->issuer, TRUE, TRUE, provider->idtoken_iat_slack) == FALSE) return FALSE; /* check if the required-by-spec "sub" claim is present */ if (jwt->payload.sub == NULL) { oidc_error(r, "id_token JSON payload did not contain the required-by-spec \"sub\" string value"); return FALSE; } /* verify the "aud" and "azp" values */ if (oidc_proto_validate_aud_and_azp(r, cfg, provider, &jwt->payload) == FALSE) return FALSE; return TRUE; } /* * get the key from the JWKs that corresponds with the key specified in the header */ static apr_byte_t oidc_proto_get_key_from_jwks(request_rec *r, apr_jwt_t *jwt, json_t *j_jwks, apr_hash_t *result) { apr_byte_t rc = TRUE; apr_jwt_error_t err; char *x5t = NULL; apr_jwk_t *jwk = NULL; const char *key_type = apr_jwt_signature_to_jwk_type(r->pool, jwt); if (key_type == NULL) { oidc_error(r, "unsupported signing algorithm in JWT header: %s", jwt->header.alg); return FALSE; } apr_jwt_get_string(r->pool, jwt->header.value.json, "x5t", FALSE, &x5t, NULL); oidc_debug(r, "search for kid \"%s\" or thumbprint x5t \"%s\"", jwt->header.kid, x5t); /* get the "keys" JSON array from the JWKs object */ json_t *keys = json_object_get(j_jwks, "keys"); if ((keys == NULL) || !(json_is_array(keys))) { oidc_error(r, "\"keys\" array element is not a JSON array"); return FALSE; } int i; for (i = 0; i < json_array_size(keys); i++) { /* get the next element in the array */ json_t *elem = json_array_get(keys, i); /* check that it is a JSON object */ if (!json_is_object(elem)) { oidc_warn(r, "\"keys\" array element is not a JSON object, skipping"); continue; } /* get the key type and see if it is the type that we are looking for */ json_t *kty = json_object_get(elem, "kty"); if ((!json_is_string(kty)) || (strcmp(json_string_value(kty), key_type) != 0)) continue; /* see if we were looking for a specific kid, if not we'll include any key that matches the type */ if ((jwt->header.kid == NULL) && (x5t == NULL)) { oidc_debug(r, "no kid/x5t to match, include matching key type"); rc = apr_jwk_parse_json(r->pool, elem, &jwk, &err); if (rc == FALSE) oidc_error(r, "JWK parsing failed: %s", apr_jwt_e2s(r->pool, err)); else if (jwk->kid) apr_hash_set(result, jwk->kid, APR_HASH_KEY_STRING, jwk); else apr_hash_set(result, apr_psprintf(r->pool, "%d", i), APR_HASH_KEY_STRING, jwk); continue; } /* we are looking for a specific kid, get the kid from the current element */ json_t *ekid = json_object_get(elem, "kid"); if ((ekid != NULL) && json_is_string(ekid) && (jwt->header.kid != NULL)) { /* compare the requested kid against the current element */ if (apr_strnatcmp(jwt->header.kid, json_string_value(ekid)) == 0) { oidc_debug(r, "found matching kid: \"%s\"", jwt->header.kid); rc = apr_jwk_parse_json(r->pool, elem, &jwk, &err); if (rc == FALSE) oidc_error(r, "JWK parsing failed: %s", apr_jwt_e2s(r->pool, err)); else apr_hash_set(result, jwk->kid, APR_HASH_KEY_STRING, jwk); break; } } /* we are looking for a specific x5t, get the x5t from the current element */ json_t *ex5t = json_object_get(elem, "x5t"); if ((ex5t != NULL) && json_is_string(ex5t) && (x5t != NULL)) { /* compare the requested kid against the current element */ if (apr_strnatcmp(x5t, json_string_value(ex5t)) == 0) { oidc_debug(r, "found matching x5t: \"%s\"", x5t); rc = apr_jwk_parse_json(r->pool, elem, &jwk, &err); if (rc == FALSE) oidc_error(r, "JWK parsing failed: %s", apr_jwt_e2s(r->pool, err)); else apr_hash_set(result, x5t, APR_HASH_KEY_STRING, jwk); break; } } } return rc; } /* * get the keys from the (possibly cached) set of JWKs on the jwk_uri that corresponds with the key specified in the header */ apr_byte_t oidc_proto_get_keys_from_jwks_uri(request_rec *r, oidc_cfg *cfg, apr_jwt_t *jwt, const oidc_jwks_uri_t *jwks_uri, apr_hash_t *keys, apr_byte_t *force_refresh) { json_t *j_jwks = NULL; /* get the set of JSON Web Keys for this provider (possibly by downloading them from the specified provider->jwk_uri) */ oidc_metadata_jwks_get(r, cfg, jwks_uri, &j_jwks, force_refresh); if (j_jwks == NULL) { oidc_error(r, "could not %s JSON Web Keys", *force_refresh ? "refresh" : "get"); return FALSE; } /* * get the key corresponding to the kid from the header, referencing the key that * was used to sign this message (or get all keys in case no kid was set) * * we don't check the error return value because we'll treat "error" in the same * way as "key not found" i.e. by refreshing the keys from the JWKs URI if not * already done */ oidc_proto_get_key_from_jwks(r, jwt, j_jwks, keys); /* no