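/*
 * get the metadata filename for a specified issuer (cq. urlencode it)
 *
 * Strips a leading "https://" or "http://" scheme and at most one trailing '/'
 * from the issuer, then passes the remainder through oidc_util_escape_string()
 * so it can serve as a file name. The result is allocated from r->pool; the
 * caller does not free it.
 *
 * Fix: the original did `p[n - 1]` unconditionally, so an issuer that is empty
 * after scheme stripping (e.g. exactly "https://") indexed one byte before the
 * buffer. The trailing-slash strip is now guarded on n > 0.
 *
 * NOTE(review): how well the result is neutralized as a path component (e.g.
 * whether '/' and '.' are encoded) depends on oidc_util_escape_string(), which
 * is not visible here — confirm before relying on this for issuers that are not
 * under the operator's control.
 */
static const char *oidc_metadata_issuer_to_filename(request_rec *r, const char *issuer) {
	static const char https_prefix[] = "https://";
	static const char http_prefix[] = "http://";
	const char *rest = issuer;

	/* strip a leading scheme; a prefix compare is what the original strstr()/pointer check amounted to */
	if (strncmp(issuer, https_prefix, sizeof(https_prefix) - 1) == 0) {
		rest = issuer + sizeof(https_prefix) - 1;
	} else if (strncmp(issuer, http_prefix, sizeof(http_prefix) - 1) == 0) {
		rest = issuer + sizeof(http_prefix) - 1;
	}

	/* work on a pool copy so the caller's string is never modified */
	char *p = apr_pstrdup(r->pool, rest);

	/* strip a single trailing '/', guarding the empty-string case */
	size_t n = strlen(p);
	if (n > 0 && p[n - 1] == '/') {
		p[n - 1] = '\0';
	}

	return oidc_util_escape_string(r, p);
}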
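/*
 * append "&<name>=<value>" to an authorization request under construction,
 * URL-encoding the value; returns the new pool-allocated string
 */
static char *oidc_proto_authorization_request_add_param(request_rec *r, char *request, const char *name, const char *value) {
	return apr_psprintf(r->pool, "%s&%s=%s", request, name, oidc_util_escape_string(r, value));
}

/*
 * send an OpenID Connect authorization request to the specified provider
 *
 * Builds the authorization request URL from the provider's authorization
 * endpoint plus the standard parameters (response_type, scope, client_id,
 * state, redirect_uri) and the optional ones that are set (nonce,
 * response_mode, login_hint, id_token_hint, prompt). Every value that goes
 * through oidc_proto_authorization_request_add_param() is URL-encoded;
 * provider->auth_request_params and auth_request_params are appended
 * verbatim, so they must already be URL-encoded "k=v&k2=v2" fragments and
 * must come from a trusted source (configuration or the caller).
 *
 * Returns HTTP_MOVED_TEMPORARILY after setting the Location header, or
 * whatever oidc_proto_authorization_request_post_preserve() returns when the
 * original request was a form POST that has to be preserved.
 *
 * NOTE(review): provider->authorization_endpoint_url and
 * proto_state->original_method are dereferenced without a NULL check;
 * presumably callers guarantee both are set — confirm.
 */
int oidc_proto_authorization_request(request_rec *r, struct oidc_provider_t *provider, const char *login_hint, const char *redirect_uri, const char *state, oidc_proto_state *proto_state, const char *id_token_hint, const char *auth_request_params) {

	/* log some stuff */
	oidc_debug(r, "enter, issuer=%s, redirect_uri=%s, original_url=%s, state=%s, nonce=%s", provider->issuer, redirect_uri, proto_state->original_url, state, proto_state->nonce);

	/* the endpoint may already carry a query string; pick the right separator for the first parameter */
	const char *separator = (strchr(provider->authorization_endpoint_url, '?') != NULL) ? "&" : "?";

	/* mandatory parameters, in the original order */
	char *authorization_request = apr_psprintf(r->pool, "%s%sresponse_type=%s", provider->authorization_endpoint_url, separator, oidc_util_escape_string(r, proto_state->response_type));
	authorization_request = oidc_proto_authorization_request_add_param(r, authorization_request, "scope", provider->scope);
	authorization_request = oidc_proto_authorization_request_add_param(r, authorization_request, "client_id", provider->client_id);
	authorization_request = oidc_proto_authorization_request_add_param(r, authorization_request, "state", state);
	authorization_request = oidc_proto_authorization_request_add_param(r, authorization_request, "redirect_uri", redirect_uri);

	/* add the nonce if set */
	if (proto_state->nonce != NULL)
		authorization_request = oidc_proto_authorization_request_add_param(r, authorization_request, "nonce", proto_state->nonce);

	/* add the response_mode if explicitly set */
	if (proto_state->response_mode != NULL)
		authorization_request = oidc_proto_authorization_request_add_param(r, authorization_request, "response_mode", proto_state->response_mode);

	/* add the login_hint if provided */
	if (login_hint != NULL)
		authorization_request = oidc_proto_authorization_request_add_param(r, authorization_request, "login_hint", login_hint);

	/* add the id_token_hint if provided */
	if (id_token_hint != NULL)
		authorization_request = oidc_proto_authorization_request_add_param(r, authorization_request, "id_token_hint", id_token_hint);

	/* add the prompt setting if provided (e.g. "none" for no-GUI checks) */
	if (proto_state->prompt != NULL)
		authorization_request = oidc_proto_authorization_request_add_param(r, authorization_request, "prompt", proto_state->prompt);

	/* add any statically configured custom authorization request parameters (appended verbatim, not escaped) */
	if (provider->auth_request_params != NULL)
		authorization_request = apr_psprintf(r->pool, "%s&%s", authorization_request, provider->auth_request_params);

	/* add any dynamically configured custom authorization request parameters (appended verbatim, not escaped) */
	if (auth_request_params != NULL)
		authorization_request = apr_psprintf(r->pool, "%s&%s", authorization_request, auth_request_params);

	/* preserve POSTed form parameters if enabled */
	if (apr_strnatcmp(proto_state->original_method, "form_post") == 0)
		return oidc_proto_authorization_request_post_preserve(r, authorization_request);

	/* add the redirect location header */
	apr_table_add(r->headers_out, "Location", authorization_request);

	/* some more logging (debug level: the URL contains state and nonce) */
	oidc_debug(r, "adding outgoing header: Location: %s", authorization_request);

	/* and tell Apache to return an HTTP Redirect (302) message */
	return HTTP_MOVED_TEMPORARILY;
}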