diff --git a/ChangeLog b/ChangeLog
index 9d4cc4f7..784ce0fc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+11/02/2023
+- apply ISO-8859-1 ("latin1") as default encoding mechanism for claim values passed in headers and environment
+ variables to comply with https://www.rfc-editor.org/rfc/rfc5987; see #957; use "OIDCPassClaimsAs none"
+ for backwards compatibility
+- bump to 2.4.15rc3
+
 11/01/2023
 - avoid warnings on cache misses (regression introduced in 2.4.15rc1)
 - bump to 2.4.15rc2
diff --git a/auth_openidc.conf b/auth_openidc.conf
index 4398d696..b666fa97 100644
--- a/auth_openidc.conf
+++ b/auth_openidc.conf
@@ -843,15 +843,16 @@
 # "headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's)
 # "both": claims/tokens are passed as both headers as well as environment variables (default)
 #
-# "base64url" can be specified as the 2nd argument to apply base64url encoding to all values passed
-# in headers. Alternatively the "latin1" option can be specified to apply ISO-8859-1 encoding to all
-# values passed in headers as well as environment variables, which may result in out of bound
-# characters converted to the "?" character.
-# When not defined the default is "both" and no encoding is applied to the header/environment values.
+# A second parameter can be specified that defines the encodong applied to all values passed in headers
+# and environment variables:
+# "latin1" applies ISO-8859-1 encoding: this may result in out of bound characters converted to the "?" character.
+# "base64url" applies base64url encoding
+# "none" applies no encoding and copies literal values from the claims into the headers/environment variables
+# When not defined the default is "both" and "latin1" encoding is applied to the header/environment values.
 #
 # The access token is passed in OIDC_access_token; the access token expiry is passed in OIDC_access_token_expires.
 # The refresh token is only passed in OIDC_refresh_token if enabled for that specific directory/location (see: OIDCPassRefreshToken)
-#OIDCPassClaimsAs [none|headers|environment|both] [base64url|latin1]
+#OIDCPassClaimsAs [none|headers|environment|both] [latin1|base64url|none]
 
 # Specify the HTTP header variable name to set with the name of the authenticated user,
 # i.e. copy what is set in REMOTE_USER and configured in OIDCRemoteUserClaim or OIDCOAuthRemoteUserClaim.
diff --git a/configure.ac b/configure.ac
index 90409a7a..c0961ace 100644
--- a/configure.ac
+++ b/configure.ac
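Review bot: The new description line in this hunk spells `encodong`; it should read `# A second parameter can be specified that defines the encoding applied to all values passed in headers`. The keyword `none` now carries two different meanings in one directive: as the first argument it disables passing claims altogether, as the second it disables encoding, so `OIDCPassClaimsAs none none` is a valid but confusing line; a clarifying sentence such as `# Note: "none" as the 2nd argument only disables encoding; "none" as the 1st argument disables passing claims entirely.` would help operators reading the sample. Since the stated default is now the lossy "latin1" conversion, it is also worth saying in this block that "base64url" is the lossless choice when the application needs the exact claim value.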
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.15rc2],[hans.zandbelt@openidc.com])
+AC_INIT([mod_auth_openidc],[2.4.15rc3],[hans.zandbelt@openidc.com])
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
diff --git a/src/config.c b/src/config.c
index 5cadc979..66fb78bf 100644
--- a/src/config.c
+++ b/src/config.c
@@ -145,7 +145,7 @@
 /* default for passing app info in environment variables */
 #define OIDC_DEFAULT_PASS_APP_INFO_IN_ENVVARS 1
 /* default for passing app info in base64 encoded format */
-#define OIDC_DEFAULT_PASS_APP_INFO_HDR_AS 0
+#define OIDC_DEFAULT_PASS_APP_INFO_HDR_AS OIDC_PASS_APP_INFO_AS_LATIN1
 /* default value for the token introspection interval (0 = disabled, no expiry of claims) */
 #define OIDC_DEFAULT_TOKEN_INTROSPECTION_INTERVAL 0
 /* default action to take on an incoming unauthenticated request */
@@ -1128,6 +1128,7 @@ static const char* oidc_set_remote_user_claim(cmd_parms *cmd, void *struct_ptr,
 /*
  * define how to pass claims information to the application: in headers and/or environment variables
+ * and optionally specify the encoding applied to the values
  */
 static const char* oidc_set_pass_claims_as(cmd_parms *cmd, void *m,
 		const char *arg1, const char *arg2) {
@@ -1140,11 +1141,14 @@ static const char* oidc_set_pass_claims_as(cmd_parms *cmd, void *m,
 		dir_cfg->pass_info_as = OIDC_PASS_APP_INFO_AS_BASE64URL;
 	} else if (_oidc_strcmp(arg2, "latin1") == 0) {
 		dir_cfg->pass_info_as = OIDC_PASS_APP_INFO_AS_LATIN1;
+	} else if (_oidc_strcmp(arg2, "none") == 0) {
+		dir_cfg->pass_info_as = OIDC_PASS_APP_INFO_AS_NONE;
 	} else {
-		rv = apr_pstrcat(cmd->temp_pool, "unknown encoding option \"",
-				arg2,
-				"\", only \"base64url\" or \"latin1\" is supported",
-				NULL);
+		rv =
+			apr_pstrcat(cmd->temp_pool,
+				"unknown encoding option \"", arg2,
+				"\", only \"base64url\", \"latin1\" or \"none\" is supported",
+				NULL);
 	}
 }
diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
index f49081aa..1ea6fe24 100644
--- a/src/mod_auth_openidc.h
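Review bot: The comment above the changed define in the `@@ -145,7 +145,7 @@` hunk, `/* default for passing app info in base64 encoded format */`, no longer describes the macro, which now selects the value encoding and defaults to OIDC_PASS_APP_INFO_AS_LATIN1; replace it with `/* default encoding for claim values passed in headers/environment variables (latin1 per RFC 5987); "none" restores the literal pass-through */`. Because the ISO-8859-1 conversion is lossy (the sample config says out-of-range characters become "?"), distinct claim values can map to the same header value under the new default, which matters to any backend that compares passed claims for authorization; the define comment or the ChangeLog should point such deployments at "base64url" as the lossless option. The conversion itself is not visible in this diff, so whether it is applied to all claims or only to header values is assumed from the ChangeLog wording. The later hunks in this file are cut off before the end of oidc_set_pass_claims_as, so its return path is not reviewed here.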
+++ b/src/mod_auth_openidc.h
@@ -162,6 +162,7 @@ APLOG_USE_MODULE(auth_openidc);
 /* pass as re-signed JWT including id_token claims */
 #define OIDC_PASS_USERINFO_AS_SIGNED_JWT 4
+#define OIDC_PASS_APP_INFO_AS_NONE 0
 #define OIDC_PASS_APP_INFO_AS_BASE64URL 1
 #define OIDC_PASS_APP_INFO_AS_LATIN1 2