need anymore for the parsed json_t contents, release the it */ json_decref(j_jwks); /* if we've got no keys and we did not do a fresh download, then the cache may be stale */ if ((apr_hash_count(keys) < 1) && (*force_refresh == FALSE)) { /* we did not get a key, but we have not refreshed the JWKs from the jwks_uri yet */ oidc_warn(r, "could not find a key in the cached JSON Web Keys, doing a forced refresh in case keys were rolled over"); /* get the set of JSON Web Keys forcing a fresh download from the specified JWKs URI */ *force_refresh = TRUE; return oidc_proto_get_keys_from_jwks_uri(r, cfg, jwt, jwks_uri, keys, force_refresh); } oidc_debug(r, "returning %d key(s) obtained from the (possibly cached) JWKs URI", apr_hash_count(keys)); return TRUE; } /* * verify the signature on a JWT using the dynamically obtained and statically configured keys */ apr_byte_t oidc_proto_jwt_verify(request_rec *r, oidc_cfg *cfg, apr_jwt_t *jwt, const oidc_jwks_uri_t *jwks_uri, apr_hash_t *static_keys) { apr_jwt_error_t err; apr_hash_t *dynamic_keys = apr_hash_make(r->pool); /* see if we've got a JWKs URI set for signature validation with dynamically obtained asymmetric keys */ if (jwks_uri->url == NULL) { oidc_debug(r, "\"jwks_uri\" is not set, signature validation will only be performed against statically configured keys"); /* the JWKs URI was provided, but let's see if it makes sense to pull down keys, i.e. if it is an asymmetric signature */ } else if (apr_jws_signature_is_hmac(r->pool, jwt)) { oidc_debug(r, "\"jwks_uri\" is set, but the JWT has a symmetric signature so we won't pull/use keys from there"); } else { apr_byte_t force_refresh = FALSE; /* get the key from the JWKs that corresponds with the key specified in the header */ if (oidc_proto_get_keys_from_jwks_uri(r, cfg, jwt, jwks_uri, dynamic_keys, &force_refresh) == FALSE) return FALSE; } /* do the actual JWS verification with the locally and remotely provided key material */ // TODO: now static keys "win" if the same `kid` was used in both local and remote key sets if (apr_jws_verify(r->pool, jwt, oidc_util_merge_key_sets(r->pool, static_keys, dynamic_keys), &err) == FALSE) { oidc_error(r, "JWT signature verification failed: %s", apr_jwt_e2s(r->pool, err)); return FALSE; } oidc_debug(r, "JWT signature verification with algorithm \"%s\" was successful", jwt->header.alg); return TRUE; } /* * check whether the provided string is a valid id_token and return its parsed contents */ apr_byte_t oidc_proto_parse_idtoken(request_rec *r, oidc_cfg *cfg, oidc_provider_t *provider, const char *id_token, const char *nonce, apr_jwt_t **jwt, apr_byte_t is_code_flow) { char buf[APR_RFC822_DATE_LEN + 1]; apr_jwt_error_t err; oidc_debug(r, "enter"); if (apr_jwt_parse(r->pool, id_token, jwt, oidc_util_merge_symmetric_key(r->pool, cfg->private_keys, provider->client_secret, "sha256"), &err) == FALSE) { oidc_error(r, "apr_jwt_parse failed for JWT with header \"%s\": %s", apr_jwt_header_to_string(r->pool, id_token, NULL), apr_jwt_e2s(r->pool, err)); apr_jwt_destroy(*jwt); *jwt = NULL; return FALSE; } oidc_debug(r, "successfully parsed (and possibly decrypted) JWT with header: \"%s\"", apr_jwt_header_to_string(r->pool, id_token, NULL)); // make signature validation exception for 'code' flow and the algorithm NONE if (is_code_flow == FALSE || strcmp((*jwt)->header.alg, "none") != 0) { oidc_jwks_uri_t jwks_uri = { provider->jwks_uri, provider->jwks_refresh_interval, provider->ssl_validate_server }; if (oidc_proto_jwt_verify(r, cfg, *jwt, &jwks_uri, oidc_util_merge_symmetric_key(r->pool, NULL, provider->client_secret, NULL)) == FALSE) { oidc_error(r, "id_token signature could not be validated, aborting"); apr_jwt_destroy(*jwt); *jwt = NULL; return FALSE; } } /* this is where the meat is */ if (oidc_proto_validate_idtoken(r, provider, *jwt, nonce) == FALSE) { oidc_error(r, "id_token payload could not be validated, aborting"); apr_jwt_destroy(*jwt); *jwt = NULL; return FALSE; } /* log our results */ apr_rfc822_date(buf, apr_time_from_sec((*jwt)->payload.exp)); oidc_debug(r, "valid id_token for user \"%s\" expires: [%s], in %ld secs from now)", (*jwt)->payload.sub, buf, (long)((*jwt)->payload.exp - apr_time_sec(apr_time_now()))); /* since we've made it so far, we may as well say it is a valid id_token */ return TRUE; } /* * check that the access_token type is supported */ static apr_byte_t oidc_proto_validate_token_type(request_rec *r, oidc_provider_t *provider, const