75
75
#define OIDC_DEBUG APLOG_DEBUG
78
#define oidc_log(r, level, fmt, ...) ap_log_rerror(APLOG_MARK, level, 0, r,"%s: %s", __FUNCTION__, apr_psprintf(r->pool, fmt, ##__VA_ARGS__))
79
#define oidc_slog(s, level, fmt, ...) ap_log_error(APLOG_MARK, level, 0, s, "%s: %s", __FUNCTION__, apr_psprintf(s->process->pool, fmt, ##__VA_ARGS__))
81
#define oidc_debug(r, fmt, ...) oidc_log(r, OIDC_DEBUG, fmt, ##__VA_ARGS__)
82
#define oidc_warn(r, fmt, ...) oidc_log(r, APLOG_WARNING, fmt, ##__VA_ARGS__)
83
#define oidc_error(r, fmt, ...) oidc_log(r, APLOG_ERR, fmt, ##__VA_ARGS__)
85
#define oidc_sdebug(s, fmt, ...) oidc_slog(s, OIDC_DEBUG, fmt, ##__VA_ARGS__)
86
#define oidc_swarn(s, fmt, ...) oidc_slog(s, APLOG_WARNING, fmt, ##__VA_ARGS__)
87
#define oidc_serror(s, fmt, ...) oidc_slog(s, APLOG_ERR, fmt, ##__VA_ARGS__)
90
#define NAMEVERSION "mod_auth_openidc-0.0.0"
92
#define STRINGIFY(x) #x
93
#define TOSTRING(x) STRINGIFY(x)
94
#define NAMEVERSION TOSTRING(NAMEVER)
78
97
/* key for storing the claims in the session context */
79
98
#define OIDC_CLAIMS_SESSION_KEY "claims"
80
99
/* key for storing the id_token in the session context */
84
103
/* key for storing the access_token in the session context */
85
104
#define OIDC_ACCESSTOKEN_SESSION_KEY "access_token"
106
/* key for storing the session_state in the session context */
107
#define OIDC_SESSION_STATE_SESSION_KEY "session_state"
108
/* key for storing the issuer in the session context */
109
#define OIDC_ISSUER_SESSION_KEY "issuer"
110
/* key for storing the client_id in the session context */
111
#define OIDC_CLIENTID_SESSION_KEY "client_id"
112
/* key for storing the check_session_iframe in the session context */
113
#define OIDC_CHECK_IFRAME_SESSION_KEY "check_session_iframe"
114
/* key for storing the end_session_endpoint in the session context */
115
#define OIDC_LOGOUT_ENDPOINT_SESSION_KEY "end_session_endpoint"
87
117
/* parameter name of the callback URL in the discovery response */
88
118
#define OIDC_DISC_CB_PARAM "oidc_callback"
89
119
/* parameter name of the OP provider selection in the discovery response */
92
122
#define OIDC_DISC_RT_PARAM "target_link_uri"
93
123
/* parameter name of login hint in the discovery response */
94
124
#define OIDC_DISC_LH_PARAM "login_hint"
125
/* parameter name of parameters that need to be passed in the authentication request */
126
#define OIDC_DISC_AR_PARAM "auth_request_params"
96
128
/* value that indicates to use server-side cache based session tracking */
97
129
#define OIDC_SESSION_TYPE_22_SERVER_CACHE 0
105
137
/* pass id_token in compact serialized format in header*/
106
138
#define OIDC_PASS_IDTOKEN_AS_SERIALIZED 4
108
/* name of the cookie that binds the state in the authorization request/response to the browser */
109
#define OIDCStateCookieName "mod_auth_openidc_state"
140
/* prefix of the cookie that binds the state in the authorization request/response to the browser */
141
#define OIDCStateCookiePrefix "mod_auth_openidc_state_"
111
143
/* the (global) key for the mod_auth_openidc related state that is stored in the request userdata context */
112
144
#define OIDC_USERDATA_KEY "mod_auth_openidc_state"
117
149
/* the name of the keyword that follows the Require primitive to indicate claims-based authorization */
118
150
#define OIDC_REQUIRE_NAME "claim"
152
/* defines for how long provider metadata will be cached */
153
#define OIDC_CACHE_PROVIDER_METADATA_EXPIRY_DEFAULT 86400
156
#define OIDC_CACHE_SECTION_JTI "jti"
157
#define OIDC_CACHE_SECTION_SESSION "session"
158
#define OIDC_CACHE_SECTION_NONCE "nonce"
159
#define OIDC_CACHE_SECTION_JWKS "jwks"
160
#define OIDC_CACHE_SECTION_ACCESS_TOKEN "access_token"
161
#define OIDC_CACHE_SECTION_PROVIDER "provider"
120
163
typedef struct oidc_provider_t {
122
166
char *authorization_endpoint_url;
123
167
char *token_endpoint_url;
124
168
char *token_endpoint_auth;
169
char *token_endpoint_params;
125
170
char *userinfo_endpoint_url;
126
171
char *registration_endpoint_url;
172
char *check_session_iframe;
173
char *end_session_endpoint;
129
176
char *client_secret;
167
214
/* (optional) external OP discovery page */
168
215
char *discover_url;
169
216
/* (optional) default URL for 3rd-party initiated SSO */
217
char *default_sso_url;
218
