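/*
 * check the required parameters for the various flows on receipt of the authorization response
 *
 * r                        current request; used for logging and for r->pool
 * response_type            the requested response_type, matched token by token with
 *                          oidc_util_spaced_string_contains
 * requested_response_mode  the response_mode that was requested, or NULL when none was
 * code, id_token, access_token, token_type
 *                          in/out: the values taken from the authorization response; a
 *                          value the requested flow does not call for is reset to NULL
 * used_response_mode       the response_mode the provider actually used
 *
 * returns TRUE when every parameter required by response_type is present and
 * FALSE, after logging an error, as soon as a required one is missing
 */
apr_byte_t oidc_proto_validate_authorization_response(request_rec *r,
		const char *response_type, const char *requested_response_mode,
		char **code, char **id_token, char **access_token, char **token_type,
		const char *used_response_mode) {

	/*
	 * the authorization code, id_token and access_token are credentials: log only
	 * whether each one is present, so that their values do not end up in the debug log
	 */
	oidc_debug(r,
			"enter, response_type=%s, requested_response_mode=%s, code=%s, id_token=%s, access_token=%s, token_type=%s, used_response_mode=%s",
			response_type, requested_response_mode,
			(*code != NULL) ? "[present]" : "[absent]",
			(*id_token != NULL) ? "[present]" : "[absent]",
			(*access_token != NULL) ? "[present]" : "[absent]",
			*token_type, used_response_mode);

	/* check the requested response mode against the one used by the OP */
	if (requested_response_mode != NULL) {
		/* strcmp() must not be handed a NULL pointer: a missing used mode counts as a mismatch */
		if ((used_response_mode == NULL)
				|| (strcmp(requested_response_mode, used_response_mode) != 0)) {
			/*
			 * only warn because I'm not sure that most OPs will respect a requested
			 * response_mode and rather use the default for the flow
			 *
			 * NOTE(review): a mismatch is therefore not enforced here; a deployment that
			 * depends on a particular response_mode has to enforce it elsewhere
			 */
			oidc_warn(r,
					"requested response_mode is \"%s\" the provider used \"%s\" for the authorization response...",
					requested_response_mode,
					(used_response_mode != NULL) ? used_response_mode : "(none)");
		}
	}

	/*
	 * check code parameter
	 */
	if (oidc_util_spaced_string_contains(r->pool, response_type, "code")) {
		if (*code == NULL) {
			oidc_error(r,
					"requested flow is \"%s\" but no \"code\" parameter found in the authorization response",
					response_type);
			return FALSE;
		}
	} else {
		/* a code that was not asked for is discarded so that callers cannot act on it */
		if (*code != NULL) {
			oidc_warn(r,
					"requested flow is \"%s\" but there is a \"code\" parameter in the authorization response that will be dropped",
					response_type);
			*code = NULL;
		}
	}

	/*
	 * check id_token parameter
	 */
	if (oidc_util_spaced_string_contains(r->pool, response_type, "id_token")) {
		if (*id_token == NULL) {
			oidc_error(r,
					"requested flow is \"%s\" but no \"id_token\" parameter found in the authorization response",
					response_type);
			return FALSE;
		}
	} else {
		if (*id_token != NULL) {
			oidc_warn(r,
					"requested flow is \"%s\" but there is an \"id_token\" parameter in the authorization response that will be dropped",
					response_type);
			*id_token = NULL;
		}
	}

	/*
	 * check access_token parameter; an access_token is only accepted together with its token_type
	 */
	if (oidc_util_spaced_string_contains(r->pool, response_type, "token")) {
		if (*access_token == NULL) {
			oidc_error(r,
					"requested flow is \"%s\" but no \"access_token\" parameter found in the authorization response",
					response_type);
			return FALSE;
		}
		if (*token_type == NULL) {
			oidc_error(r,
					"requested flow is \"%s\" but no \"token_type\" parameter found in the authorization response",
					response_type);
			return FALSE;
		}
	} else {
		if (*access_token != NULL) {
			oidc_warn(r,
					"requested flow is \"%s\" but there is an \"access_token\" parameter in the authorization response that will be dropped",
					response_type);
			*access_token = NULL;
		}
		if (*token_type != NULL) {
			oidc_warn(r,
					"requested flow is \"%s\" but there is a \"token_type\" parameter in the authorization response that will be dropped",
					response_type);
			*token_type = NULL;
		}
	}

	return TRUE;
}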
/*
 * check the required parameters for the various flows after resolving the authorization code
 *
 * response_type is the requested response_type; id_token, access_token and
 * token_type are in/out pointers to the values obtained from the code response
 *
 * a value whose name is NOT part of response_type has to be present in the code
 * response; a value whose name IS part of response_type is reset to NULL when
 * the code response carries it anyway (presumably because the authorization
 * response already supplied it - confirm against the caller)
 *
 * returns TRUE when all required values are present, FALSE after logging an
 * error for the first missing one
 */
apr_byte_t oidc_proto_validate_code_response(request_rec *r,
        const char *response_type, char **id_token, char **access_token,
        char **token_type) {

    oidc_debug(r, "enter");

    /* id_token: discard it when response_type names it, require it otherwise */
    if (oidc_util_spaced_string_contains(r->pool, response_type, "id_token")) {
        if (*id_token != NULL) {
            oidc_warn(r,
                    "requested flow is \"%s\" but there is an \"id_token\" parameter in the code response that will be dropped",
                    response_type);
            *id_token = NULL;
        }
    } else if (*id_token == NULL) {
        oidc_error(r,
                "requested flow is \"%s\" but no \"id_token\" parameter found in the code response",
                response_type);
        return FALSE;
    }

    /* access_token and token_type: discard both when response_type names "token" */
    if (oidc_util_spaced_string_contains(r->pool, response_type, "token")) {
        if (*access_token != NULL) {
            oidc_warn(r,
                    "requested flow is \"%s\" but there is an \"access_token\" parameter in the code response that will be dropped",
                    response_type);
            *access_token = NULL;
        }
        if (*token_type != NULL) {
            oidc_warn(r,
                    "requested flow is \"%s\" but there is a \"token_type\" parameter in the code response that will be dropped",
                    response_type);
            *token_type = NULL;
        }
        return TRUE;
    }

    /* "token" was not requested up front, so the code response must supply both values */
    if (*access_token == NULL) {
        oidc_error(r,
                "requested flow is \"%s\" but no \"access_token\" parameter found in the code response",
                response_type);
        return FALSE;
    }
    if (*token_type == NULL) {
        oidc_error(r,
                "requested flow is \"%s\" but no \"token_type\" parameter found in the code response",
                response_type);
        return FALSE;
    }

    return TRUE;
}
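/*
 * check the required parameters for the various flows after resolving the authorization code
 *
 * response_type is the requested response_type; id_token, access_token and
 * token_type are in/out pointers to the values obtained from the code response
 *
 * a value whose name is NOT part of response_type has to be present in the code
 * response; a value whose name IS part of response_type is reset to NULL when
 * the code response carries it anyway
 *
 * returns TRUE when all required values are present, FALSE after logging an
 * error for the first missing one
 */
apr_byte_t oidc_proto_validate_code_response(request_rec *r,
		const char *response_type, char **id_token, char **access_token,
		char **token_type) {

	ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r,
			"oidc_proto_validate_code_response: entering");

	/*
	 * check id_token parameter
	 */
	if (!oidc_util_spaced_string_contains(r->pool, response_type, "id_token")) {
		if (*id_token == NULL) {
			ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
					"oidc_proto_validate_code_response: requested flow is \"%s\" but no \"id_token\" parameter found in the code response",
					response_type);
			return FALSE;
		}
	} else {
		if (*id_token != NULL) {
			ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
					"oidc_proto_validate_code_response: requested flow is \"%s\" but there is an \"id_token\" parameter in the code response that will be dropped",
					response_type);
			*id_token = NULL;
		}
	}

	/*
	 * check access_token parameter; an access_token is only accepted together with its token_type
	 */
	if (!oidc_util_spaced_string_contains(r->pool, response_type, "token")) {
		if (*access_token == NULL) {
			ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
					"oidc_proto_validate_code_response: requested flow is \"%s\" but no \"access_token\" parameter found in the code response",
					response_type);
			return FALSE;
		}
		if (*token_type == NULL) {
			ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
					"oidc_proto_validate_code_response: requested flow is \"%s\" but no \"token_type\" parameter found in the code response",
					response_type);
			return FALSE;
		}
	} else {
		/*
		 * the values dropped here come from the code response, so the messages name
		 * that response; this keeps the log unambiguous about which endpoint
		 * returned the unexpected token
		 */
		if (*access_token != NULL) {
			ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
					"oidc_proto_validate_code_response: requested flow is \"%s\" but there is an \"access_token\" parameter in the code response that will be dropped",
					response_type);
			*access_token = NULL;
		}
		if (*token_type != NULL) {
			ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
					"oidc_proto_validate_code_response: requested flow is \"%s\" but there is a \"token_type\" parameter in the code response that will be dropped",
					response_type);
			*token_type = NULL;
		}
	}

	return TRUE;
}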