char *token_type) { /* we only support bearer/Bearer */ if ((token_type != NULL) && (apr_strnatcasecmp(token_type, "Bearer") != 0) && (provider->userinfo_endpoint_url != NULL)) { oidc_error(r, "token_type is \"%s\" and UserInfo endpoint (%s) for issuer \"%s\" is set: can only deal with Bearer authentication against a UserInfo endpoint!", token_type, provider->userinfo_endpoint_url, provider->issuer); return FALSE; } return TRUE; } /* * send a code/refresh request to the token endpoint and return the parsed contents */ static apr_byte_t oidc_proto_token_endpoint_request(request_rec *r, oidc_cfg *cfg, oidc_provider_t *provider, apr_table_t *params, char **id_token, char **access_token, char **token_type, int *expires_in, char **refresh_token) { /* get a handle to the directory config */ oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config, &auth_openidc_module); const char *response = NULL; /* see if we need to do basic auth or auth-through-post-params (both applied through the HTTP POST method though) */ const char *basic_auth = NULL; if ((provider->token_endpoint_auth == NULL) || (apr_strnatcmp(provider->token_endpoint_auth, "client_secret_basic") == 0)) { basic_auth = apr_psprintf(r->pool, "%s:%s", provider->client_id, provider->client_secret); } else { apr_table_addn(params, "client_id", provider->client_id); apr_table_addn(params, "client_secret", provider->client_secret); } /* add any configured extra static parameters to the token endpoint */ oidc_util_table_add_query_encoded_params(r->pool, params, provider->token_endpoint_params); /* send the refresh request to the token endpoint */ if (oidc_util_http_post_form(r, provider->token_endpoint_url, params, basic_auth, NULL, provider->ssl_validate_server, &response, cfg->http_timeout_long, cfg->outgoing_proxy, dir_cfg->pass_cookies) == FALSE) { oidc_warn(r, "error when calling the token endpoint (%s)", provider->token_endpoint_url); return FALSE; } /* check for errors, the response itself will have been logged already */ json_t *result = NULL; if (oidc_util_decode_json_and_check_error(r, response, &result) == FALSE) return FALSE; /* get the id_token from the parsed response */ oidc_json_object_get_string(r->pool, result, "id_token", id_token, NULL); /* get the access_token from the parsed response */ oidc_json_object_get_string(r->pool, result, "access_token", access_token, NULL); /* get the token type from the parsed response */ oidc_json_object_get_string(r->pool, result, "token_type", token_type, NULL); /* check the new token type */ if (token_type != NULL) { if (oidc_proto_validate_token_type(r, provider, *token_type) == FALSE) { oidc_warn(r, "access token type did not validate, dropping it"); *access_token = NULL; } } /* get the expires_in value */ oidc_json_object_get_int(r->pool, result, "expires_in", expires_in, -1); /* get the refresh_token from the parsed response */ oidc_json_object_get_string(r->pool, result, "refresh_token", refresh_token, NULL); json_decref(result); return TRUE; } /* * resolves the code received from the OP in to an id_token, access_token and refresh_token */ apr_byte_t oidc_proto_resolve_code(request_rec *r, oidc_cfg *cfg, oidc_provider_t *provider, const char *code, char **id_token, char **access_token, char **token_type, int *expires_in, char **refresh_token) { oidc_debug(r, "enter"); /* assemble the parameters for a call to the token endpoint */ apr_table_t *params = apr_table_make(r->pool, 5); apr_table_addn(params, "grant_type", "authorization_code"); apr_table_addn(params, "code", code); apr_table_addn(params, "redirect_uri", cfg->redirect_uri); return oidc_proto_token_endpoint_request(r, cfg, provider, params, id_token, access_token, token_type, expires_in, refresh_token); } /* * refreshes the access_token/id_token /refresh_token received from the OP using the refresh_token */ apr_byte_t oidc_proto_refresh_request(request_rec *r, oidc_cfg *cfg, oidc_provider_t *provider, const char *rtoken, char **id_token, char **access_token, char **token_type, int *expires_in, char **refresh_token) { oidc_debug(r, "enter"); /* assemble the parameters for a call to the token endpoint */ apr_table_t *params = apr_table_make(r->pool, 5); apr_table_addn(params, "grant_type", "refresh_token"); apr_table_addn(params, "refresh_token", rtoken); apr_table_addn(params, "scope", provider->scope); return oidc_proto_token_endpoint_request(r, cfg, provider, params, id_token, access_token, token_type, expires_in, refresh_token); } /* * get