/* (optional) default URL to go to after logout */
219
char *default_slo_url;
172
221
/* public keys in JWK format, used by parters for encrypting JWTs sent to us */
173
222
apr_hash_t *public_keys;
247
296
const char *issuer;
248
297
const char *response_type;
249
298
const char *response_mode;
250
300
apr_time_t timestamp;
251
301
} oidc_proto_state;
253
int oidc_proto_authorization_request(request_rec *r, struct oidc_provider_t *provider, const char *login_hint, const char *redirect_uri, const char *state, oidc_proto_state *proto_state);
303
int oidc_proto_authorization_request(request_rec *r, struct oidc_provider_t *provider, const char *login_hint, const char *redirect_uri, const char *state, oidc_proto_state *proto_state, const char *id_token_hint, const char *auth_request_params);
254
304
apr_byte_t oidc_proto_is_post_authorization_response(request_rec *r, oidc_cfg *cfg);
255
305
apr_byte_t oidc_proto_is_redirect_authorization_response(request_rec *r, oidc_cfg *cfg);
256
306
apr_byte_t oidc_proto_check_token_type(request_rec *r, oidc_provider_t *provider, const char *token_type);
292
342
char *oidc_url_encode(const request_rec *r, const char *str, const char *charsToEncode);
293
343
char *oidc_normalize_header_name(const request_rec *r, const char *str);
295
void oidc_util_set_cookie(request_rec *r, const char *cookieName, const char *cookieValue);
296
char *oidc_util_get_cookie(request_rec *r, char *cookieName);
345
void oidc_util_set_cookie(request_rec *r, const char *cookieName, const char *cookieValue, apr_time_t expires);
346
char *oidc_util_get_cookie(request_rec *r, const char *cookieName);
297
347
apr_byte_t oidc_util_http_get(request_rec *r, const char *url, const apr_table_t *params, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout, const char *outgoing_proxy);
298
348
apr_byte_t oidc_util_http_post_form(request_rec *r, const char *url, const apr_table_t *params, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout, const char *outgoing_proxy);
299
349
apr_byte_t oidc_util_http_post_json(request_rec *r, const char *url, const json_t *data, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout, const char *outgoing_proxy);
301
351
apr_byte_t oidc_util_request_has_parameter(request_rec *r, const char* param);
302
352
apr_byte_t oidc_util_get_request_parameter(request_rec *r, char *name, char **value);
303
353
apr_byte_t oidc_util_decode_json_and_check_error(request_rec *r, const char *str, json_t **json);
304
int oidc_util_http_sendstring(request_rec *r, const char *html, int success_rvalue);
354
int oidc_util_http_send(request_rec *r, const char *data, int data_len, const char *content_type, int success_rvalue);
355
int oidc_util_html_send(request_rec *r, const char *html, int success_rvalue);
305
356
char *oidc_util_escape_string(const request_rec *r, const char *str);
306
357
char *oidc_util_unescape_string(const request_rec *r, const char *str);
307
358
apr_byte_t oidc_util_read_post(request_rec *r, apr_table_t *table);
317
368
apr_byte_t oidc_util_spaced_string_contains(apr_pool_t *pool, const char *response_type, const char *match);
318
369
apr_byte_t oidc_json_object_get_string(apr_pool_t *pool, json_t *json, const char *name, char **value, const char *default_value);
319
370
apr_byte_t oidc_json_object_get_int(apr_pool_t *pool, json_t *json, const char *name, int *value, const int default_value);
371
char *oidc_util_html_escape(apr_pool_t *pool, const char *input);
322
374
unsigned char *oidc_crypto_aes_encrypt(request_rec *r, oidc_cfg *cfg, unsigned char *plaintext, int *len);
324
376
apr_byte_t oidc_crypto_destroy(oidc_cfg *cfg, server_rec *s);
326
378
// oidc_metadata.c
379
apr_byte_t oidc_metadata_provider_retrieve(request_rec *r, oidc_cfg *cfg, const char *issuer, const char *url, json_t **j_metadata, const char **response);
380
apr_byte_t oidc_metadata_provider_parse(request_rec *r, json_t *j_provider, oidc_provider_t *provider);
327
381
apr_byte_t oidc_metadata_list(request_rec *r, oidc_cfg *cfg, apr_array_header_t **arr);
328
382
apr_byte_t oidc_metadata_get(request_rec *r, oidc_cfg *cfg, const char *selected, oidc_provider_t **provider);
329
383
apr_byte_t oidc_metadata_jwks_get(request_rec *r, oidc_cfg *cfg, oidc_provider_t *provider, json_t **j_jwks, apr_byte_t *refresh);