finish merge

ChangeLog

@@ -1,3 +1,14 @@
+07/25/2023
+- support "authenticate_on_error" 2nd parameter value in OIDCRefreshAccessTokenBeforeExpiry 
+  to reauthenticate the user when refreshing the access token fails
+  see: https://github.com/OpenIDC/mod_auth_openidc/discussions/1084; thanks @xrammit
+- add logout_on_error and authenticate_on_error 2nd parameter option to OIDCUserInfoRefreshInterval
+- bump to 2.4.14.3rc4
+
+07/18/2023
+- allow relative values in OIDCDefaultURL and OIDCDefaultLoggedOutURL
+- bump to 2.4.14.3rc3
+
 07/14/2023
 - fix session updates on userinfo requests; see https://github.com/OpenIDC/mod_auth_openidc/discussions/1077
   this bug was introduced in v2.4.11 with d9fff154ee6ee8a7e4e969dd6a68cbaf18354598

auth_openidc.conf

@@ -180,7 +180,9 @@
 # to refresh the access token using the refresh token grant, after which a second attempt is made
 # to obtain claims from the userinfo endpoint with the new access token.
 # NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_refresh_interval
-#OIDCUserInfoRefreshInterval <seconds>
+# The optional logout_on_error flag will make the user logout the current local session if the userinfo request fails.
+# The optional authenticate_on_error flag sends the user for authentication when the userinfo request fails.
+#OIDCUserInfoRefreshInterval <seconds> [ logout_on_error | authenticate_on_error ]
 
 # The refresh interval in seconds for the JWKs key set obtained from the jwks_uri and signed_jwks_uri.
 # When not defined the default is 3600 seconds.
@@ -1016,7 +1018,8 @@
 # was returned as part of the authorization response (and subsequent refresh token responses).
 # When not defined no attempt is made to refresh the access token (unless implicitly with OIDCUserInfoRefreshInterval)
 # The optional logout_on_error flag makes the refresh logout the current local session if the refresh fails.
-#OIDCRefreshAccessTokenBeforeExpiry <seconds> [logout_on_error]
+# The optional authenticate_on_error flag sends the user for authentication when the refresh fails.
+#OIDCRefreshAccessTokenBeforeExpiry <seconds> [logout_on_error | authenticate_on_error]
 
 # Defines whether the value of the User-Agent and X-Forwarded-For headers will be used as the input
 # for calculating the fingerprint of the state during authentication.

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.14.3rc2],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.14.3rc4],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

src/cache/memcache.c

@@ -50,17 +50,10 @@
 
 extern module AP_MODULE_DECLARE_DATA auth_openidc_module;
 
-
-#if AP_MODULE_MAGIC_AT_LEAST(20120211, 125)
-#include <mod_http2.h>
-#else
 /*
- * Copy and paste from mod_http2.h where mod_http2.h is not available
+ * avoid including mod_http2.h (assume the function signature is stable)
  */
-APR_DECLARE_OPTIONAL_FN(void,
-						http2_get_num_workers, (server_rec *s,
-												int *minw, int *max));
-#endif
+APR_DECLARE_OPTIONAL_FN(void, http2_get_num_workers, (server_rec *s, int *minw, int *max));
 
 typedef struct oidc_cache_cfg_memcache_t {
 	/* cache_type = memcache: memcache ptr */

src/config.c

@@ -164,6 +164,8 @@
 #define OIDC_DEFAULT_PASS_USERINFO_AS OIDC_PASS_USERINFO_AS_CLAIMS_STR
 /* default pass id_token as */
 #define OIDC_DEFAULT_PASS_IDTOKEN_AS OIDC_PASS_IDTOKEN_AS_CLAIMS
+/* default action to be taken on access token refresh error */
+#define OIDC_DEFAULT_ON_ERROR_REFRESH OIDC_ON_ERROR_CONTINUE;
 
 #define OIDCProviderMetadataURL                "OIDCProviderMetadataURL"
 #define OIDCProviderIssuer                     "OIDCProviderIssuer"
@@ -312,7 +314,8 @@ typedef struct oidc_dir_cfg {
 	oidc_apr_expr_t *unauth_expression;
 	oidc_apr_expr_t *userinfo_claims_expr;
 	int refresh_access_token_before_expiry;
-	int logout_on_error_refresh;
+	int action_on_error_refresh;
+	int action_on_userinfo_refresh;
 	char *state_cookie_prefix;
 	apr_array_header_t *pass_userinfo_as;
 	int pass_idtoken_as;
@@ -442,6 +445,8 @@ static const char* oidc_set_url_slot(cmd_parms *cmd, void *ptr, const char *arg)
 	return oidc_set_url_slot_type(cmd, cfg, arg, NULL);
 }
 
