/*
 * Persist a session: its JSON state goes to the server-side cache, to a
 * self-contained cookie, or to the cookie as a fallback when the cache
 * store fails and fallback-to-cookie is configured.
 *
 * r          request (pool, config, logging)
 * z          session; z->state == NULL means "clear the session"
 * first_time TRUE while the session is being created; passed through to the
 *            store functions (which use it for cookie attributes)
 *
 * Returns TRUE when the session was stored, FALSE otherwise.
 */
apr_byte_t oidc_session_save(request_rec *r, oidc_session_t *z, apr_byte_t first_time) {
	oidc_cfg *cfg = ap_get_module_config(r->server->module_config, &auth_openidc_module);
	const char *tb_id = oidc_util_get_provided_token_binding_id(r);
	apr_byte_t saved = FALSE;

	if (z->state != NULL) {
		/* keep the authenticated user and the absolute expiry (epoch seconds) inside the state */
		oidc_session_set(r, z, OIDC_SESSION_REMOTE_USER_KEY, z->remote_user);
		json_object_set_new(z->state, OIDC_SESSION_EXPIRY_KEY, json_integer(apr_time_sec(z->expiry)));
		/* the provided token binding id is pinned into the state only when the session is first created */
		if (first_time && (tb_id != NULL)) {
			oidc_debug(r, "Provided Token Binding ID environment variable found; adding its value to the session state");
			oidc_session_set(r, z, OIDC_SESSION_PROVIDED_TOKEN_BINDING_KEY, tb_id);
		}
	}

	if (cfg->session_type == OIDC_SESSION_TYPE_SERVER_CACHE)
		saved = oidc_session_save_cache(r, z, first_time);

	/* client-cookie sessions, or a failed cache store with fallback enabled, end up in the cookie */
	if ((cfg->session_type == OIDC_SESSION_TYPE_CLIENT_COOKIE)
			|| ((saved == FALSE) && oidc_cfg_session_cache_fallback_to_cookie(r)))
		saved = oidc_session_save_cookie(r, z, first_time);

	return saved;
}
/*
 * mod_session flavour: record the remote user and the textual session uuid
 * in the session record, then hand persistence to mod_session's save
 * function and return its status.
 */
apr_status_t oidc_session_save(request_rec *r, session_rec *z) {
	char uuid_str[APR_UUID_FORMATTED_LENGTH + 1];

	oidc_session_set(r, z, OIDC_SESSION_REMOTE_USER_KEY, z->remote_user);

	/* apr_uuid_format() writes the NUL-terminated textual form into the buffer */
	apr_uuid_format(uuid_str, z->uuid);
	/* NOTE(review): this logs the session identifier at debug level; confirm that is acceptable for the deployment's log handling */
	oidc_debug(r, "%s", uuid_str);
	oidc_session_set(r, z, OIDC_SESSION_UUID_KEY, uuid_str);

	return ap_session_save_fn(r, z);
}
/*
 * Record when the access token expires as an absolute epoch-seconds value
 * (now + expires_in). An expires_in of -1 means "not provided" and leaves the
 * session untouched.
 */
void oidc_session_set_access_token_expires(request_rec *r, oidc_session_t *z, const int expires_in) {
	if (expires_in == -1)
		return;
	apr_time_t expires_at = apr_time_sec(apr_time_now()) + expires_in;
	oidc_session_set(r, z, OIDC_SESSION_KEY_ACCESSTOKEN_EXPIRES,
			apr_psprintf(r->pool, "%" APR_TIME_T_FMT, expires_at));
}
/*
 * Store a claims JSON object in the session under session_key after dropping
 * every claim that is on the configured deny list (black_listed_claims) or,
 * when an allow list (white_listed_claims) is configured, not on it. The deny
 * list is checked first, so a claim present on both lists is logged once, as
 * blacklisted. If the claims string does not decode as a JSON object nothing
 * is stored and the existing session entry is left as is.
 */
void oidc_session_set_filtered_claims(request_rec *r, oidc_session_t *z, const char *session_key, const char *claims) {
	oidc_cfg *cfg = ap_get_module_config(r->server->module_config, &auth_openidc_module);
	json_t *src = NULL;

	if (oidc_util_decode_json_object(r, claims, &src) == FALSE)
		return;

	json_t *dst = json_object();
	for (void *it = json_object_iter(src); it != NULL; it = json_object_iter_next(src, it)) {
		const char *name = json_object_iter_key(it);
		json_t *value = json_object_iter_value(it);

		if ((cfg->black_listed_claims != NULL)
				&& (apr_hash_get(cfg->black_listed_claims, name, APR_HASH_KEY_STRING) != NULL)) {
			oidc_debug(r, "removing blacklisted claim [%s]: '%s'", session_key, name);
			continue;
		}
		if ((cfg->white_listed_claims != NULL)
				&& (apr_hash_get(cfg->white_listed_claims, name, APR_HASH_KEY_STRING) == NULL)) {
			oidc_debug(r, "removing non-whitelisted claim [%s]: '%s'", session_key, name);
			continue;
		}
		/* json_object_set() takes its own reference; src keeps its reference until the decref below */
		json_object_set(dst, name, value);
	}

	char *filtered = oidc_util_encode_json_object(r, dst, JSON_COMPACT);
	json_decref(dst);
	json_decref(src);
	oidc_session_set(r, z, session_key, filtered);
}
/*
 * Store the session in the server-side cache, indexed by a uuid that is
 * handed to the browser in the session cookie. A session without state
 * (z->state == NULL) clears the cookie and removes the cache entry instead.
 *
 * Returns TRUE on success; FALSE when encoding or the cache store fails.
 */
static apr_byte_t oidc_session_save_cache(request_rec *r, oidc_session_t *z, apr_byte_t first_time) {
	oidc_cfg *cfg = ap_get_module_config(r->server->module_config, &auth_openidc_module);

	if (z->state == NULL) {
		/* clear: expire the browser cookie and drop the cache entry */
		oidc_util_set_cookie(r, oidc_cfg_dir_cookie(r), "", 0, NULL);
		return oidc_cache_set_session(r, z->uuid, NULL, 0);
	}

	if (apr_strnatcmp(z->uuid, "") == 0) {
		/* brand new session: mint an id and also embed it in the cached value
		 * so that cache corruption can be detected */
		oidc_session_uuid_new(r, z);
		oidc_session_set(r, z, OIDC_SESSION_SESSION_ID, z->uuid);
	}