claims from the OP UserInfo endpoint using the provided access_token */ apr_byte_t oidc_proto_resolve_userinfo(request_rec *r, oidc_cfg *cfg, oidc_provider_t *provider, const char *access_token, const char **response) { /* get a handle to the directory config */ oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config, &auth_openidc_module); oidc_debug(r, "enter, endpoint=%s, access_token=%s", provider->userinfo_endpoint_url, access_token); /* get the JSON response */ if (oidc_util_http_get(r, provider->userinfo_endpoint_url, NULL, NULL, access_token, provider->ssl_validate_server, response, cfg->http_timeout_long, cfg->outgoing_proxy, dir_cfg->pass_cookies) == FALSE) return FALSE; /* decode and check for an "error" response */ json_t *claims = NULL; if (oidc_util_decode_json_and_check_error(r, *response, &claims) == FALSE) return FALSE; json_decref(claims); return TRUE; } /* * based on an account name, perform OpenID Connect Provider Issuer Discovery to find out the issuer and obtain and store its metadata */ apr_byte_t oidc_proto_account_based_discovery(request_rec *r, oidc_cfg *cfg, const char *acct, char **issuer) { /* get a handle to the directory config */ oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config, &auth_openidc_module); // TODO: maybe show intermediate/progress screen "discovering..." oidc_debug(r, "enter, acct=%s", acct); const char *resource = apr_psprintf(r->pool, "acct:%s", acct); const char *domain = strrchr(acct, '@'); if (domain == NULL) { oidc_error(r, "invalid account name"); return FALSE; } domain++; const char *url = apr_psprintf(r->pool, "https://%s/.well-known/webfinger", domain); apr_table_t *params = apr_table_make(r->pool, 1); apr_table_addn(params, "resource", resource); apr_table_addn(params, "rel", "http://openid.net/specs/connect/1.0/issuer"); const char *response = NULL; if (oidc_util_http_get(r, url, params, NULL, NULL, cfg->provider.ssl_validate_server, &response, cfg->http_timeout_short, cfg->outgoing_proxy, dir_cfg->pass_cookies) == FALSE) { /* errors will have been logged by now */ return FALSE; } /* decode and see if it is not an error response somehow */ json_t *j_response = NULL; if (oidc_util_decode_json_and_check_error(r, response, &j_response) == FALSE) return FALSE; /* get the links parameter */ json_t *j_links = json_object_get(j_response, "links"); if ((j_links == NULL) || (!json_is_array(j_links))) { oidc_error(r, "response JSON object did not contain a \"links\" array"); json_decref(j_response); return FALSE; } /* get the one-and-only object in the "links" array */ json_t *j_object = json_array_get(j_links, 0); if ((j_object == NULL) || (!json_is_object(j_object))) { oidc_error(r, "response JSON object did not contain a JSON object as the first element in the \"links\" array"); json_decref(j_response); return FALSE; } /* get the href from that object, which is the issuer value */ json_t *j_href = json_object_get(j_object, "href"); if ((j_href == NULL) || (!json_is_string(j_href))) { oidc_error(r, "response JSON object did not contain a \"href\" element in the first \"links\" array object"); json_decref(j_response); return FALSE; } *issuer = apr_pstrdup(r->pool, json_string_value(j_href)); oidc_debug(r, "returning issuer \"%s\" for account \"%s\" after doing successful webfinger-based discovery", *issuer, acct); json_decref(j_response); return TRUE; } int oidc_proto_javascript_implicit(request_rec *r, oidc_cfg *c) { oidc_debug(r, "enter"); const char *java_script = " \n"; const char *html_body = "Submitting...
\n" " \n"; return oidc_util_html_send(r, "Submitting...", java_script, "postOnLoad", html_body, DONE); } /* * check a provided hash value (at_hash|c_hash) against a corresponding hash calculated for a specified value and algorithm */ static apr_byte_t oidc_proto_validate_hash(request_rec *r, const char *alg, const char *hash, const char *value, const char *type) { char *calc = NULL; unsigned int calc_len = 0; unsigned int hash_len = apr_jws_hash_length(alg) / 2; apr_jwt_error_t err; /* hash the provided access_token */ if (apr_jws_hash_string(r->pool, alg, value, &calc, &calc_len, &err) == FALSE) { oidc_error(r, "apr_jws_hash_string failed: %s", apr_jwt_e2s(r->pool, err)); return FALSE; } /* calculate the base64url-encoded value of the hash */ char *decoded = NULL; unsigned int decoded_len = oidc_base64url_decode(r, &decoded, hash); if (decoded_len <= 0) { oidc_error(r, "oidc_base64url_decode returned an error"); return