/*
 * Write the pieces of bookkeeping that every stored session must carry:
 * the authenticated principal, the expiry (in seconds since the epoch) and,
 * on the very first save only, the Token Binding ID the web server provided
 * for this request (if any).
 *
 * Does nothing when the session has no state to store.
 */
static void oidc_session_save_prepare_state(request_rec *r, oidc_session_t *z,
		apr_byte_t first_time, const char *tb_id) {
	if (z->state == NULL)
		return;

	oidc_session_set(r, z, OIDC_SESSION_REMOTE_USER_KEY, z->remote_user);
	json_object_set_new(z->state, OIDC_SESSION_EXPIRY_KEY,
			json_integer(apr_time_sec(z->expiry)));

	/* the binding is recorded once, when the session is created */
	if (first_time && (tb_id != NULL)) {
		oidc_debug(r,
				"Provided Token Binding ID environment variable found; adding its value to the session state");
		oidc_session_set(r, z, OIDC_SESSION_PROVIDED_TOKEN_BINDING_KEY,
				tb_id);
	}
}

/*
 * Persist the session either in the server-side cache or in a self-contained
 * client cookie, as selected by the configured session type.
 *
 * r          current request (also supplies the module configuration)
 * z          session to store; a NULL z->state means "nothing to store"
 * first_time TRUE when the session is being created rather than updated
 *
 * Returns TRUE when the selected store reported success, FALSE otherwise.
 * A failed cache write may be retried with the cookie store when the
 * cache-fallback-to-cookie option is enabled.
 */
apr_byte_t oidc_session_save(request_rec *r, oidc_session_t *z,
		apr_byte_t first_time) {
	oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
			&auth_openidc_module);
	const char *tb_id = oidc_util_get_provided_token_binding_id(r);
	apr_byte_t saved = FALSE;

	oidc_session_save_prepare_state(r, z, first_time, tb_id);

	const int use_cache = (cfg->session_type == OIDC_SESSION_TYPE_SERVER_CACHE);
	const int use_cookie = (cfg->session_type == OIDC_SESSION_TYPE_CLIENT_COOKIE);

	if (use_cache)
		saved = oidc_session_save_cache(r, z, first_time);

	/* cookie store: either configured directly, or as fallback after a failed cache write */
	if (use_cookie
			|| ((saved == FALSE) && oidc_cfg_session_cache_fallback_to_cookie(r)))
		saved = oidc_session_save_cookie(r, z, first_time);

	return saved;
}
/*
 * Store the session through the Apache mod_session save hook, after recording
 * the REMOTE_USER and the textual session UUID in the session payload.
 *
 * NOTE: the session UUID is written to the debug log; debug logs therefore
 * contain session identifiers and should be protected accordingly.
 *
 * Returns whatever ap_session_save_fn reports.
 */
apr_status_t oidc_session_save(request_rec *r, session_rec *z) {
	/* sized for the formatted UUID plus its terminator */
	char uuid_str[APR_UUID_FORMATTED_LENGTH + 1];

	oidc_session_set(r, z, OIDC_SESSION_REMOTE_USER_KEY, z->remote_user);

	/* render the binary UUID to text; the array decays to char* on its own */
	apr_uuid_format(uuid_str, z->uuid);
	oidc_debug(r, "%s", uuid_str);
	oidc_session_set(r, z, OIDC_SESSION_UUID_KEY, uuid_str);

	return ap_session_save_fn(r, z);
}
/*
 * Record the absolute expiry of the access token, computed as "now" (in
 * seconds since the epoch) plus its relative lifetime.
 *
 * r          current request; its pool backs the formatted value
 * z          session to update
 * expires_in lifetime in seconds; -1 means "not known" and leaves the
 *            session untouched
 */
void oidc_session_set_access_token_expires(request_rec *r, oidc_session_t *z,
		const int expires_in) {
	if (expires_in == -1)
		return;

	apr_time_t expires_at = apr_time_sec(apr_time_now()) + expires_in;
	oidc_session_set(r, z, OIDC_SESSION_KEY_ACCESSTOKEN_EXPIRES,
			apr_psprintf(r->pool, "%" APR_TIME_T_FMT, expires_at));
}
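/*
 * Decide whether a single claim may be copied into the session.
 *
 * A claim is dropped when it appears on the configured blacklist, or when a
 * whitelist is configured and the claim is not on it. Each rejection is
 * logged at debug level together with the session key being filled.
 *
 * Returns TRUE when the claim is allowed, FALSE when it must be dropped.
 */
static apr_byte_t oidc_session_claim_is_allowed(request_rec *r, oidc_cfg *c,
		const char *session_key, const char *name) {
	if ((c->black_listed_claims != NULL)
			&& (apr_hash_get(c->black_listed_claims, name,
					APR_HASH_KEY_STRING) != NULL)) {
		oidc_debug(r, "removing blacklisted claim [%s]: '%s'", session_key,
				name);
		return FALSE;
	}

	if ((c->white_listed_claims != NULL)
			&& (apr_hash_get(c->white_listed_claims, name,
					APR_HASH_KEY_STRING) == NULL)) {
		oidc_debug(r, "removing non-whitelisted claim [%s]: '%s'",
				session_key, name);
		return FALSE;
	}

	return TRUE;
}

/*
 * Store a JSON object of claims under session_key, keeping only the claims
 * that pass the configured blacklist/whitelist filter. Filtering here keeps
 * claims the deployment did not ask for out of the stored session.
 *
 * r           current request (also supplies the module configuration)
 * z           session to update
 * session_key key under which the filtered, compact-encoded object is stored
 * claims      JSON-encoded object of claims; the function returns without
 *             touching the session when it cannot be decoded
 */
void oidc_session_set_filtered_claims(request_rec *r, oidc_session_t *z,
		const char *session_key, const char *claims) {
	oidc_cfg *c = ap_get_module_config(r->server->module_config,
			&auth_openidc_module);

	json_t *src = NULL;
	json_t *dst = NULL;
	void *iter = NULL;

	if (oidc_util_decode_json_object(r, claims, &src) == FALSE)
		return;

	/* NOTE(review): the result of json_object() is not checked; on allocation failure dst stays NULL — confirm the encoder tolerates that */
	dst = json_object();

	for (iter = json_object_iter(src); iter != NULL;
			iter = json_object_iter_next(src, iter)) {
		const char *name = json_object_iter_key(iter);
		/* json_object_set borrows the value (reference count bump), so src keeps ownership */
		if (oidc_session_claim_is_allowed(r, c, session_key, name) == TRUE)
			json_object_set(dst, name, json_object_iter_value(iter));
	}

	char *filtered_claims = oidc_util_encode_json_object(r, dst, JSON_COMPACT);
	json_decref(dst);
	json_decref(src);
	oidc_session_set(r, z, session_key, filtered_claims);
}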
/*
 * Persist the session in the server-side cache, indexed by the session UUID
 * that is handed to the client in the session cookie.
 *
 * A session without state is treated as a logout: the client's cookie is
 * cleared and the cache entry removed.
 *
 * r          current request (also supplies the module configuration)
 * z          session to store; z->uuid is minted here when still empty
 * first_time TRUE when the session is being created rather than updated
 *
 * Returns the result of the cache write; FALSE also when serialization of
 * the session fails.
 */
static apr_byte_t oidc_session_save_cache(request_rec *r, oidc_session_t *z,
		apr_byte_t first_time) {
	oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
			&auth_openidc_module);
	char *encoded = NULL;
	apr_byte_t ok = TRUE;

	if (z->state == NULL) {
		/* nothing to keep: drop the cookie on the client and the entry in the cache */
		oidc_util_set_cookie(r, oidc_cfg_dir_cookie(r), "", 0, NULL);
		return oidc_cache_set_session(r, z->uuid, NULL, 0);
	}

	if (apr_strnatcmp(z->uuid, "") == 0) {
		/* fresh session: mint an id and embed it in the value so a mismatch can reveal cache corruption */
		oidc_session_uuid_new(r, z);
		oidc_session_set(r, z, OIDC_SESSION_SESSION_ID, z->uuid);
	}

	/* serialize the session; whether the value is encrypted is decided by the cache backend settings */
	if (oidc_session_encode(r, cfg, z, &encoded, FALSE) == FALSE)
		return FALSE;

	ok = oidc_cache_set_session(r, z->uuid, encoded, z->expiry);
	if (ok != TRUE)
		return ok;

	/* hand the index to the client; cookie lifetime and SameSite follow the directory configuration */
	apr_time_t cookie_expiry = cfg->persistent_session_cookie ? z->expiry : -1;
	const char *same_site = NULL;
	if (cfg->cookie_same_site) {
		/* presumably Lax on creation because the first save happens on the cross-site return from the provider — verify against the callback handler */
		same_site = first_time ?
				OIDC_COOKIE_EXT_SAME_SITE_LAX : OIDC_COOKIE_EXT_SAME_SITE_STRICT;
	}
	oidc_util_set_cookie(r, oidc_cfg_dir_cookie(r), z->uuid, cookie_expiry,
			same_site);

	return ok;
}
/**
 * Record the provider's logout endpoint URL in the session.
 *
 * @param r               current request
 * @param z               session to update
 * @param logout_endpoint URL stored under OIDC_SESSION_KEY_LOGOUT_ENDPOINT
 */
void oidc_session_set_logout_endpoint(request_rec *r, oidc_session_t *z,
		const char *logout_endpoint) {
	oidc_session_set(r, z, OIDC_SESSION_KEY_LOGOUT_ENDPOINT, logout_endpoint);
}
/**
 * Record the provider's check-session iframe URL in the session.
 *
 * @param r                    current request
 * @param z                    session to update
 * @param check_session_iframe URL stored under OIDC_SESSION_KEY_CHECK_SESSION_IFRAME
 */
void oidc_session_set_check_session_iframe(request_rec *r, oidc_session_t *z,
		const char *check_session_iframe) {
	oidc_session_set(r, z, OIDC_SESSION_KEY_CHECK_SESSION_IFRAME,
			check_session_iframe);
}
/**
 * Record the client_id used for this session.
 *
 * @param r         current request
 * @param z         session to update
 * @param client_id value stored under OIDC_SESSION_KEY_CLIENT_ID
 */
void oidc_session_set_client_id(request_rec *r, oidc_session_t *z,
		const char *client_id) {
	oidc_session_set(r, z, OIDC_SESSION_KEY_CLIENT_ID, client_id);
}
/**
 * Record the issuer identifier of the provider that authenticated this session.
 *
 * @param r      current request
 * @param z      session to update
 * @param issuer value stored under OIDC_SESSION_KEY_ISSUER
 */
void oidc_session_set_issuer(request_rec *r, oidc_session_t *z,
		const char *issuer) {
	oidc_session_set(r, z, OIDC_SESSION_KEY_ISSUER, issuer);
}
/**
 * Record the provider-supplied session_state value in the session.
 *
 * @param r             current request
 * @param z             session to update
 * @param session_state value stored under OIDC_SESSION_KEY_SESSION_STATE
 */
void oidc_session_set_session_state(request_rec *r, oidc_session_t *z,
		const char *session_state) {
	oidc_session_set(r, z, OIDC_SESSION_KEY_SESSION_STATE, session_state);
}
/**
 * Record the URL originally requested by the user in the session.
 *
 * @param r            current request
 * @param z            session to update
 * @param original_url value stored under OIDC_SESSION_KEY_ORIGINAL_URL
 */
void oidc_session_set_original_url(request_rec *r, oidc_session_t *z,
		const char *original_url) {
	oidc_session_set(r, z, OIDC_SESSION_KEY_ORIGINAL_URL, original_url);
}
/**
 * Record the cookie domain associated with this session.
 *
 * @param r             current request
 * @param z             session to update
 * @param cookie_domain value stored under OIDC_SESSION_KEY_COOKIE_DOMAIN
 */
void oidc_session_set_cookie_domain(request_rec *r, oidc_session_t *z,
		const char *cookie_domain) {
	oidc_session_set(r, z, OIDC_SESSION_KEY_COOKIE_DOMAIN, cookie_domain);
}
/**
 * Record the refresh token in the session. The token is a long-lived
 * credential; how it is protected at rest depends on the session store.
 *
 * @param r             current request
 * @param z             session to update
 * @param refresh_token value stored under OIDC_SESSION_KEY_REFRESH_TOKEN
 */
void oidc_session_set_refresh_token(request_rec *r, oidc_session_t *z,
		const char *refresh_token) {
	oidc_session_set(r, z, OIDC_SESSION_KEY_REFRESH_TOKEN, refresh_token);
}
/**
 * Record the access token in the session.
 *
 * @param r            current request
 * @param z            session to update
 * @param access_token value stored under OIDC_SESSION_KEY_ACCESSTOKEN
 */
void oidc_session_set_access_token(request_rec *r, oidc_session_t *z,
		const char *access_token) {
	oidc_session_set(r, z, OIDC_SESSION_KEY_ACCESSTOKEN, access_token);
}
/**
 * Record the compact-serialized id_token in the session.
 *
 * @param r          current request
 * @param z          session to update
 * @param s_id_token serialized token stored under OIDC_SESSION_KEY_IDTOKEN
 */
void oidc_session_set_idtoken(request_rec *r, oidc_session_t *z,
		const char *s_id_token) {
	oidc_session_set(r, z, OIDC_SESSION_KEY_IDTOKEN, s_id_token);
}
/**
 * Record the serialized userinfo JWT in the session.
 *
 * @param r              current request
 * @param z              session to update
 * @param s_userinfo_jwt serialized JWT stored under OIDC_SESSION_KEY_USERINFO_JWT
 */
void oidc_session_set_userinfo_jwt(request_rec *r, oidc_session_t *z,
		const char *s_userinfo_jwt) {
	oidc_session_set(r, z, OIDC_SESSION_KEY_USERINFO_JWT, s_userinfo_jwt);
}
/*
 * Store a timestamp under the given session key, formatted with the
 * apr_time_t format specifier. A timestamp of -1 means "unset" and leaves
 * the session untouched.
 *
 * r         current request; its pool backs the formatted value
 * z         session to update
 * key       session key to write
 * timestamp value to format, or -1 to skip
 */
static void oidc_session_set_timestamp(request_rec *r, oidc_session_t *z,
		const char *key, const apr_time_t timestamp) {
	if (timestamp == -1)
		return;

	const char *formatted = apr_psprintf(r->pool, "%" APR_TIME_T_FMT, timestamp);
	oidc_session_set(r, z, key, formatted);
}