/*
* resolve and validate an access_token against the configured Authorization Server
*/
static apr_byte_t oidc_oauth_resolve_access_token(request_rec *r, oidc_cfg *c,
const char *access_token, json_t **token, char **response) {
json_t *result = NULL;
const char *json = NULL;
/* see if we've got the claims for this access_token cached already */
c->cache->get(r, OIDC_CACHE_SECTION_ACCESS_TOKEN, access_token, &json);
if (json == NULL) {
/* not cached, go out and validate the access_token against the Authorization server and get the JSON claims back */
if (oidc_oauth_validate_access_token(r, c, access_token, &json) == FALSE) {
oidc_error(r,
"could not get a validation response from the Authorization server");
return FALSE;
}
/* decode and see if it is not an error response somehow */
if (oidc_util_decode_json_and_check_error(r, json, &result) == FALSE)
return FALSE;
json_t *active = json_object_get(result, "active");
apr_time_t cache_until;
if (active != NULL) {
if (json_is_boolean(active)) {
if (!json_is_true(active)) {
oidc_debug(r,
"\"active\" boolean object with value \"false\" found in response JSON object");
json_decref(result);
return FALSE;
}
} else if (json_is_string(active)) {
if (apr_strnatcasecmp(json_string_value(active), "true") != 0) {
oidc_debug(r,
"\"active\" string object with value that is not equal to \"true\" found in response JSON object: %s",
json_string_value(active));
json_decref(result);
return FALSE;
}
} else {
oidc_debug(r,
"no \"active\" boolean or string object found in response JSON object");
json_decref(result);
return FALSE;
}
if (oidc_oauth_parse_and_cache_token_expiry(r, c, result, "exp",
TRUE, FALSE, &cache_until) == FALSE) {
json_decref(result);
return FALSE;
}
/* set it in the cache so subsequent request don't need to validate the access_token and get the claims anymore */
c->cache->set(r, OIDC_CACHE_SECTION_ACCESS_TOKEN, access_token,
json, cache_until);
} else {
if (oidc_oauth_parse_and_cache_token_expiry(r, c, result,
c->oauth.introspection_token_expiry_claim_name,
apr_strnatcmp(
c->oauth.introspection_token_expiry_claim_format,
"absolute") == 0,
c->oauth.introspection_token_expiry_claim_required,
&cache_until) == FALSE) {
json_decref(result);
return FALSE;
}
/* set it in the cache so subsequent request don't need to validate the access_token and get the claims anymore */
c->cache->set(r, OIDC_CACHE_SECTION_ACCESS_TOKEN, access_token,
json, cache_until);
}
} else {
/* we got the claims for this access_token in our cache, decode it in to a JSON structure */
json_error_t json_error;
result = json_loads(json, 0, &json_error);
if (result == NULL) {
oidc_error(r, "cached JSON was corrupted: %s", json_error.text);
return FALSE;
}
}
/* return the access_token JSON object */
json_t *tkn = json_object_get(result, "access_token");
if ((tkn != NULL) && (json_is_object(tkn))) {
/*
* assume PingFederate validation: copy over those claims from the access_token
* that are relevant for authorization purposes
*/
json_object_set(tkn, "client_id", json_object_get(result, "client_id"));
json_object_set(tkn, "scope", json_object_get(result, "scope"));
//oidc_oauth_spaced_string_to_array(r, result, "scope", tkn, "scopes");
/* return only the pimped access_token results */
*token = json_deep_copy(tkn);
char *s_token = json_dumps(*token, 0);
*response = apr_pstrdup(r->pool, s_token);
free(s_token);
json_decref(result);
} else {
//oidc_oauth_spaced_string_to_array(r, result, "scope", result, "scopes");
/* assume spec compliant introspection */
*token = result;
*response = apr_pstrdup(r->pool, json);
}
return TRUE;
}
/*
* resolve and validate an access_token against the configured Authorization Server
*/
static apr_byte_t oidc_oauth_resolve_access_token(request_rec *r, oidc_cfg *c,
const char *access_token, json_t **token, char **response) {
json_t *result = NULL;
const char *json = NULL;
/* see if we've got the claims for this access_token cached already */
c->cache->get(r, OIDC_CACHE_SECTION_ACCESS_TOKEN, access_token, &json);
if (json == NULL) {
/* not cached, go out and validate the access_token against the Authorization server and get the JSON claims back */
if (oidc_oauth_validate_access_token(r, c, access_token, &json) == FALSE) {
oidc_error(r,
"could not get a validation response from the Authorization server");
return FALSE;
}
/* decode and see if it is not an error response somehow */
if (oidc_util_decode_json_and_check_error(r, json, &result) == FALSE)
return FALSE;
json_t *active = json_object_get(result, "active");
if (active != NULL) {
if ((!json_is_boolean(active)) || (!json_is_true(active))) {
oidc_debug(r,
"no \"active\" boolean object with value \"true\" found in response JSON object");
json_decref(result);
return FALSE;
}
json_t *exp = json_object_get(result, "exp");
if ((exp != NULL) && (json_is_number(exp))) {
/* set it in the cache so subsequent request don't need to validate the access_token and get the claims anymore */
c->cache->set(r, OIDC_CACHE_SECTION_ACCESS_TOKEN, access_token, json,
apr_time_from_sec(json_integer_value(exp)));
} else if (json_integer_value(exp) <= 0) {
oidc_debug(r,
"response JSON object did not contain an \"exp\" integer number; introspection result will not be cached");
}
} else {
/* assume PingFederate validation: get and check the expiry timestamp */
json_t *expires_in = json_object_get(result, "expires_in");
if ((expires_in == NULL) || (!json_is_number(expires_in))) {
oidc_error(r,
"response JSON object did not contain an \"expires_in\" number");
json_decref(result);
return FALSE;
}
if (json_integer_value(expires_in) <= 0) {
oidc_warn(r,
"\"expires_in\" number <= 0 (%" JSON_INTEGER_FORMAT "); token already expired...",
json_integer_value(expires_in));
json_decref(result);
return FALSE;
}
/* set it in the cache so subsequent request don't need to validate the access_token and get the claims anymore */
c->cache->set(r, OIDC_CACHE_SECTION_ACCESS_TOKEN, access_token, json,
apr_time_now() + apr_time_from_sec(json_integer_value(expires_in)));
}
} else {
/* we got the claims for this access_token in our cache, decode it in to a JSON structure */
json_error_t json_error;
result = json_loads(json, 0, &json_error);
if (result == NULL) {
oidc_error(r, "cached JSON was corrupted: %s", json_error.text);
return FALSE;
}
}
/* return the access_token JSON object */
json_t *tkn = json_object_get(result, "access_token");
if ((tkn != NULL) && (json_is_object(tkn))) {
/*
* assume PingFederate validation: copy over those claims from the access_token
* that are relevant for authorization purposes
*/
json_object_set(tkn, "client_id", json_object_get(result, "client_id"));
json_object_set(tkn, "scope", json_object_get(result, "scope"));
//oidc_oauth_spaced_string_to_array(r, result, "scope", tkn, "scopes");
/* return only the pimped access_token results */
*token = json_deep_copy(tkn);
char *s_token = json_dumps(*token, 0);
*response = apr_pstrdup(r->pool, s_token);
free(s_token);
json_decref(result);
} else {
//oidc_oauth_spaced_string_to_array(r, result, "scope", result, "scopes");
/* assume spec compliant introspection */
*token = result;
*response = apr_pstrdup(r->pool, json);
}
return TRUE;
}