FALSE; } oidc_debug(r, "hash_len=%d, decoded_len=%d, calc_len=%d", hash_len, decoded_len, calc_len); /* compare the calculated hash against the provided hash */ if ((decoded_len < hash_len) || (calc_len < hash_len) || (memcmp(decoded, calc, hash_len) != 0)) { oidc_error(r, "provided \"%s\" hash value (%s) does not match the calculated value", type, hash); return FALSE; } oidc_debug(r, "successfully validated the provided \"%s\" hash value (%s) against the calculated value", type, hash); return TRUE; } /* * check a hash value in the id_token against the corresponding hash calculated over a provided value */ static apr_byte_t oidc_proto_validate_hash_value(request_rec *r, oidc_provider_t *provider, apr_jwt_t *jwt, const char *response_type, const char *value, const char *key, apr_array_header_t *required_for_flows) { /* * get the hash value from the id_token */ char *hash = NULL; apr_jwt_get_string(r->pool, jwt->payload.value.json, key, FALSE, &hash, NULL); /* * check if the hash was present */ if (hash == NULL) { /* no hash..., now see if the flow required it */ int i; for (i = 0; i < required_for_flows->nelts; i++) { if (oidc_util_spaced_string_equals(r->pool, response_type, ((const char**) required_for_flows->elts)[i])) { oidc_warn(r, "flow is \"%s\", but no %s found in id_token", response_type, key); return FALSE; } } /* no hash but it was not required anyway */ return TRUE; } /* * we have a hash, validate it and return the result */ return oidc_proto_validate_hash(r, jwt->header.alg, hash, value, key); } /* * check the c_hash value in the id_token against the code */ apr_byte_t oidc_proto_validate_code(request_rec *r, oidc_provider_t *provider, apr_jwt_t *jwt, const char *response_type, const char *code) { apr_array_header_t *required_for_flows = apr_array_make(r->pool, 2, sizeof(const char*)); *(const char**) apr_array_push(required_for_flows) = "code id_token"; *(const char**) apr_array_push(required_for_flows) = "code id_token token"; if (oidc_proto_validate_hash_value(r, provider, jwt, response_type, code, "c_hash", required_for_flows) == FALSE) { oidc_error(r, "could not validate code against c_hash"); return FALSE; } return TRUE; } /* * check the at_hash value in the id_token against the access_token */ apr_byte_t oidc_proto_validate_access_token(request_rec *r, oidc_provider_t *provider, apr_jwt_t *jwt, const char *response_type, const char *access_token) { apr_array_header_t *required_for_flows = apr_array_make(r->pool, 2, sizeof(const char*)); *(const char**) apr_array_push(required_for_flows) = "id_token token"; *(const char**) apr_array_push(required_for_flows) = "code id_token token"; if (oidc_proto_validate_hash_value(r, provider, jwt, response_type, access_token, "at_hash", required_for_flows) == FALSE) { oidc_error(r, "could not validate access token against at_hash"); return FALSE; } return TRUE; } /* * return the supported flows */ apr_array_header_t *oidc_proto_supported_flows(apr_pool_t *pool) { apr_array_header_t *result = apr_array_make(pool, 6, sizeof(const char*)); *(const char**) apr_array_push(result) = "code"; *(const char**) apr_array_push(result) = "id_token"; *(const char**) apr_array_push(result) = "id_token token"; *(const char**) apr_array_push(result) = "code id_token"; *(const char**) apr_array_push(result) = "code token"; *(const char**) apr_array_push(result) = "code id_token token"; return result; } /* * check if a particular OpenID Connect flow is supported */ apr_byte_t oidc_proto_flow_is_supported(apr_pool_t *pool, const char *flow) { apr_array_header_t *flows = oidc_proto_supported_flows(pool); int i; for (i = 0; i < flows->nelts; i++) { if (oidc_util_spaced_string_equals(pool, flow, ((const char**) flows->elts)[i])) return TRUE; } return FALSE; } /* * check the required parameters for the various flows after resolving the authorization code */ static apr_byte_t oidc_proto_validate_code_response(request_rec *r, const char *response_type, char *id_token, char *access_token, char *token_type) { oidc_debug(r, "enter"); /* * check id_token parameter */ if (!oidc_util_spaced_string_contains(r->pool, response_type, "id_token")) { if (id_token == NULL) { oidc_error(r, "requested flow is \"%s\" but no \"id_token\" parameter found in the code response", response_type); return FALSE; } } else { if (id_token != NULL) { oidc_warn(r, "requested flow is \"%s\" but there is an \"id_token\" parameter in the code response that will be dropped", response_type); } } /* * check