apply ISO-8859-1 as default encoding mechanism for claim values
passed in headers and environment variables to comply with
https://www.rfc-editor.org/rfc/rfc5987; see #957; use "OIDCPassClaimsAs
<any> none" for backwards compatibility; bump to 2.4.15rc3

Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>
zandbelt committed Nov 2, 2023
1 parent 8ffa1c3 commit 28e79bf
Showing 5 changed files with 24 additions and 12 deletions.
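--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+11/02/2023
+- apply ISO-8859-1 ("latin1") as default encoding mechanism for claim values passed in headers and environment
+variables to comply with https://www.rfc-editor.org/rfc/rfc5987; see #957; use "OIDCPassClaimsAs <any> none"
+for backwards compatibility
+- bump to 2.4.15rc3
+
 11/01/2023
 - avoid warnings on cache misses (regression introduced in 2.4.15rc1)
 - bump to 2.4.15rc2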
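--- a/auth_openidc.conf
+++ b/auth_openidc.conf
@@ -843,15 +843,16 @@
 # "headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's)
 # "both": claims/tokens are passed as both headers as well as environment variables (default)
 #
-# "base64url" can be specified as the 2nd argument to apply base64url encoding to all values passed
-# in headers. Alternatively the "latin1" option can be specified to apply ISO-8859-1 encoding to all
-# values passed in headers as well as environment variables, which may result in out of bound
-# characters converted to the "?" character.
-# When not defined the default is "both" and no encoding is applied to the header/environment values.
+# A second parameter can be specified that defines the encodong applied to all values passed in headers
+# and environment variables:
+# "latin1" applies ISO-8859-1 encoding: this may result in out of bound characters converted to the "?" character.
+# "base64url" applies base64url encoding
+# "none" applies no encoding and copies literal values from the claims into the headers/environment variables
+# When not defined the default is "both" and "latin1" encoding is applied to the header/environment values.
 #
 # The access token is passed in OIDC_access_token; the access token expiry is passed in OIDC_access_token_expires.
 # The refresh token is only passed in OIDC_refresh_token if enabled for that specific directory/location (see: OIDCPassRefreshToken)
-#OIDCPassClaimsAs [none|headers|environment|both] [base64url|latin1]
+#OIDCPassClaimsAs [none|headers|environment|both] [latin1|base64url|none]
 
 # Specify the HTTP header variable name to set with the name of the authenticated user,
 # i.e. copy what is set in REMOTE_USER and configured in OIDCRemoteUserClaim or OIDCOAuthRemoteUserClaim.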
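Review bot: The new comment line `# A second parameter can be specified that defines the encodong applied to all values passed in headers` has a typo and should read `encoding`. The `none` value now documented for the second argument is spelled identically to the first argument's `none`, which suppresses passing claims altogether, so one sentence distinguishing them would prevent misconfiguration, e.g. `# Note: "none" as the 2nd argument only disables encoding; "none" as the 1st argument disables passing claims at all.` Because latin1 replaces out-of-range characters with "?", as the comment itself states, two distinct claim values that differ only in non-Latin-1 characters become indistinguishable to the application; it would be worth adding that deployments which make authorization decisions on pass-through claim headers should prefer the lossless "base64url" option rather than rely on the new default.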
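--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.15rc2],[hans.zandbelt@openidc.com])
+AC_INIT([mod_auth_openidc],[2.4.15rc3],[hans.zandbelt@openidc.com])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 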
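--- a/src/config.c
+++ b/src/config.c
@@ -145,7 +145,7 @@
 /* default for passing app info in environment variables */
 #define OIDC_DEFAULT_PASS_APP_INFO_IN_ENVVARS 1
 /* default for passing app info in base64 encoded format */
-#define OIDC_DEFAULT_PASS_APP_INFO_HDR_AS 0
+#define OIDC_DEFAULT_PASS_APP_INFO_HDR_AS OIDC_PASS_APP_INFO_AS_LATIN1
 /* default value for the token introspection interval (0 = disabled, no expiry of claims) */
 #define OIDC_DEFAULT_TOKEN_INTROSPECTION_INTERVAL 0
 /* default action to take on an incoming unauthenticated request */
@@ -1128,6 +1128,7 @@ static const char* oidc_set_remote_user_claim(cmd_parms *cmd, void *struct_ptr,
 
 /*
 * define how to pass claims information to the application: in headers and/or environment variables
+* and optionally specify the encoding applied to the values
 */
 static const char* oidc_set_pass_claims_as(cmd_parms *cmd, void *m,
 const char *arg1, const char *arg2) {
@@ -1140,11 +1141,14 @@ static const char* oidc_set_pass_claims_as(cmd_parms *cmd, void *m,
 dir_cfg->pass_info_as = OIDC_PASS_APP_INFO_AS_BASE64URL;
 } else if (_oidc_strcmp(arg2, "latin1") == 0) {
 dir_cfg->pass_info_as = OIDC_PASS_APP_INFO_AS_LATIN1;
+} else if (_oidc_strcmp(arg2, "none") == 0) {
+dir_cfg->pass_info_as = OIDC_PASS_APP_INFO_AS_NONE;
 } else {
-rv = apr_pstrcat(cmd->temp_pool, "unknown encoding option \"",
-arg2,
-"\", only \"base64url\" or \"latin1\" is supported",
-NULL);
+rv =
+apr_pstrcat(cmd->temp_pool,
+"unknown encoding option \"", arg2,
+"\", only \"base64url\", \"latin1\" or \"none\" is supported",
+NULL);
 }
 }
 }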
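Review bot: The comment directly above the changed default, `/* default for passing app info in base64 encoded format */`, no longer describes the macro now that OIDC_DEFAULT_PASS_APP_INFO_HDR_AS expands to OIDC_PASS_APP_INFO_AS_LATIN1; it should read `/* default encoding applied to claim values passed in headers/environment variables (see OIDCPassClaimsAs) */`. In the parser hunk, the new `"none"` branch for arg2 shares its spelling with the arg1 value that disables passing claims entirely, and both are handled inside oidc_set_pass_claims_as, so a one-line comment on the new branch, `/* "none" here means no encoding, unlike the 1st argument's "none" */`, would save the next reader a wrong guess. The beginning of oidc_set_pass_claims_as (the arg1 handling and how arg2 being absent is treated) lies above the hunk and its tail is not shown, so I cannot confirm from this diff that a directory with no second argument actually receives the new latin1 default; a test that exercises `OIDCPassClaimsAs both` with and without the `none` suffix would pin the advertised backwards-compatibility path.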
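--- a/src/mod_auth_openidc.h
+++ b/src/mod_auth_openidc.h
@@ -162,6 +162,7 @@ APLOG_USE_MODULE(auth_openidc);
 /* pass as re-signed JWT including id_token claims */
 #define OIDC_PASS_USERINFO_AS_SIGNED_JWT 4
 
+#define OIDC_PASS_APP_INFO_AS_NONE 0
 #define OIDC_PASS_APP_INFO_AS_BASE64URL 1
 #define OIDC_PASS_APP_INFO_AS_LATIN1 2
 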
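Review bot: `#define OIDC_PASS_APP_INFO_AS_NONE 0` gives the new explicit "none" option the same value the field held before this commit when no second argument was configured (the old default in config.c was the literal 0). If the per-directory merge logic, which is outside this diff, distinguishes "explicitly set" from "not set" by comparing the value against 0 or against the default, an explicit `OIDCPassClaimsAs <any> none` would be indistinguishable from "unset" and silently replaced by the new latin1 default, defeating the backwards-compatibility escape hatch the commit message promises; this is an inference from the value alone and is worth confirming with a merge test. Unlike the OIDC_PASS_USERINFO_AS_* constants just above, the three OIDC_PASS_APP_INFO_AS_* defines carry no comments; `/* copy claim values literally, no encoding (see OIDCPassClaimsAs) */` on the new line would document the security-relevant meaning next to its siblings.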