+
+
 /*
  * set a relative or absolute URL value in a config rec
  */
@@ -463,6 +468,16 @@ static const char* oidc_set_relative_or_absolute_url_slot_dir_cfg(
 	}
 }
 
+/*
+ * set a relative or absolute URL value in the server config
+ */
+static const char* oidc_set_relative_or_absolute_url_slot(cmd_parms *cmd,
+		void *ptr, const char *arg) {
+	oidc_cfg *cfg = (oidc_cfg*) ap_get_module_config(cmd->server->module_config,
+			&auth_openidc_module);
+	return oidc_set_relative_or_absolute_url_slot_dir_cfg(cmd, cfg, arg);
+}
+
 /*
  * set a directory value in the server config
  */
@@ -1168,11 +1183,15 @@ static const char* oidc_set_idtoken_iat_slack(cmd_parms *cmd, void *struct_ptr,
  * set the userinfo refresh interval
  */
 static const char* oidc_set_userinfo_refresh_interval(cmd_parms *cmd,
-		void *struct_ptr, const char *arg) {
+		void *struct_ptr, const char *arg1, const char *arg2) {
 	oidc_cfg *cfg = (oidc_cfg*) ap_get_module_config(cmd->server->module_config,
 			&auth_openidc_module);
-	const char *rv = oidc_parse_userinfo_refresh_interval(cmd->pool, arg,
+	const char *rv = oidc_parse_userinfo_refresh_interval(cmd->pool, arg1,
 			&cfg->provider.userinfo_refresh_interval);
+	if ((rv == NULL) && (arg2)) {
+		rv = oidc_parse_action_on_error_refresh_as(cmd->pool, arg2,
+				&cfg->action_on_userinfo_error);
+	}
 	return OIDC_CONFIG_DIR_RV(cmd, rv);
 }
 
@@ -1309,8 +1328,8 @@ static const char* oidc_set_refresh_access_token_before_expiry(cmd_parms *cmd,
 				cmd->directive->directive, rv1);
 
 	if (arg2) {
-		const char *rv2 = oidc_parse_logout_on_error_refresh_as(cmd->pool, arg2,
-				&dir_cfg->logout_on_error_refresh);
+		const char *rv2 = oidc_parse_action_on_error_refresh_as(cmd->pool, arg2,
+				&dir_cfg->action_on_error_refresh);
 		return OIDC_CONFIG_DIR_RV(cmd, rv2);
 	}
 
@@ -1404,12 +1423,12 @@ int oidc_cfg_dir_refresh_access_token_before_expiry(request_rec *r) {
 	return dir_cfg->refresh_access_token_before_expiry;
 }
 
-int oidc_cfg_dir_logout_on_error_refresh(request_rec *r) {
+int oidc_cfg_dir_action_on_error_refresh(request_rec *r) {
 	oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
 			&auth_openidc_module);
-	if (dir_cfg->logout_on_error_refresh == OIDC_CONFIG_POS_INT_UNSET)
-		return 0; // no mask
-	return dir_cfg->logout_on_error_refresh;
+	if (dir_cfg->action_on_error_refresh == OIDC_CONFIG_POS_INT_UNSET)
+		return OIDC_DEFAULT_ON_ERROR_REFRESH;
+	return dir_cfg->action_on_error_refresh;
 }
 
 char* oidc_cfg_dir_state_cookie_prefix(request_rec *r) {
@@ -1808,6 +1827,7 @@ void* oidc_create_server_config(apr_pool_t *pool, server_rec *svr) {
 	c->ca_bundle_path = NULL;
 	c->logout_x_frame_options = NULL;
 	c->x_forwarded_headers = OIDC_DEFAULT_X_FORWARDED_HEADERS;
+	c->action_on_userinfo_error = OIDC_ON_ERROR_CONTINUE;
 
 	return c;
 }
@@ -2124,6 +2144,11 @@ void* oidc_merge_server_config(apr_pool_t *pool, void *BASE, void *ADD) {
 			add->x_forwarded_headers != OIDC_DEFAULT_X_FORWARDED_HEADERS ?
 					add->x_forwarded_headers : base->x_forwarded_headers;
 
