2.4.15rc6: add iat and exp claims to request object; closes #1137
thanks @pasqualebarbaromind

Signed-off-by: Hans Zandbelt <[email protected]>
zandbelt committed Nov 23, 2023
1 parent e8d5adc commit 474a78c
Showing 5 changed files with 24 additions and 11 deletions.
4 changes: 4 additions & 0 deletions ChangeLog
@@ -1,3 +1,7 @@
11/23/2023
- add iat and exp claims to request object; closes #1137
- bump to 2.4.15rc6

11/22/2023
- populate User-Agent header in outgoing HTTP requests with mod_auth_openidc, libcurl and OpenSSL
version information and log it for debugging purposes
2 changes: 2 additions & 0 deletions auth_openidc.conf
Expand Up @@ -976,6 +976,8 @@
# copy_from_request (array) : array of query parameter names copied from request
# copy_and_remove_from_request (array) : array of parameter names copied from request and removed as query parameter
# static (object) : parameter value is merged to the request object
# ttl (number) : number of seconds before the request object expires (default is 30 seconds)
# translates to the `exp` claim in the request object
# crypto (object) : defines cryptography used to create request object
# sign_alg (string) : algorithm used to sign request object (JWS alg parameter)
# crypt_alg (string) : algorithm used to encrypt CEK of request object (JWE alg parameter)
2 changes: 1 addition & 1 deletion configure.ac
@@ -1,4 +1,4 @@
AC_INIT([mod_auth_openidc],[2.4.15rc5],[[email protected]])
AC_INIT([mod_auth_openidc],[2.4.15rc6],[[email protected]])

AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())

2 changes: 0 additions & 2 deletions src/mod_auth_openidc.h
Expand Up @@ -245,8 +245,6 @@ APLOG_USE_MODULE(auth_openidc);
#define OIDC_UNAUTZ_AUTHENTICATE 3
#define OIDC_UNAUTZ_RETURN302 4

#define OIDC_REQUEST_URI_CACHE_DURATION 30

#define OIDC_USER_INFO_TOKEN_METHOD_HEADER 0
#define OIDC_USER_INFO_TOKEN_METHOD_POST 1

25 changes: 17 additions & 8 deletions src/proto.c
Expand Up @@ -131,6 +131,8 @@ apr_byte_t oidc_proto_generate_random_string(request_rec *r, char **output,

#define OIDC_REQUEST_OJBECT_COPY_FROM_REQUEST "copy_from_request"
#define OIDC_REQUEST_OJBECT_COPY_AND_REMOVE_FROM_REQUEST "copy_and_remove_from_request"
#define OIDC_REQUEST_OJBECT_TTL "ttl"
#define OIDC_REQUEST_OBJECT_TTL_DEFAULT 30

/*
* indicates wether a request parameter from the authorization request needs to be
Expand Down Expand Up @@ -282,9 +284,9 @@ apr_byte_t oidc_proto_get_encryption_jwk_by_type(request_rec *r, oidc_cfg *cfg,
/*
* generate a request object
*/
char* oidc_proto_create_request_object(request_rec *r,
static char* oidc_proto_create_request_object(request_rec *r,
struct oidc_provider_t *provider, json_t *request_object_config,
apr_table_t *params) {
apr_table_t *params, int ttl) {

oidc_jwk_t *sjwk = NULL;
int jwk_needs_destroy = 0;
Expand All @@ -297,11 +299,15 @@ char* oidc_proto_create_request_object(request_rec *r,
/* create the request object value */
oidc_jwt_t *request_object = oidc_jwt_new(r->pool, TRUE, TRUE);

/* set basic values: iss and aud */
/* set basic values: iss, aud, iat and exp */
json_object_set_new(request_object->payload.value.json, OIDC_CLAIM_ISS,
json_string(provider->client_id));
json_object_set_new(request_object->payload.value.json, OIDC_CLAIM_AUD,
json_string(provider->issuer));
json_object_set_new(request_object->payload.value.json, OIDC_CLAIM_IAT,
json_integer(apr_time_sec(apr_time_now())));
json_object_set_new(request_object->payload.value.json, OIDC_CLAIM_EXP,
json_integer(apr_time_sec(apr_time_now()) + ttl));

/* add static values to the request object as configured in the .conf file; may override iss/aud */
oidc_util_json_merge(r, json_object_get(request_object_config, "static"),
Expand Down Expand Up @@ -476,7 +482,7 @@ char* oidc_proto_create_request_object(request_rec *r,
*/
static char* oidc_proto_create_request_uri(request_rec *r,
struct oidc_provider_t *provider, json_t *request_object_config,
const char *redirect_uri, apr_table_t *params) {
const char *redirect_uri, apr_table_t *params, int ttl) {

oidc_debug(r, "enter");

Expand All @@ -490,7 +496,7 @@ static char* oidc_proto_create_request_uri(request_rec *r,
resolver_url = apr_pstrdup(r->pool, redirect_uri);

char *serialized_request_object = oidc_proto_create_request_object(r,
provider, request_object_config, params);
provider, request_object_config, params, ttl);

/* generate a temporary reference, store the request object in the cache and generate a Request URI that references it */
char *request_uri = NULL;
Expand All @@ -499,7 +505,7 @@ static char* oidc_proto_create_request_uri(request_rec *r,
if (oidc_proto_generate_random_string(r, &request_ref, 16) == TRUE) {
oidc_cache_set_request_uri(r, request_ref,
serialized_request_object,
apr_time_now() + apr_time_from_sec(OIDC_REQUEST_URI_CACHE_DURATION));
apr_time_now() + apr_time_from_sec(ttl));
request_uri = apr_psprintf(r->pool, "%s?%s=%s", resolver_url,
OIDC_PROTO_REQUEST_URI, oidc_util_escape_string(r, request_ref));
}
Expand Down Expand Up @@ -550,15 +556,18 @@ static void oidc_proto_add_request_param(request_rec *r,

/* create request value */
char *value = NULL;
int ttl = OIDC_REQUEST_OBJECT_TTL_DEFAULT;
oidc_json_object_get_int(request_object_config, "ttl", &ttl,
OIDC_REQUEST_OBJECT_TTL_DEFAULT);
if (_oidc_strcmp(parameter, OIDC_PROTO_REQUEST_URI) == 0) {
/* parameter is "request_uri" */
value = oidc_proto_create_request_uri(r, provider,
request_object_config, redirect_uri, params);
request_object_config, redirect_uri, params, ttl);
apr_table_set(params, OIDC_PROTO_REQUEST_URI, value);
} else {
/* parameter is "request" */
value = oidc_proto_create_request_object(r, provider,
request_object_config, params);
request_object_config, params, ttl);
apr_table_set(params, OIDC_PROTO_REQUEST_OBJECT, value);
}
}
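Review bot: The `ttl` read by the `oidc_json_object_get_int(request_object_config, "ttl", &ttl, ...)` call in `oidc_proto_add_request_param` (whose body starts above this hunk) is used without a range check, and it now governs two things at once: the `exp` claim of the request object and, in `oidc_proto_create_request_uri`, how long the serialized object stays retrievable from the cache via `request_uri`; a non-positive configured value produces an `exp` at or before `iat` and a cache entry that is already expired, while a very large value keeps the cached object servable for that long. A guard such as `if (ttl <= 0) ttl = OIDC_REQUEST_OBJECT_TTL_DEFAULT;` (optionally with an upper bound and a warning log) directly after the config read would keep a misconfiguration from silently widening that window. In `oidc_proto_create_request_object`, `apr_time_now()` is evaluated separately for `iat` and `exp`, so across a second boundary `exp - iat` can differ from `ttl` by one; compute the current time once and derive both claims from it. The new `OIDC_REQUEST_OJBECT_TTL` macro is defined but the lookup passes the literal `"ttl"`; use the macro as the neighbouring `copy_from_request` keys do. The `auth_openidc.conf` comment says `ttl` "translates to the `exp` claim" but should also state that it sets the `request_uri` cache lifetime, since that replaced the fixed `OIDC_REQUEST_URI_CACHE_DURATION`.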
