Skip to content

Commit

Permalink
fix SSL server certificate validation in oidc_revoke_tokens
Browse files Browse the repository at this point in the history
see #1141; thanks
@mschmidt72; bump to 2.4.15rc7

Signed-off-by: Hans Zandbelt <[email protected]>
  • Loading branch information
zandbelt committed Nov 30, 2023
1 parent 71e551c commit 7624c40
Show file tree
Hide file tree
Showing 3 changed files with 9 additions and 3 deletions.
6 changes: 6 additions & 0 deletions ChangeLog
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
11/30/2023
- fix SSL server certificate validation when revoking tokens
apply `OIDCSSLValidateServer` setting rather than `OIDCOAuthSSLValidateServer` in `oidc_revoke_tokens`
see https://github.com/OpenIDC/mod_auth_openidc/discussions/1141; thanks @mschmidt72
- bump to 2.4.15rc7

11/27/2023
- use clang-format-17 for code formatting and reformat all code

Expand Down
2 changes: 1 addition & 1 deletion configure.ac
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
AC_INIT([mod_auth_openidc],[2.4.15rc6],[[email protected]])
AC_INIT([mod_auth_openidc],[2.4.15rc7],[[email protected]])

AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())

Expand Down
4 changes: 2 additions & 2 deletions src/mod_auth_openidc.c
Original file line number Diff line number Diff line change
Expand Up @@ -2951,7 +2951,7 @@ static void oidc_revoke_tokens(request_rec *r, oidc_cfg *c, oidc_session_t *sess
apr_table_setn(params, OIDC_PROTO_TOKEN, token);

if (oidc_util_http_post_form(r, provider->revocation_endpoint_url, params, basic_auth, bearer_auth,
c->oauth.ssl_validate_server, &response, &c->http_timeout_long,
c->provider.ssl_validate_server, &response, &c->http_timeout_long,
&c->outgoing_proxy, oidc_dir_cfg_pass_cookies(r), NULL, NULL,
NULL) == FALSE) {
oidc_warn(r, "revoking refresh token failed");
Expand All @@ -2966,7 +2966,7 @@ static void oidc_revoke_tokens(request_rec *r, oidc_cfg *c, oidc_session_t *sess
apr_table_setn(params, OIDC_PROTO_TOKEN, token);

if (oidc_util_http_post_form(r, provider->revocation_endpoint_url, params, basic_auth, bearer_auth,
c->oauth.ssl_validate_server, &response, &c->http_timeout_long,
c->provider.ssl_validate_server, &response, &c->http_timeout_long,
&c->outgoing_proxy, oidc_dir_cfg_pass_cookies(r), NULL, NULL,
NULL) == FALSE) {
oidc_warn(r, "revoking access token failed");
Expand Down

0 comments on commit 7624c40

Please sign in to comment.