access_token parameter */ if (!oidc_util_spaced_string_contains(r->pool, response_type, "token")) { if (access_token == NULL) { oidc_error(r, "requested flow is \"%s\" but no \"access_token\" parameter found in the code response", response_type); return FALSE; } if (token_type == NULL) { oidc_error(r, "requested flow is \"%s\" but no \"token_type\" parameter found in the code response", response_type); return FALSE; } } else { if (access_token != NULL) { oidc_warn(r, "requested flow is \"%s\" but there is an \"access_token\" parameter in the code response that will be dropped", response_type); } if (token_type != NULL) { oidc_warn(r, "requested flow is \"%s\" but there is a \"token_type\" parameter in the code response that will be dropped", response_type); } } return TRUE; } /* * validate the response parameters provided by the OP against the requested response type */ static apr_byte_t oidc_proto_validate_response_type(request_rec *r, const char *requested_response_type, const char *code, const char *id_token, const char *access_token) { if (oidc_util_spaced_string_contains(r->pool, requested_response_type, "code")) { if (code == NULL) { oidc_error(r, "the requested response type was (%s) but the response does not contain a \"code\" parameter", requested_response_type); return FALSE; } } else if (code != NULL) { oidc_error(r, "the requested response type was (%s) but the response contains a \"code\" parameter", requested_response_type); return FALSE; } if (oidc_util_spaced_string_contains(r->pool, requested_response_type, "id_token")) { if (id_token == NULL) { oidc_error(r, "the requested response type was (%s) but the response does not contain an \"id_token\" parameter", requested_response_type); return FALSE; } } else if (id_token != NULL) { oidc_error(r, "the requested response type was (%s) but the response contains an \"id_token\" parameter", requested_response_type); return FALSE; } if (oidc_util_spaced_string_contains(r->pool, requested_response_type, "token")) { if (access_token == NULL) { oidc_error(r, "the requested response type was (%s) but the response does not contain an \"access_token\" parameter", requested_response_type); return FALSE; } } else if (access_token != NULL) { oidc_error(r, "the requested response type was (%s) but the response contains an \"access_token\" parameter", requested_response_type); return FALSE; } return TRUE; } /* * validate the response mode used by the OP against the requested response mode */ static apr_byte_t oidc_proto_validate_response_mode(request_rec *r, json_t *proto_state, const char *response_mode, const char *default_response_mode) { const char *requested_response_mode = json_object_get(proto_state, "response_mode") ? json_string_value( json_object_get(proto_state, "response_mode")) : default_response_mode; if (apr_strnatcmp(requested_response_mode, response_mode) != 0) { oidc_error(r, "requested response mode (%s) does not match the response mode used by the OP (%s)", requested_response_mode, response_mode); return FALSE; } return TRUE; } /* * helper function to validate both the response type and the response mode in a single function call */ static apr_byte_t oidc_proto_validate_response_type_and_response_mode( request_rec *r, const char *requested_response_type, apr_table_t *params, json_t *proto_state, const char *response_mode, const char *default_response_mode) { const char *code = apr_table_get(params, "code"); const char *id_token = apr_table_get(params, "id_token"); const char *access_token = apr_table_get(params, "access_token"); if (oidc_proto_validate_response_type(r, requested_response_type, code, id_token, access_token) == FALSE) return FALSE; if (oidc_proto_validate_response_mode(r, proto_state, response_mode, default_response_mode) == FALSE) return FALSE; return TRUE; } /* * parse and id_token and check the c_hash if the code is provided */ static apr_byte_t oidc_proto_parse_idtoken_and_validate_code(request_rec *r, oidc_cfg *c, json_t *proto_state, oidc_provider_t *provider, const char *response_type, apr_table_t *params, apr_jwt_t **jwt, apr_byte_t must_validate_code) { const char *code = apr_table_get(params, "code"); const char *id_token = apr_table_get(params, "id_token"); apr_byte_t is_code_flow = (oidc_util_spaced_string_contains(r->pool, response_type, "code") == TRUE) && (oidc_util_spaced_string_contains(r->pool, response_type, "id_token") == FALSE); json_t *nonce = json_object_get(proto_state, "nonce"); if (oidc_proto_parse_idtoken(r, c, provider, id_token, nonce ? json_string_value(nonce) : NULL, jwt, is_code_flow) == FALSE) return FALSE; if ((must_validate_code == TRUE) && (oidc_proto_validate_code(r, provider, *jwt, response_type, code) == FALSE)) return FALSE; return TRUE; } /* * resolve the code against the token endpoint and validate the response that is returned by the OP */ static apr_byte_t oidc_proto_resolve_code_and_validate_response(request_rec *r, oidc_cfg *c, oidc_provider_t *provider, const char *response_type, apr_table_t *params) { char *id_token = NULL; char *access_token = NULL; char *token_type = NULL; int expires_in = -1; char *refresh_token = NULL; if (oidc_proto_resolve_code(r, c, provider, apr_table_get(params, "code"), &id_token, &access_token, &token_type, &expires_in, &refresh_token) == FALSE) { oidc_error(r, "failed to resolve the code"); return FALSE; } if (oidc_proto_validate_code_response(r, response_type, id_token, access_token, token_type) == FALSE) { oidc_error(r, "code response validation failed"); return FALSE; } /* don't override parameters that may already have been (rightfully) set in the authorization response */ if ((apr_table_get(params, "id_token") == NULL) && (id_token != NULL)) { apr_table_set(params, "id_token", id_token); } if ((apr_table_get(params, "access_token") == NULL) && (access_token != NULL)) { apr_table_set(params, "access_token", access_token); if (token_type != NULL) apr_table_set(params, "token_type", token_type); if (expires_in != -1) apr_table_set(params, "expires_in", apr_psprintf(r->pool, "%d", expires_in)); } /* refresh token should not have been set before */ if (refresh_token != NULL) { apr_table_set(params, "refresh_token", refresh_token); } return TRUE; } /* * handle the "code id_token" response type */ apr_byte_t oidc_proto_authorization_response_code_idtoken(request_rec *r, oidc_cfg *c, json_t *proto_state, oidc_provider_t *provider, apr_table_t *params, const char *response_mode, apr_jwt_t **jwt) { oidc_debug(r, "enter"); static const char *response_type = "code id_token"; if (oidc_proto_validate_response_type_and_response_mode(r, response_type, params, proto_state, response_mode, "fragment") == FALSE) return FALSE; if (oidc_proto_parse_idtoken_and_validate_code(r, c, proto_state, provider, response_type, params, jwt, TRUE) == FALSE) return FALSE; /* clear parameters that should only be set from the token endpoint */ apr_table_unset(params, "access_token"); apr_table_unset(params, "token_type"); apr_table_unset(params, "expires_in"); apr_table_unset(params, "refresh_token"); if (oidc_proto_resolve_code_and_validate_response(r, c, provider, response_type, params) == FALSE) return FALSE; return TRUE; } /* * handle the "code token" response type */ apr_byte_t oidc_proto_handle_authorization_response_code_token(request_rec *r, oidc_cfg *c, json_t *proto_state, oidc_provider_t *provider, apr_table_t *params, const char *response_mode, apr_jwt_t **jwt) { oidc_debug(r, "enter"); static const char *response_type = "code token"; if (oidc_proto_validate_response_type_and_response_mode(r, response_type, params, proto_state, response_mode, "fragment") == FALSE) return FALSE; /* clear parameters that should only be set from the token endpoint */ apr_table_unset(params, "id_token"); apr_table_unset(params, "refresh_token"); if (oidc_proto_resolve_code_and_validate_response(r, c, provider, response_type, params) == FALSE) return FALSE; if (oidc_proto_parse_idtoken_and_validate_code(r, c, proto_state, provider, response_type, params, jwt, FALSE) == FALSE) return FALSE; return TRUE; } /* * handle the "code" response type */ apr_byte_t oidc_proto_handle_authorization_response_code(request_rec *r, oidc_cfg *c, json_t *proto_state, oidc_provider_t *provider, apr_table_t *params, const char *response_mode, apr_jwt_t **jwt) { oidc_debug(r, "enter"); static const char *response_type = "code"; if (oidc_proto_validate_response_type_and_response_mode(r, response_type, params, proto_state, response_mode, "query") == FALSE) return FALSE; /* clear parameters that should only be set from the token endpoint */ apr_table_unset(params, "access_token"); apr_table_unset(params, "token_type"); apr_table_unset(params, "expires_in"); apr_table_unset(params, "id_token"); apr_table_unset(params, "refresh_token"); if (oidc_proto_resolve_code_and_validate_response(r, c, provider, response_type, params) == FALSE) return FALSE; /* * in this flow it is actually optional to check the code token against