Merge branch 'OpenIDC:master' into pr_perdir_merge_t2

brandonk10 · Jul 15, 2023 · 206bed6 · 206bed6
2 parents e51c252 + 31c3109
commit 206bed6
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 4 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,8 @@
+07/14/2023
+- fix session updates on userinfo requests; see https://github.com/OpenIDC/mod_auth_openidc/discussions/1077
+  this bug was introduced in v2.4.11 with d9fff154ee6ee8a7e4e969dd6a68cbaf18354598
+- bump to 2.4.14.3rc2
+
 07/12/2023
 - add a sanity alg/enc check on self-encrypted AES GCM JWTs
 - add `OIDCPassAccessToken Off` option to disable (the default of) passing the access token and its expiry

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.14.3rc1],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.14.3rc2],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -4141,6 +4141,11 @@ int oidc_handle_redirect_uri_request(request_rec *r, oidc_cfg *c,
 		// need to establish user/claims for authorization purposes
 		rc = oidc_handle_existing_session(r, c, session, &needs_save);
 
+		// retain this session across the authentication hand content handler phases
+		// by storing it in the request state
+		apr_pool_userdata_set(session, OIDC_USERDATA_SESSION, NULL, r->pool);
+
+		// record whether the session was modified and needs to be saved in the cache
 		if (needs_save)
 			oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_SAVE, "");
 
@@ -4240,7 +4245,7 @@ static int oidc_check_userid_openidc(request_rec *r, oidc_cfg *c) {
 	apr_byte_t needs_save = FALSE;
 
 	/* load the session from the request state; this will be a new "empty" session if no state exists */
-	oidc_session_t *session = NULL;
+	oidc_session_t *session = NULL, *retain = NULL;
 	oidc_session_load(r, &session);
 
 	/* see if the initial request is to the redirect URI; this handles potential logout too */
@@ -4249,8 +4254,12 @@ static int oidc_check_userid_openidc(request_rec *r, oidc_cfg *c) {
 		/* handle request to the redirect_uri */
 		rc = oidc_handle_redirect_uri_request(r, c, session);
 
+		/* see if the session needs to be retained for the content handler phase */
+		apr_pool_userdata_get((void**) &retain, OIDC_USERDATA_SESSION, r->pool);
+
 		/* free resources allocated for the session */
-		oidc_session_free(r, session);
+		if (retain == NULL)
+			oidc_session_free(r, session);
 
 		return rc;
 
@@ -4651,8 +4660,17 @@ int oidc_content_handler(request_rec *r) {
 		if (oidc_util_request_has_parameter(r,
 				OIDC_REDIRECT_URI_REQUEST_INFO)) {
 
-			oidc_session_load(r, &session);
+			/* see if a session was retained in the request state */
+			apr_pool_userdata_get((void**) &session, OIDC_USERDATA_SESSION, r->pool);
 
+			/* if no retained session was found, load it from the cache or create a new one*/
+			if (session == NULL)
+				oidc_session_load(r, &session);
+
+			/*
+			 * see if the request state indicates that the (retained)
+			 * session was modified and needs to be updated in the cach
+			 */
 			needs_save = (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_SAVE)
 					!= NULL);
 

diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
@@ -196,6 +196,7 @@ APLOG_USE_MODULE(auth_openidc);
 
 /* the (global) key for the mod_auth_openidc related state that is stored in the request userdata context */
 #define OIDC_USERDATA_KEY "mod_auth_openidc_state"
+#define OIDC_USERDATA_SESSION "mod_auth_openidc_session"
 #define OIDC_USERDATA_POST_PARAMS_KEY "oidc_userdata_post_params"
 
 /* input filter hook name */