/*
* check the required parameters for the various flows on receipt of the authorization response
*/
apr_byte_t oidc_proto_validate_authorization_response(request_rec *r,
const char *response_type, const char *requested_response_mode,
char **code, char **id_token, char **access_token, char **token_type,
const char *used_response_mode) {
oidc_debug(r,
"enter, response_type=%s, requested_response_mode=%s, code=%s, id_token=%s, access_token=%s, token_type=%s, used_response_mode=%s",
response_type, requested_response_mode, *code, *id_token,
*access_token, *token_type, used_response_mode);
/* check the requested response mode against the one used by the OP */
if ((requested_response_mode != NULL)
&& (strcmp(requested_response_mode, used_response_mode)) != 0) {
/*
* only warn because I'm not sure that most OPs will respect a requested
* response_mode and rather use the default for the flow
*/
oidc_warn(r,
"requested response_mode is \"%s\" the provider used \"%s\" for the authorization response...",
requested_response_mode, used_response_mode);
}
/*
* check code parameter
*/
if (oidc_util_spaced_string_contains(r->pool, response_type, "code")) {
if (*code == NULL) {
oidc_error(r,
"requested flow is \"%s\" but no \"code\" parameter found in the authorization response",
response_type);
return FALSE;
}
} else {
if (*code != NULL) {
oidc_warn(r,
"requested flow is \"%s\" but there is a \"code\" parameter in the authorization response that will be dropped",
response_type);
*code = NULL;
}
}
/*
* check id_token parameter
*/
if (oidc_util_spaced_string_contains(r->pool, response_type, "id_token")) {
if (*id_token == NULL) {
oidc_error(r,
"requested flow is \"%s\" but no \"id_token\" parameter found in the authorization response",
response_type);
return FALSE;
}
} else {
if (*id_token != NULL) {
oidc_warn(r,
"requested flow is \"%s\" but there is an \"id_token\" parameter in the authorization response that will be dropped",
response_type);
*id_token = NULL;
}
}
/*
* check access_token parameter
*/
if (oidc_util_spaced_string_contains(r->pool, response_type, "token")) {
if (*access_token == NULL) {
oidc_error(r,
"requested flow is \"%s\" but no \"access_token\" parameter found in the authorization response",
response_type);
return FALSE;
}
if (*token_type == NULL) {
oidc_error(r,
"requested flow is \"%s\" but no \"token_type\" parameter found in the authorization response",
response_type);
return FALSE;
}
} else {
if (*access_token != NULL) {
oidc_warn(r,
"requested flow is \"%s\" but there is an \"access_token\" parameter in the authorization response that will be dropped",
response_type);
*access_token = NULL;
}
if (*token_type != NULL) {
oidc_warn(r,
"requested flow is \"%s\" but there is a \"token_type\" parameter in the authorization response that will be dropped",
response_type);
*token_type = NULL;
}
}
return TRUE;
}
/*
* check the required parameters for the various flows after resolving the authorization code
*/
apr_byte_t oidc_proto_validate_code_response(request_rec *r,
const char *response_type, char **id_token, char **access_token,
char **token_type) {
oidc_debug(r, "enter");
/*
* check id_token parameter
*/
if (!oidc_util_spaced_string_contains(r->pool, response_type, "id_token")) {
if (*id_token == NULL) {
oidc_error(r,
"requested flow is \"%s\" but no \"id_token\" parameter found in the code response",
response_type);
return FALSE;
}
} else {
if (*id_token != NULL) {
oidc_warn(r,
"requested flow is \"%s\" but there is an \"id_token\" parameter in the code response that will be dropped",
response_type);
*id_token = NULL;
}
}
/*
* check access_token parameter
*/
if (!oidc_util_spaced_string_contains(r->pool, response_type, "token")) {
if (*access_token == NULL) {
oidc_error(r,
"requested flow is \"%s\" but no \"access_token\" parameter found in the code response",
response_type);
return FALSE;
}
if (*token_type == NULL) {
oidc_error(r,
"requested flow is \"%s\" but no \"token_type\" parameter found in the code response",
response_type);
return FALSE;
}
} else {
if (*access_token != NULL) {
oidc_warn(r,
"requested flow is \"%s\" but there is an \"access_token\" parameter in the code response that will be dropped",
response_type);
*access_token = NULL;
}
if (*token_type != NULL) {
oidc_warn(r,
"requested flow is \"%s\" but there is a \"token_type\" parameter in the code response that will be dropped",
response_type);
*token_type = NULL;
}
}
return TRUE;
}
/*
* check the required parameters for the various flows after resolving the authorization code
*/
apr_byte_t oidc_proto_validate_code_response(request_rec *r,
const char *response_type, char **id_token, char **access_token,
char **token_type) {
ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r,
"oidc_proto_validate_code_response: entering");
/*
* check id_token parameter
*/
if (!oidc_util_spaced_string_contains(r->pool, response_type, "id_token")) {
if (*id_token == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"oidc_proto_validate_code_response: requested flow is \"%s\" but no \"id_token\" parameter found in the code response",
response_type);
return FALSE;
}
} else {
if (*id_token != NULL) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
"oidc_proto_validate_code_response: requested flow is \"%s\" but there is an \"id_token\" parameter in the code response that will be dropped",
response_type);
*id_token = NULL;
}
}
/*
* check access_token parameter
*/
if (!oidc_util_spaced_string_contains(r->pool, response_type, "token")) {
if (*access_token == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"oidc_proto_validate_code_response: requested flow is \"%s\" but no \"access_token\" parameter found in the code response",
response_type);
return FALSE;
}
if (*token_type == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"oidc_proto_validate_code_response: requested flow is \"%s\" but no \"token_type\" parameter found in the code response",
response_type);
return FALSE;
}
} else {
if (*access_token != NULL) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
"oidc_proto_validate_code_response: requested flow is \"%s\" but there is an \"access_token\" parameter in the authorization response that will be dropped",
response_type);
*access_token = NULL;
}
if (*token_type != NULL) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
"oidc_proto_validate_code_response: requested flow is \"%s\" but there is a \"token_type\" parameter in the authorization response that will be dropped",
response_type);
*token_type = NULL;
}
}
return TRUE;
}
