Skip to content

Commit

Permalink
release 3.2.2: depend on liboauth2 1.4.2.1
Browse files Browse the repository at this point in the history
- with fixed iat slack validation defaults
- set WWW-Authenticate environment variable to allow for complex Require
logic; see
  OpenIDC/mod_auth_openidc#572

Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
  • Loading branch information
zandbelt committed Jun 7, 2021
1 parent a2b2187 commit 481aabe
Show file tree
Hide file tree
Showing 4 changed files with 28 additions and 6 deletions.
3 changes: 3 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -17,3 +17,6 @@
/.settings/
/.libs/
/mod_oauth2.la
/config.guess~
/config.sub~
/configure~
6 changes: 6 additions & 0 deletions ChangeLog
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
06/07/2021
- depend on liboauth2 1.4.2.1 with fixed iat slack validation defaults
- set WWW-Authenticate environment variable to allow for complex Require logic; see
https://github.com/zmartzone/mod_auth_openidc/discussions/572
- release 3.2.2

02/01/2021
- depend on liboauth2 1.4.1 with support for RFC 8705 mTLS Client Certificate bound access tokens
- release 3.2.1
Expand Down
6 changes: 3 additions & 3 deletions configure.ac
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
AC_INIT([mod_oauth2],[3.2.1],[hans.zandbelt@zmartzone.eu])
AC_INIT([mod_oauth2],[3.2.2],[hans.zandbelt@zmartzone.eu])

AM_INIT_AUTOMAKE([foreign no-define subdir-objects])
AC_CONFIG_MACRO_DIRS([m4])
Expand Down Expand Up @@ -32,11 +32,11 @@ PKG_CHECK_MODULES(APR, [apr-1, apr-util-1])
AC_SUBST(APR_CFLAGS)
AC_SUBST(APR_LIBS)

PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 1.4.1])
PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 1.4.2.1])
AC_SUBST(OAUTH2_CFLAGS)
AC_SUBST(OAUTH2_LIBS)

PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 1.4.1])
PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 1.4.2.1])
AC_SUBST(OAUTH2_APACHE_CFLAGS)
AC_SUBST(OAUTH2_APACHE_LIBS)

Expand Down
19 changes: 16 additions & 3 deletions src/mod_oauth2.c
Original file line number Diff line number Diff line change
Expand Up @@ -192,6 +192,8 @@ static int oauth2_check_user_id_handler(request_rec *r)
return DECLINED;
}

#define OAUTH2_BEARER_SCOPE_ERROR "OAUTH2_BEARER_SCOPE_ERROR"

static authz_status
oauth2_authz_checker(request_rec *r, const char *require_args,
const void *parsed_require_args,
Expand All @@ -201,6 +203,7 @@ oauth2_authz_checker(request_rec *r, const char *require_args,
oauth2_cfg_dir_t *cfg = NULL;
oauth2_apache_request_ctx_t *ctx = NULL;
authz_status rc = AUTHZ_DENIED_NO_USER;
const char *value = NULL;

cfg = ap_get_module_config(r->per_dir_config, &oauth2_module);
ctx = OAUTH2_APACHE_REQUEST_CTX(r, oauth2);
Expand All @@ -217,12 +220,22 @@ oauth2_authz_checker(request_rec *r, const char *require_args,
if (claims)
json_decref(claims);

if ((rc == AUTHZ_DENIED) && ap_auth_type(r))
if ((rc == AUTHZ_DENIED) && ap_auth_type(r)) {
oauth2_apache_return_www_authenticate(
cfg->source_token, ctx, HTTP_UNAUTHORIZED,
"insufficient_scope", // TODO:
// OAUTH2_ERROR_INSUFFICIENT_SCOPE,
OAUTH2_ERROR_INSUFFICIENT_SCOPE,
"Different scope(s) or other claims required.");
value = apr_table_get(r->err_headers_out,
OAUTH2_HTTP_HDR_WWW_AUTHENTICATE);
apr_table_unset(r->err_headers_out,
OAUTH2_HTTP_HDR_WWW_AUTHENTICATE);
oauth2_debug(ctx->log,
"setting environment variable %s to \"%s\" for "
"usage in mod_headers",
OAUTH2_BEARER_SCOPE_ERROR, value);
apr_table_set(r->subprocess_env, OAUTH2_BEARER_SCOPE_ERROR,
value);
}

oauth2_debug(ctx->log, "leave");

Expand Down

0 comments on commit 481aabe

Please sign in to comment.