	/* serialize the session; whether the value is encrypted depends on the cache backend settings */
	char *encoded = NULL;
	if (oidc_session_encode(r, cfg, z, &encoded, FALSE) == FALSE)
		return FALSE;

	apr_byte_t stored = oidc_cache_set_session(r, z->uuid, encoded, z->expiry);
	if (stored == TRUE) {
		/* SameSite=Lax only on the first store (presumably so the cookie survives the
		 * top-level redirect back from the provider — TODO confirm), Strict afterwards;
		 * no SameSite attribute at all unless cookie_same_site is configured */
		const char *same_site = NULL;
		if (cfg->cookie_same_site)
			same_site = first_time ? OIDC_COOKIE_EXT_SAME_SITE_LAX : OIDC_COOKIE_EXT_SAME_SITE_STRICT;
		/* the cookie only carries the uuid; it persists across browser restarts only when configured */
		oidc_util_set_cookie(r, oidc_cfg_dir_cookie(r), z->uuid,
				cfg->persistent_session_cookie ? z->expiry : -1, same_site);
	}

	return stored;
}
/*
 * Store the provider's logout endpoint URL in the session.
 */
void oidc_session_set_logout_endpoint(request_rec *r, oidc_session_t *z, const char *logout_endpoint) {
	oidc_session_set(r, z,
			OIDC_SESSION_KEY_LOGOUT_ENDPOINT,
			logout_endpoint);
}
/*
 * Store the provider's check-session iframe URL in the session.
 */
void oidc_session_set_check_session_iframe(request_rec *r, oidc_session_t *z, const char *check_session_iframe) {
	oidc_session_set(r, z,
			OIDC_SESSION_KEY_CHECK_SESSION_IFRAME,
			check_session_iframe);
}
/*
 * Store the client_id used for this session.
 */
void oidc_session_set_client_id(request_rec *r, oidc_session_t *z, const char *client_id) {
	oidc_session_set(r, z,
			OIDC_SESSION_KEY_CLIENT_ID,
			client_id);
}
/*
 * Store the issuer identifier of the provider that authenticated this session.
 */
void oidc_session_set_issuer(request_rec *r, oidc_session_t *z, const char *issuer) {
	oidc_session_set(r, z,
			OIDC_SESSION_KEY_ISSUER,
			issuer);
}
/*
 * Store the provider-supplied session_state value in the session.
 */
void oidc_session_set_session_state(request_rec *r, oidc_session_t *z, const char *session_state) {
	oidc_session_set(r, z,
			OIDC_SESSION_KEY_SESSION_STATE,
			session_state);
}
/*
 * Store the original URL the user requested in the session.
 */
void oidc_session_set_original_url(request_rec *r, oidc_session_t *z, const char *original_url) {
	oidc_session_set(r, z,
			OIDC_SESSION_KEY_ORIGINAL_URL,
			original_url);
}
/*
 * Store the cookie domain in the session.
 */
void oidc_session_set_cookie_domain(request_rec *r, oidc_session_t *z, const char *cookie_domain) {
	oidc_session_set(r, z,
			OIDC_SESSION_KEY_COOKIE_DOMAIN,
			cookie_domain);
}
/*
 * Store the refresh token in the session.
 * NOTE(review): a refresh token is a long-lived credential; its protection at
 * rest depends on how the session backend stores the encoded session.
 */
void oidc_session_set_refresh_token(request_rec *r, oidc_session_t *z, const char *refresh_token) {
	oidc_session_set(r, z,
			OIDC_SESSION_KEY_REFRESH_TOKEN,
			refresh_token);
}
/*
 * Store the access token in the session.
 */
void oidc_session_set_access_token(request_rec *r, oidc_session_t *z, const char *access_token) {
	oidc_session_set(r, z,
			OIDC_SESSION_KEY_ACCESSTOKEN,
			access_token);
}
/*
 * Store the compact-serialized id_token in the session.
 */
void oidc_session_set_idtoken(request_rec *r, oidc_session_t *z, const char *s_id_token) {
	oidc_session_set(r, z,
			OIDC_SESSION_KEY_IDTOKEN,
			s_id_token);
}
/*
 * Store the serialized userinfo JWT in the session.
 */
void oidc_session_set_userinfo_jwt(request_rec *r, oidc_session_t *z, const char *s_userinfo_jwt) {
	oidc_session_set(r, z,
			OIDC_SESSION_KEY_USERINFO_JWT,
			s_userinfo_jwt);
}
/*
 * Store an apr_time_t value under key, formatted as a decimal string.
 * A timestamp of -1 is the "unset" sentinel and leaves the session untouched.
 */
static void oidc_session_set_timestamp(request_rec *r, oidc_session_t *z, const char *key, const apr_time_t timestamp) {
	if (timestamp == -1)
		return;
	oidc_session_set(r, z, key,
			apr_psprintf(r->pool, "%" APR_TIME_T_FMT, timestamp));
}