Commit c366c31a authored by Moritz Schlarb's avatar Moritz Schlarb

Update upstream source from tag 'upstream/2.3.10.2'

Update to upstream version '2.3.10.2'
with Debian dir 7b9f9eb1e192b508435c10b123988718de842127
parents f12a42c4 0dec22a6
01/22/2019
- fix XSS vulnerability CSNC-2019-001 wrt. poll parameter in OIDC Session Management RP iframe; thanks Mischa Bachmann
- release 2.3.10.2
01/16/2019
- fix bug in current URL detection where query parameters would be duplicated; see #420; thanks @jreynaert
- release 2.3.10.1
12/31/2018
- fix warning printout in oidc_delete_oldest_state_cookies
- release 2.3.10
......@@ -39,7 +39,7 @@ of claims provided in the `id_token`/ `userinfo` claims.
- [OAuth 2.0 Multiple Response Type Encoding Practices 1.0](http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html)
- [OAuth 2.0 Form Post Response Mode 1.0](http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)
- [RFC7 7636 - Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636)
- [OpenID Connect Session Management 1.0](http://openid.net/specs/openid-connect-session-1_0.html) *(implementers draft; see the [Wiki](https://github.com/zmartzone/mod_auth_openidc/wiki/Session-Management) for information on how to configure it)*
- [OpenID Connect Session Management 1.0](http://openid.net/specs/openid-connect-session-1_0.html) *(implementers draft; see the [Wiki](https://github.com/zmartzone/mod_auth_openidc/wiki/OpenID-Connect-Session-Management) for information on how to configure it)*
- [OpenID Connect Front-Channel Logout 1.0](http://openid.net/specs/openid-connect-frontchannel-1_0.html) *(implementers draft)*
- [OpenID Connect Back-Channel Logout 1.0](https://openid.net/specs/openid-connect-backchannel-1_0.html) *(implementers draft)*
- [Encoding claims in the OAuth 2 state parameter using a JWT](https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-08) *(draft spec)*
......@@ -121,26 +121,6 @@ Require claim hd:<your-domain>
The above is an authorization example of an exact match of a provided claim against a string value.
For more authorization options see the [Wiki page on Authorization](https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization).
### OpenID Connect SSO with Keycloak
See also the [Wiki page on Keycloak](https://github.com/zmartzone/mod_auth_openidc/wiki/Keycloak)
```apache
OIDCProviderMetadataURL https://keycloak.example.net/auth/realms/master/.well-known/openid-configuration
# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI https://www.example.net/example/oauth2callback
OIDCCryptoPassphrase random1234
OIDCClientID <your-client-id-registered-in-keycloak>
OIDCClientSecret <your-client-secret-registered-in-keycloak>
OIDCRemoteUserClaim email
OIDCScope "openid email"
<Location /example/>
AuthType openid-connect
Require valid-user
</Location>
```
### Quickstart with a generic OpenID Connect Provider
1. install and load `mod_auth_openidc.so` in your Apache server
......@@ -169,6 +149,17 @@ OIDCCryptoPassphrase <password>
```
For details on configuring multiple providers see the [Wiki](https://github.com/zmartzone/mod_auth_openidc/wiki/Multiple-Providers).
### Quickstart for Other Providers
See the [Wiki](https://github.com/zmartzone/mod_auth_openidc/wiki) for configuration docs for other OpenID Connect Providers:
- [GLUU Server](https://github.com/zmartzone/mod_auth_openidc/wiki/Gluu-Server)
- [Keycloak](https://github.com/zmartzone/mod_auth_openidc/wiki/Keycloak)
- [Azure AD](https://github.com/zmartzone/mod_auth_openidc/wiki/Azure-OAuth2.0-and-OpenID)
- [LemonLDAP::NG](https://github.com/zmartzone/mod_auth_openidc/wiki/LemonLDAP::NG)
- [GitLab](https://github.com/zmartzone/mod_auth_openidc/wiki/GitLab-OAuth2)
- [Globus](https://github.com/zmartzone/mod_auth_openidc/wiki/Globus)
and [more](https://github.com/zmartzone/mod_auth_openidc/wiki/Useful-Links)
### Quickstart with a generic OAuth 2.0 Resource Server
Using "local" validation of JWT bearer tokens:
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for mod_auth_openidc 2.3.10.
# Generated by GNU Autoconf 2.69 for mod_auth_openidc 2.3.10.2.
#
# Report bugs to <hans.zandbelt@zmartzone.eu>.
#
......@@ -580,8 +580,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='mod_auth_openidc'
PACKAGE_TARNAME='mod_auth_openidc'
PACKAGE_VERSION='2.3.10'
PACKAGE_STRING='mod_auth_openidc 2.3.10'
PACKAGE_VERSION='2.3.10.2'
PACKAGE_STRING='mod_auth_openidc 2.3.10.2'
PACKAGE_BUGREPORT='hans.zandbelt@zmartzone.eu'
PACKAGE_URL=''
......@@ -1269,7 +1269,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures mod_auth_openidc 2.3.10 to adapt to many kinds of systems.
\`configure' configures mod_auth_openidc 2.3.10.2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
......@@ -1331,7 +1331,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of mod_auth_openidc 2.3.10:";;
short | recursive ) echo "Configuration of mod_auth_openidc 2.3.10.2:";;
esac
cat <<\_ACEOF
......@@ -1445,7 +1445,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
mod_auth_openidc configure 2.3.10
mod_auth_openidc configure 2.3.10.2
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
......@@ -1747,7 +1747,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by mod_auth_openidc $as_me 2.3.10, which was
It was created by mod_auth_openidc $as_me 2.3.10.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
......@@ -2096,7 +2096,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
NAMEVER=mod_auth_openidc-2.3.10
NAMEVER=mod_auth_openidc-2.3.10.2
# This section defines the --with-apxs2 option.
......@@ -4886,7 +4886,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by mod_auth_openidc $as_me 2.3.10, which was
This file was extended by mod_auth_openidc $as_me 2.3.10.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
......@@ -4939,7 +4939,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
mod_auth_openidc config.status 2.3.10
mod_auth_openidc config.status 2.3.10.2
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
AC_INIT([mod_auth_openidc],[2.3.10],[hans.zandbelt@zmartzone.eu])
AC_INIT([mod_auth_openidc],[2.3.10.2],[hans.zandbelt@zmartzone.eu])
AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
......@@ -3106,7 +3106,7 @@ static int oidc_handle_session_management_iframe_rp(request_rec *r, oidc_cfg *c,
"\n"
" function setTimer() {\n"
" checkSession();\n"
" timerID = setInterval('checkSession()', %s);\n"
" timerID = setInterval('checkSession()', %d);\n"
" }\n"
"\n"
" function receiveMessage(e) {\n"
......@@ -3149,12 +3149,13 @@ static int oidc_handle_session_management_iframe_rp(request_rec *r, oidc_cfg *c,
char *s_poll_interval = NULL;
oidc_util_get_request_parameter(r, "poll", &s_poll_interval);
if (s_poll_interval == NULL)
s_poll_interval = "3000";
int poll_interval = s_poll_interval ? strtol(s_poll_interval, NULL, 10) : 0;
if ((poll_interval <= 0) || (poll_interval > 3600 * 24))
poll_interval = 3000;
const char *redirect_uri = oidc_get_redirect_uri(r, c);
java_script = apr_psprintf(r->pool, java_script, origin, client_id,
session_state, op_iframe_id, s_poll_interval, redirect_uri,
session_state, op_iframe_id, poll_interval, redirect_uri,
redirect_uri);
return oidc_util_html_send(r, NULL, java_script, "setTimer", NULL, DONE);
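Review bot: The upper bound `3600 * 24` in the new poll_interval check is applied to a value that setInterval() interprets in milliseconds, so it caps the poll at 86.4 seconds rather than the day the expression suggests; if a one-day ceiling was intended the constant should be `3600L * 24 * 1000`, and either way a comment such as `/* poll interval in milliseconds; reject non-positive or absurd values */` would make the unit explicit. Narrowing strtol()'s long into an `int` before the range check is implementation-defined for out-of-int-range input; declaring `long poll_interval` and range-checking the long value avoids that, even though the subsequent clamp keeps the emitted value safe. Passing NULL as endptr means trailing garbage (e.g. `3000abc`) is silently accepted as 3000, which is harmless now that the value is formatted through `%d`, but an endptr check would reject malformed input explicitly. The enclosing function starts outside this section.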
......@@ -502,7 +502,7 @@ char *oidc_get_current_url(request_rec *r) {
if ((path) && (path[0] != '/')) {
memset(&uri, 0, sizeof(apr_uri_t));
if (apr_uri_parse(r->pool, r->uri, &uri) == APR_SUCCESS)
path = uri.path;
path = apr_pstrcat(r->pool, uri.path, (r->args != NULL && *r->args != '\0' ? "?" : ""), r->args, NULL);
else
oidc_warn(r, "apr_uri_parse failed on non-relative URL: %s", r->uri);
} else {
......@@ -510,9 +510,7 @@ char *oidc_get_current_url(request_rec *r) {
path = r->unparsed_uri;
}
url = apr_pstrcat(r->pool, oidc_get_current_url_base(r), path,
(r->args != NULL && *r->args != '\0' ? "?" : ""), r->args,
NULL);
url = apr_pstrcat(r->pool, oidc_get_current_url_base(r), path, NULL);
oidc_debug(r, "current URL '%s'", url);
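Review bot: On the apr_uri_parse() failure branch (the `oidc_warn` at the end of the first hunk) the query string is now dropped: `path` keeps the original non-relative `r->uri` and the final `apr_pstrcat` no longer appends `r->args`, whereas before the change the query was added on every branch. If losing the query on that fallback is intentional, a comment like `/* parse failed: fall back to r->uri without its query string */` would document it; otherwise that branch should also concatenate `(r->args != NULL && *r->args != '\0' ? "?" : "")` and `r->args`. The `else` branch relies on `r->unparsed_uri` already carrying the query string, which is worth stating in a comment next to that assignment since the removed code built the query explicitly. oidc_get_current_url starts and ends outside this section.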
......@@ -1195,7 +1195,7 @@ static char * test_current_url(request_rec *r) {
char *url = NULL;
r->uri = "/test";
r->unparsed_uri = r->uri;
r->unparsed_uri = apr_pstrcat(r->pool, r->uri, "?", r->args, NULL);
url = oidc_get_current_url(r);
TST_ASSERT_STR("test_current_url (1)", url, "https://www.example.com/test?foo=bar&param1=value1");
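Review bot: The updated fixture still sets `r->uri = "/test"`, so it only exercises the branch where the path starts with '/', and the new apr_uri_parse() concatenation for non-relative URIs in util.c has no coverage; a second case with an absolute `r->uri` such as `https://www.example.com/test` and the same `r->args` would pin that behaviour. The concatenation `apr_pstrcat(r->pool, r->uri, "?", r->args, NULL)` yields `/test?` when `r->args` is NULL, so the test depends on `r->args` being assigned earlier, presumably outside the hunk; guarding the `"?"` with the same `r->args != NULL` condition the production code uses would make the fixture self-contained. test_current_url continues outside this section.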
......