Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mod_auth_openidc.c: perform authentication for sub-requests #487

Merged
merged 2 commits into from
Sep 19, 2020
Merged

mod_auth_openidc.c: perform authentication for sub-requests #487

merged 2 commits into from
Sep 19, 2020

Conversation

spanglerco
Copy link
Contributor

Fixes the issue described in https://groups.google.com/forum/#!topic/mod_auth_openidc/ghZzUXG_ggY

When Apache performs a sub-request from a route that doesn't require authentication (e.g. Require all granted) to one that requires authentication (e.g. Require valid-user), mod_auth_openidc was skipping the authentication step. This change inverts the if (ap_is_initial_req(r)) to run what used to be the else case first. Then we run the code that attempts to authenticate whether we're on a sub-request or not.

Other than reordering the code and changing the if-else, the only other changes were to comments.

Testing

  • make test passes
  • Created a test conf: 
     OIDCCryptoPassphrase ...
 OIDCRedirectURI /oidctest/restricted/redirect
 OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
 OIDCClientID ...
 OIDCClientSecret ...
 OIDCScope "openid email profile"

 <Directory /var/www/html/oidctest>
 	AuthType openid-connect
 	Header set Cache-Control no-store
 	RewriteEngine On
 	RewriteRule ^index.html$ restricted/subreq.html
 </Directory>

 <Directory /var/www/html/oidctest/restricted>
 	Require valid-user
 </Directory>
  • Without this change, making a request to /oidctest/ redirects to Google and then back even if I'm already logged in: 
    x.x.x.x - - [18/Sep/2020:11:13:25 -0500] "GET /oidctest/ HTTP/1.1" 302 1920 "-" "Mozilla/5.0 ..."
x.x.x.x - [email protected] [18/Sep/2020:11:13:26 -0500] "GET /oidctest/restricted/redirect?state=... HTTP/1.1" 302 896 "-" "Mozilla/5.0 ..."
x.x.x.x - [email protected] [18/Sep/2020:11:13:27 -0500] "GET /oidctest/restricted/subreq.html HTTP/1.1" 200 446 "-" "Mozilla/5.0 ..."
x.x.x.x - - [18/Sep/2020:11:13:38 -0500] "GET /oidctest/ HTTP/1.1" 302 1919 "-" "Mozilla/5.0 ..."
x.x.x.x - [email protected] [18/Sep/2020:11:13:39 -0500] "GET /oidctest/restricted/redirect?state=... HTTP/1.1" 302 896 "-" "Mozilla/5.0 ..."
x.x.x.x - [email protected] [18/Sep/2020:11:13:39 -0500] "GET /oidctest/restricted/subreq.html HTTP/1.1" 200 446 "-" "Mozilla/5.0 ..."
  • With this change, making a request to /oidctest/ successfully returns the restricted content if I'm already logged in: 
    x.x.x.x - - [18/Sep/2020:11:50:47 -0500] "GET /oidctest/ HTTP/1.1" 302 1919 "-" "Mozilla/5.0 ..."
x.x.x.x - [email protected] [18/Sep/2020:11:50:48 -0500] "GET /oidctest/restricted/redirect?state=... HTTP/1.1" 302 896 "-" "Mozilla/5.0 ..."
x.x.x.x - [email protected] [18/Sep/2020:11:50:49 -0500] "GET /oidctest/restricted/subreq.html HTTP/1.1" 200 446 "-" "Mozilla/5.0 ..."
x.x.x.x - [email protected] [18/Sep/2020:11:50:56 -0500] "GET /oidctest/ HTTP/1.1" 200 447 "-" "Mozilla/5.0 ..."

@zandbelt
Copy link
Member

that seems ok indeed; if you could add something to the ChangeLog and add yourself to the AUTHORS, I can merge

@spanglerco
Copy link
Contributor Author

@zandbelt done, thanks

@zandbelt zandbelt merged commit 386a3ec into OpenIDC:master Sep 19, 2020
@spanglerco spanglerco deleted the subreq branch September 19, 2020 21:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@spanglerco @zandbelt