Merge branch 'pr3_defaulturl_t2' into pr_perdir_merge_t2

brandonk10 · Apr 15, 2023 · 48f4ed0 · 48f4ed0
2 parents 0374a68 + 9c6300c
commit 48f4ed0
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 16 deletions.
diff --git a/src/config.c b/src/config.c
@@ -284,6 +284,7 @@ typedef struct oidc_dir_cfg {
 	char *redirect_uri;
 	/* (optional) default URL to go to after logout */
 	char *default_slo_url;
+	char *default_sso_url;
 	char *cookie_path;
 	char *cookie;
 	char *authn_header;
@@ -1708,7 +1709,6 @@ void* oidc_create_server_config(apr_pool_t *pool, server_rec *svr) {
 
 	c->merged = FALSE;
 
-	c->default_sso_url = NULL;
 	c->public_keys = NULL;
 	c->private_keys = NULL;
 
@@ -1842,9 +1842,6 @@ void* oidc_merge_server_config(apr_pool_t *pool, void *BASE, void *ADD) {
 
 	c->merged = TRUE;
 
-	c->default_sso_url =
-			add->default_sso_url != NULL ?
-					add->default_sso_url : base->default_sso_url;
 	c->public_keys = oidc_jwk_list_copy(pool,
 			add->public_keys != NULL ? add->public_keys : base->public_keys);
 	c->private_keys = oidc_jwk_list_copy(pool,
@@ -2189,6 +2186,7 @@ void* oidc_create_dir_config(apr_pool_t *pool, char *path) {
 	c->cookie_path = OIDC_CONFIG_STRING_UNSET;
 	c->authn_header = OIDC_CONFIG_STRING_UNSET;
 	c->unauth_action = OIDC_CONFIG_POS_INT_UNSET;
+	c->default_sso_url = NULL;
 #if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
 	c->unauth_expression = NULL;
 #endif
@@ -2227,6 +2225,15 @@ char* oidc_cfg_dir_discover_url(request_rec *r) {
 	return dir_cfg->discover_url;
 }
 
+char* oidc_cfg_dir_default_sso_url(request_rec *r) {
+	oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
+			&auth_openidc_module);
+	if ((dir_cfg->default_sso_url == NULL) || (_oidc_strcmp(dir_cfg->default_sso_url,
+			OIDC_CONFIG_STRING_UNSET) == 0))
+		return NULL;
+	return dir_cfg->default_sso_url;
+}
+
 char* oidc_cfg_dir_cookie(request_rec *r) {
 	oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
 			&auth_openidc_module);
@@ -2478,6 +2485,9 @@ void* oidc_merge_dir_config(apr_pool_t *pool, void *BASE, void *ADD) {
 	c->default_slo_url =
 			add->default_slo_url != NULL ?
 					add->default_slo_url : base->default_slo_url;
+	c->default_sso_url =
+			add->default_sso_url != NULL ?
+					add->default_sso_url : base->default_sso_url;
 #if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
 	c->unauth_expression =
 			add->unauth_expression != NULL ?
@@ -3386,9 +3396,9 @@ const command_rec oidc_config_cmds[] = {
 				RSRC_CONF | ACCESS_CONF | OR_AUTHCFG,
 				"Define the Redirect URI (e.g.: https://localhost:9031/protected/example/)"),
 		AP_INIT_TAKE1(OIDCDefaultURL,
-				oidc_set_url_slot,
-				(void *)APR_OFFSETOF(oidc_cfg, default_sso_url),
-				RSRC_CONF,
+				oidc_set_relative_or_absolute_url_slot_dir_cfg,
+				(void *)APR_OFFSETOF(oidc_dir_cfg, default_sso_url),
+				RSRC_CONF|ACCESS_CONF|OR_AUTHCFG,
 				"Defines the default URL where the user is directed to in case of 3rd-party initiated SSO."),
 		AP_INIT_TAKE1(OIDCDefaultLoggedOutURL,
 				oidc_set_relative_or_absolute_url_slot_dir_cfg,

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -656,7 +656,7 @@ static apr_byte_t oidc_restore_proto_state(request_rec *r, oidc_cfg *c,
 	/* check that the timestamp is not beyond the valid interval */
 	if (apr_time_now() > ts + apr_time_from_sec(c->state_timeout)) {
 		oidc_error(r, "state has expired");
-		if ((c->default_sso_url == NULL)
+		if ((oidc_cfg_dir_default_sso_url(r) == NULL)
 				|| (apr_table_get(r->subprocess_env,
 						"OIDC_NO_DEFAULT_URL_ON_STATE_TIMEOUT") != NULL)) {
 			oidc_util_html_send_error(r, c->error_template,
@@ -2100,12 +2100,13 @@ static int oidc_handle_authorization_response(request_rec *r, oidc_cfg *c,
 	if (oidc_authorization_response_match_state(r, c,
 			apr_table_get(params, OIDC_PROTO_STATE), &provider,
 			&proto_state) == FALSE) {
-		if (c->default_sso_url != NULL) {
+		char *default_sso_url = oidc_cfg_dir_default_sso_url(r);
+		if (default_sso_url != NULL) {
 			oidc_warn(r,
 					"invalid authorization response state; a default SSO URL is set, sending the user there: %s",
-					c->default_sso_url);
-			oidc_util_hdr_out_location_set(r, c->default_sso_url);
-			//oidc_util_hdr_err_out_add(r, "Location", c->default_sso_url));
+					default_sso_url);
+			oidc_util_hdr_out_location_set(r, default_sso_url);
+			//oidc_util_hdr_err_out_add(r, "Location", default_sso_url));
 			return HTTP_MOVED_TEMPORARILY;
 		}
 		oidc_error(r,
@@ -2806,13 +2807,14 @@ static int oidc_handle_discovery_response(request_rec *r, oidc_cfg *c) {
 			issuer, target_link_uri, login_hint, user);
 
 	if (target_link_uri == NULL) {
-		if (c->default_sso_url == NULL) {
+		char *default_sso_url = oidc_cfg_dir_default_sso_url(r);
+		if (default_sso_url == NULL) {
 			return oidc_util_html_send_error(r, c->error_template,
 					"Invalid Request",
 					"SSO to this module without specifying a \"target_link_uri\" parameter is not possible because " OIDCDefaultURL " is not set.",
 					HTTP_INTERNAL_SERVER_ERROR);
 		}
-		target_link_uri = c->default_sso_url;
+		target_link_uri = default_sso_url;
 	}
 
 	/* do open redirect prevention, step 1 */

diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
@@ -380,8 +380,6 @@ typedef struct oidc_cfg {
 	/* HTML to display error messages+description */
 	char *error_template;
 
-	/* (optional) default URL for 3rd-party initiated SSO */
-	char *default_sso_url;
 
 	/* public keys in JWK format, used by parters for encrypting JWTs sent to us */
 	apr_array_header_t *public_keys;
@@ -773,6 +771,7 @@ int oidc_cfg_dir_pass_info_encoding(request_rec *r);
 apr_byte_t oidc_cfg_dir_pass_refresh_token(request_rec *r);
 apr_byte_t oidc_cfg_dir_accept_token_in(request_rec *r);
 char *oidc_cfg_dir_accept_token_in_option(request_rec *r, const char *key);
+char *oidc_cfg_dir_default_sso_url(request_rec *r);
 int oidc_cfg_token_introspection_interval(request_rec *r);
 int oidc_cfg_dir_preserve_post(request_rec *r);
 apr_array_header_t *oidc_dir_cfg_pass_cookies(request_rec *r);