/*
* parse the JSON client metadata in to a oidc_provider_t struct
*/
apr_byte_t oidc_metadata_client_parse(request_rec *r, oidc_cfg *cfg,
json_t *j_client, oidc_provider_t *provider) {
/* get a handle to the client_id we need to use for this provider */
oidc_json_object_get_string(r->pool, j_client, "client_id",
&provider->client_id, NULL);
/* get a handle to the client_secret we need to use for this provider */
oidc_json_object_get_string(r->pool, j_client, "client_secret",
&provider->client_secret, NULL);
/* see if the token endpoint auth method defined in the client metadata overrides the provider one */
char *token_endpoint_auth = NULL;
oidc_json_object_get_string(r->pool, j_client, "token_endpoint_auth_method",
&token_endpoint_auth, NULL);
if (token_endpoint_auth != NULL) {
if ((apr_strnatcmp(token_endpoint_auth, "client_secret_post") == 0)
|| (apr_strnatcmp(token_endpoint_auth, "client_secret_basic")
== 0)) {
provider->token_endpoint_auth = apr_pstrdup(r->pool,
token_endpoint_auth);
} else {
oidc_warn(r,
"unsupported client auth method \"%s\" in client metadata for entry \"token_endpoint_auth_method\"",
token_endpoint_auth);
}
}
/* determine the response type if not set by .conf */
if (provider->response_type == NULL) {
provider->response_type = cfg->provider.response_type;
/* "response_types" is an array in the client metadata as by spec */
json_t *j_response_types = json_object_get(j_client, "response_types");
if ((j_response_types != NULL) && (json_is_array(j_response_types))) {
/* if there's an array we'll prefer the configured response_type if supported */
if (oidc_util_json_array_has_value(r, j_response_types,
provider->response_type) == FALSE) {
/* if the configured response_type is not supported, we'll fallback to the first one that is listed */
json_t *j_response_type = json_array_get(j_response_types, 0);
if (json_is_string(j_response_type)) {
provider->response_type = apr_pstrdup(r->pool,
json_string_value(j_response_type));
}
}
}
}
return TRUE;
}
/*
* validate the "aud" and "azp" claims in the id_token payload
*/
static apr_byte_t oidc_proto_validate_aud_and_azp(request_rec *r, oidc_cfg *cfg,
oidc_provider_t *provider, apr_jwt_payload_t *id_token_payload) {
char *azp = NULL;
apr_jwt_get_string(r->pool, &id_token_payload->value, "azp", &azp);
/*
* the "azp" claim is only needed when the id_token has a single audience value and that audience
* is different than the authorized party; it MAY be included even when the authorized party is
* the same as the sole audience.
*/
if ((azp != NULL) && (apr_strnatcmp(azp, provider->client_id) != 0)) {
oidc_error(r,
"the \"azp\" claim (%s) is present in the id_token, but is not equal to the configured client_id (%s)",
azp, provider->client_id);
return FALSE;
}
/* get the "aud" value from the JSON payload */
json_t *aud = json_object_get(id_token_payload->value.json, "aud");
if (aud != NULL) {
/* check if it is a single-value */
if (json_is_string(aud)) {
/* a single-valued audience must be equal to our client_id */
if (apr_strnatcmp(json_string_value(aud), provider->client_id)
!= 0) {
oidc_error(r,
"the configured client_id (%s) did not match the \"aud\" claim value (%s) in the id_token",
provider->client_id, json_string_value(aud));
return FALSE;
}
/* check if this is a multi-valued audience */
} else if (json_is_array(aud)) {
if ((json_array_size(aud) > 1) && (azp == NULL)) {
oidc_debug(r,
"the \"aud\" claim value in the id_token is an array with more than 1 element, but \"azp\" claim is not present (a SHOULD in the spec...)");
}
if (oidc_util_json_array_has_value(r, aud,
provider->client_id) == FALSE) {
oidc_error(r,
"our configured client_id (%s) could not be found in the array of values for \"aud\" claim",
provider->client_id);
return FALSE;
}
} else {
oidc_error(r,
"id_token JSON payload \"aud\" claim is not a string nor an array");
return FALSE;
}
} else {
oidc_error(r, "id_token JSON payload did not contain an \"aud\" claim");
return FALSE;
}
return TRUE;
}