+	c->action_on_userinfo_error =
+			add->action_on_userinfo_error != OIDC_ON_ERROR_CONTINUE ?
+					add->action_on_userinfo_error :
+					base->action_on_userinfo_error;
+
 	return c;
 }
 
@@ -2183,7 +2208,7 @@ void* oidc_create_dir_config(apr_pool_t *pool, char *path) {
 	c->path_scope_expr = NULL;
 	c->userinfo_claims_expr = NULL;
 	c->refresh_access_token_before_expiry = OIDC_CONFIG_POS_INT_UNSET;
-	c->logout_on_error_refresh = OIDC_CONFIG_POS_INT_UNSET;
+	c->action_on_error_refresh = OIDC_CONFIG_POS_INT_UNSET;
 	c->state_cookie_prefix = OIDC_CONFIG_STRING_UNSET;
 	c->pass_userinfo_as = NULL;
 	c->pass_idtoken_as = OIDC_CONFIG_POS_INT_UNSET;
@@ -2521,10 +2546,10 @@ void* oidc_merge_dir_config(apr_pool_t *pool, void *BASE, void *ADD) {
 					add->refresh_access_token_before_expiry :
 					base->refresh_access_token_before_expiry;
 
-	c->logout_on_error_refresh =
-			add->logout_on_error_refresh != OIDC_CONFIG_POS_INT_UNSET ?
-					add->logout_on_error_refresh :
-					base->logout_on_error_refresh;
+	c->action_on_error_refresh =
+			add->action_on_error_refresh != OIDC_CONFIG_POS_INT_UNSET ?
+					add->action_on_error_refresh :
+					base->action_on_error_refresh;
 
 	c->state_cookie_prefix =
 			(_oidc_strcmp(add->state_cookie_prefix, OIDC_CONFIG_STRING_UNSET)
@@ -2595,6 +2620,7 @@ static int oidc_check_config_error(server_rec *s, const char *config_str) {
 	return HTTP_INTERNAL_SERVER_ERROR;
 }
 
+
 /*
  * check the config required for the OpenID Connect RP role
  */
@@ -3682,7 +3708,7 @@ const command_rec oidc_config_cmds[] = {
 				NULL,
 				RSRC_CONF|ACCESS_CONF|OR_AUTHCFG,
 				"The method in which an OAuth token can be presented; must be one or more of: header|post|query|cookie"),
-		AP_INIT_TAKE1(OIDCUserInfoRefreshInterval,
+		AP_INIT_TAKE12(OIDCUserInfoRefreshInterval,
 				oidc_set_userinfo_refresh_interval,
 				(void*)APR_OFFSETOF(oidc_cfg, provider.userinfo_refresh_interval),
 				RSRC_CONF,
@@ -3752,7 +3778,7 @@ const command_rec oidc_config_cmds[] = {
 				oidc_set_refresh_access_token_before_expiry,
 				(void *)APR_OFFSETOF(oidc_dir_cfg, refresh_access_token_before_expiry),
 				RSRC_CONF|ACCESS_CONF|OR_AUTHCFG,
-				"Ensure the access token is valid for at least <x> seconds by refreshing it if required; must be: <x> [logout_on_error]; the logout_on_error performs a logout on refresh error."),
+				"Ensure the access token is valid for at least <x> seconds by refreshing it if required; must be: <x> [logout_on_error|authenticate_on_error]; the logout_on_error performs a logout on refresh error."),
 
 		AP_INIT_TAKE1(OIDCStateInputHeaders,
 				oidc_set_state_input_headers_as,

src/metadata.c

@@ -587,7 +587,8 @@ static apr_byte_t oidc_metadata_client_register(request_rec *r, oidc_cfg *cfg,
 	char *default_slo_url = oidc_cfg_dir_default_slo_url(r);
 	if (default_slo_url != NULL) {
 		json_object_set_new(data, OIDC_METADATA_POST_LOGOUT_REDIRECT_URIS,
-				json_pack("[s]", default_slo_url));
+				json_pack("[s]",
+						oidc_get_absolute_url(r, cfg, default_slo_url)));
 	}
 
 	/* add any custom JSON in to the registration request */