/*
* check if a particular OpenID Connect flow is supported
*/
apr_byte_t oidc_proto_flow_is_supported(apr_pool_t *pool, const char *flow) {
apr_array_header_t *flows = oidc_proto_supported_flows(pool);
int i;
for (i = 0; i < flows->nelts; i++) {
if (oidc_util_spaced_string_equals(pool, flow,
((const char**) flows->elts)[i]))
return TRUE;
}
return FALSE;
}
/*
* check a hash value in the id_token against the corresponding hash calculated over a provided value
*/
static apr_byte_t oidc_proto_validate_hash_value(request_rec *r,
oidc_provider_t *provider, apr_jwt_t *jwt, const char *response_type,
const char *value, const char *key,
apr_array_header_t *required_for_flows) {
/*
* get the hash value from the id_token
*/
char *hash = NULL;
apr_jwt_get_string(r->pool, &jwt->payload.value, key, &hash);
/*
* check if the hash was present
*/
if (hash == NULL) {
/* no hash..., now see if the flow required it */
int i;
for (i = 0; i < required_for_flows->nelts; i++) {
if (oidc_util_spaced_string_equals(r->pool, response_type,
((const char**) required_for_flows->elts)[i])) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
"oidc_proto_validate_hash_value: flow is \"%s\", but no %s found in id_token",
response_type, key);
return FALSE;
}
}
/* no hash but it was not required anyway */
return TRUE;
}
/*
* we have a hash, validate it and return the result
*/
return oidc_proto_validate_hash(r, jwt->header.alg, hash, value, key);
}
