/*
* save a session to cache/cookie
*/
apr_byte_t oidc_session_save(request_rec *r, oidc_session_t *z,
apr_byte_t first_time) {
oidc_cfg *c = ap_get_module_config(r->server->module_config,
&auth_openidc_module);
apr_byte_t rc = FALSE;
const char *p_tb_id = oidc_util_get_provided_token_binding_id(r);
if (z->state != NULL) {
oidc_session_set(r, z, OIDC_SESSION_REMOTE_USER_KEY, z->remote_user);
json_object_set_new(z->state, OIDC_SESSION_EXPIRY_KEY,
json_integer(apr_time_sec(z->expiry)));
if ((first_time) && (p_tb_id != NULL)) {
oidc_debug(r,
"Provided Token Binding ID environment variable found; adding its value to the session state");
oidc_session_set(r, z, OIDC_SESSION_PROVIDED_TOKEN_BINDING_KEY,
p_tb_id);
}
}
if (c->session_type == OIDC_SESSION_TYPE_SERVER_CACHE)
/* store the session in the cache */
rc = oidc_session_save_cache(r, z, first_time);
/* if we get here we configured client-cookie or saving in the cache failed */
if ((c->session_type == OIDC_SESSION_TYPE_CLIENT_COOKIE)
|| ((rc == FALSE) && oidc_cfg_session_cache_fallback_to_cookie(r)))
/* store the session in a self-contained cookie */
rc = oidc_session_save_cookie(r, z, first_time);
return rc;
}
apr_status_t oidc_session_save(request_rec *r, session_rec *z) {
oidc_session_set(r, z, OIDC_SESSION_REMOTE_USER_KEY, z->remote_user);
char key[APR_UUID_FORMATTED_LENGTH + 1];
apr_uuid_format((char *) &key, z->uuid);
oidc_debug(r, "%s", key);
oidc_session_set(r, z, OIDC_SESSION_UUID_KEY, key);
return ap_session_save_fn(r, z);
}
/*
* access token expires
*/
void oidc_session_set_access_token_expires(request_rec *r, oidc_session_t *z,
const int expires_in) {
if (expires_in != -1) {
oidc_session_set(r, z, OIDC_SESSION_KEY_ACCESSTOKEN_EXPIRES,
apr_psprintf(r->pool, "%" APR_TIME_T_FMT,
apr_time_sec(apr_time_now()) + expires_in));
}
}
void oidc_session_set_filtered_claims(request_rec *r, oidc_session_t *z,
const char *session_key, const char *claims) {
oidc_cfg *c = ap_get_module_config(r->server->module_config,
&auth_openidc_module);
const char *name;
json_t *src = NULL, *dst = NULL, *value = NULL;
void *iter = NULL;
apr_byte_t is_allowed;
if (oidc_util_decode_json_object(r, claims, &src) == FALSE)
return;
dst = json_object();
iter = json_object_iter(src);
while (iter) {
is_allowed = TRUE;
name = json_object_iter_key(iter);
value = json_object_iter_value(iter);
if ((c->black_listed_claims != NULL)
&& (apr_hash_get(c->black_listed_claims, name,
APR_HASH_KEY_STRING) != NULL)) {
oidc_debug(r, "removing blacklisted claim [%s]: '%s'", session_key,
name);
is_allowed = FALSE;
}
if ((is_allowed == TRUE) && (c->white_listed_claims != NULL)
&& (apr_hash_get(c->white_listed_claims, name,
APR_HASH_KEY_STRING) == NULL)) {
oidc_debug(r, "removing non-whitelisted claim [%s]: '%s'",
session_key, name);
is_allowed = FALSE;
}
if (is_allowed == TRUE)
json_object_set(dst, name, value);
iter = json_object_iter_next(src, iter);
}
char *filtered_claims = oidc_util_encode_json_object(r, dst, JSON_COMPACT);
json_decref(dst);
json_decref(src);
oidc_session_set(r, z, session_key, filtered_claims);
}
/*
* save the session to the cache using a cookie for the index
*/
static apr_byte_t oidc_session_save_cache(request_rec *r, oidc_session_t *z,
apr_byte_t first_time) {
oidc_cfg *c = ap_get_module_config(r->server->module_config,
&auth_openidc_module);
apr_byte_t rc = TRUE;
if (z->state != NULL) {
if (apr_strnatcmp(z->uuid, "") == 0) {
/* get a new uuid for this session */
oidc_session_uuid_new(r, z);
/* store the session id in the cache value so it allows us to detect cache corruption */
oidc_session_set(r, z, OIDC_SESSION_SESSION_ID, z->uuid);
}
/* store the string-encoded session in the cache; encryption depends on cache backend settings */
char *s_value = NULL;
if (oidc_session_encode(r, c, z, &s_value, FALSE) == FALSE)
return FALSE;
rc = oidc_cache_set_session(r, z->uuid, s_value, z->expiry);
if (rc == TRUE)
/* set the uuid in the cookie */
oidc_util_set_cookie(r, oidc_cfg_dir_cookie(r), z->uuid,
c->persistent_session_cookie ? z->expiry : -1,
c->cookie_same_site ?