the c_hash */ if (oidc_proto_parse_idtoken_and_validate_code(r, c, proto_state, provider, response_type, params, jwt, TRUE) == FALSE) return FALSE; /* * in this flow it is actually optional to check the access token against the at_hash */ if ((apr_table_get(params, "access_token") != NULL) && (oidc_proto_validate_access_token(r, provider, *jwt, response_type, apr_table_get(params, "access_token")) == FALSE)) return FALSE; return TRUE; } /* * helper function for implicit flows: shared code for "id_token token" and "id_token" */ static apr_byte_t oidc_proto_handle_implicit_flow(request_rec *r, oidc_cfg *c, const char *response_type, json_t *proto_state, oidc_provider_t *provider, apr_table_t *params, const char *response_mode, apr_jwt_t **jwt) { if (oidc_proto_validate_response_type_and_response_mode(r, response_type, params, proto_state, response_mode, "fragment") == FALSE) return FALSE; if (oidc_proto_parse_idtoken_and_validate_code(r, c, proto_state, provider, response_type, params, jwt, TRUE) == FALSE) return FALSE; return TRUE; } /* * handle the "code id_token token" response type */ apr_byte_t oidc_proto_authorization_response_code_idtoken_token(request_rec *r, oidc_cfg *c, json_t *proto_state, oidc_provider_t *provider, apr_table_t *params, const char *response_mode, apr_jwt_t **jwt) { oidc_debug(r, "enter"); static const char *response_type = "code id_token token"; if (oidc_proto_handle_implicit_flow(r, c, response_type, proto_state, provider, params, response_mode, jwt) == FALSE) return FALSE; if (oidc_proto_validate_access_token(r, provider, *jwt, response_type, apr_table_get(params, "access_token")) == FALSE) return FALSE; /* clear parameters that should only be set from the token endpoint */ apr_table_unset(params, "refresh_token"); if (oidc_proto_resolve_code_and_validate_response(r, c, provider, response_type, params) == FALSE) return FALSE; return TRUE; } /* * handle the "id_token token" response type */ apr_byte_t oidc_proto_handle_authorization_response_idtoken_token( request_rec *r, oidc_cfg *c, json_t *proto_state, oidc_provider_t *provider, apr_table_t *params, const char *response_mode, apr_jwt_t **jwt) { oidc_debug(r, "enter"); static const char *response_type = "id_token token"; if (oidc_proto_handle_implicit_flow(r, c, response_type, proto_state, provider, params, response_mode, jwt) == FALSE) return FALSE; if (oidc_proto_validate_access_token(r, provider, *jwt, response_type, apr_table_get(params, "access_token")) == FALSE) return FALSE; /* clear parameters that should not be part of this flow */ apr_table_unset(params, "refresh_token"); return TRUE; } /* * handle the "id_token" response type */ apr_byte_t oidc_proto_handle_authorization_response_idtoken(request_rec *r, oidc_cfg *c, json_t *proto_state, oidc_provider_t *provider, apr_table_t *params, const char *response_mode, apr_jwt_t **jwt) { oidc_debug(r, "enter"); static const char *response_type = "id_token"; if (oidc_proto_handle_implicit_flow(r, c, response_type, proto_state, provider, params, response_mode, jwt) == FALSE) return FALSE; /* clear parameters that should not be part of this flow */ apr_table_unset(params, "token_type"); apr_table_unset(params, "expires_in"); apr_table_unset(params, "refresh_token"); return TRUE; } ����������������������������������������������������������������������������������������mod_auth_openidc-1.8.5/src/crypto.c�����������������������������������������������������������������0000644�0001750�0001750�00000015567�12532644156�017517� 0����������������������������������������������������������������������������������������������������ustar �zandbelt������������������������zandbelt���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. */ /*************************************************************************** * Copyright (C) 2013-2015 Ping Identity Corporation * All rights reserved. * * For further information please contact: * * Ping Identity Corporation * 1099 18th St Suite 2950 * Denver, CO 80202 * 303.468.2900 * http://www.pingidentity.com * * DISCLAIMER OF WARRANTIES: * * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING, * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT, * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE * USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE * WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * * based on http://saju.net.in/code/misc/openssl_aes.c.txt * * @Author: Hans Zandbelt - hzandbelt@pingidentity.com */ #include