(first_time ?
OIDC_COOKIE_EXT_SAME_SITE_LAX :
OIDC_COOKIE_EXT_SAME_SITE_STRICT) :
NULL);
} else {
/* clear the cookie */
oidc_util_set_cookie(r, oidc_cfg_dir_cookie(r), "", 0, NULL);
/* remove the session from the cache */
rc = oidc_cache_set_session(r, z->uuid, NULL, 0);
}
return rc;
}
/*
* logout endpoint URL
*/
void oidc_session_set_logout_endpoint(request_rec *r, oidc_session_t *z,
const char *logout_endpoint) {
oidc_session_set(r, z, OIDC_SESSION_KEY_LOGOUT_ENDPOINT, logout_endpoint);
}
/*
* check session iframe URL
*/
void oidc_session_set_check_session_iframe(request_rec *r, oidc_session_t *z,
const char *check_session_iframe) {
oidc_session_set(r, z, OIDC_SESSION_KEY_CHECK_SESSION_IFRAME,
check_session_iframe);
}
/*
* client_id
*/
void oidc_session_set_client_id(request_rec *r, oidc_session_t *z,
const char *client_id) {
oidc_session_set(r, z, OIDC_SESSION_KEY_CLIENT_ID, client_id);
}
/*
* issuer
*/
void oidc_session_set_issuer(request_rec *r, oidc_session_t *z,
const char *issuer) {
oidc_session_set(r, z, OIDC_SESSION_KEY_ISSUER, issuer);
}
/*
* session state
*/
void oidc_session_set_session_state(request_rec *r, oidc_session_t *z,
const char *session_state) {
oidc_session_set(r, z, OIDC_SESSION_KEY_SESSION_STATE, session_state);
}
/*
* original url
*/
void oidc_session_set_original_url(request_rec *r, oidc_session_t *z,
const char *original_url) {
oidc_session_set(r, z, OIDC_SESSION_KEY_ORIGINAL_URL, original_url);
}
/*
* cookie domain
*/
void oidc_session_set_cookie_domain(request_rec *r, oidc_session_t *z,
const char *cookie_domain) {
oidc_session_set(r, z, OIDC_SESSION_KEY_COOKIE_DOMAIN, cookie_domain);
}
/*
* refresh token
*/
void oidc_session_set_refresh_token(request_rec *r, oidc_session_t *z,
const char *refresh_token) {
oidc_session_set(r, z, OIDC_SESSION_KEY_REFRESH_TOKEN, refresh_token);
}
/*
* access token
*/
void oidc_session_set_access_token(request_rec *r, oidc_session_t *z,
const char *access_token) {
oidc_session_set(r, z, OIDC_SESSION_KEY_ACCESSTOKEN, access_token);
}
/*
* compact serialized id_token
*/
void oidc_session_set_idtoken(request_rec *r, oidc_session_t *z,
const char *s_id_token) {
oidc_session_set(r, z, OIDC_SESSION_KEY_IDTOKEN, s_id_token);
}
void oidc_session_set_userinfo_jwt(request_rec *r, oidc_session_t *z,
const char *s_userinfo_jwt) {
oidc_session_set(r, z, OIDC_SESSION_KEY_USERINFO_JWT, s_userinfo_jwt);
}
static void oidc_session_set_timestamp(request_rec *r, oidc_session_t *z,
const char *key, const apr_time_t timestamp) {
if (timestamp != -1)
oidc_session_set(r, z, key,
apr_psprintf(r->pool, "%" APR_TIME_T_FMT, timestamp));
}
