From 481aabe0de3b01bacb639daf880cea486f3cf0ef Mon Sep 17 00:00:00 2001 From: Hans Zandbelt Date: Mon, 7 Jun 2021 12:32:50 +0200 Subject: [PATCH] release 3.2.2: depend on liboauth2 1.4.2.1 - with fixed iat slack validation defaults - set WWW-Authenticate environment variable to allow for complex Require logic; see https://github.com/zmartzone/mod_auth_openidc/discussions/572 Signed-off-by: Hans Zandbelt
---
 .gitignore | 3 +++
 ChangeLog | 6 ++++++
 configure.ac | 6 +++---
 src/mod_oauth2.c | 19 ++++++++++++++++---
 4 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/.gitignore b/.gitignore
index b55fa5b..0fa19c5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,6 @@
 /.settings/
 /.libs/
 /mod_oauth2.la
+/config.guess~
+/config.sub~
+/configure~
diff --git a/ChangeLog b/ChangeLog
index daf56f9..582f678 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+06/07/2021
+- depend on liboauth2 1.4.2.1 with fixed iat slack validation defaults
+- set WWW-Authenticate environment variable to allow for complex Require logic; see https://github.com/zmartzone/mod_auth_openidc/discussions/572
+- release 3.2.2
+
 02/01/2021
 - depend on liboauth2 1.4.1 with support for RFC 8705 mTLS Client Certificate bound access tokens
 - release 3.2.1
diff --git a/configure.ac b/configure.ac
index 9ecf88d..71982dc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_oauth2],[3.2.1],[hans.zandbelt@zmartzone.eu])
+AC_INIT([mod_oauth2],[3.2.2],[hans.zandbelt@zmartzone.eu])
 AM_INIT_AUTOMAKE([foreign no-define subdir-objects])
 AC_CONFIG_MACRO_DIRS([m4])
@@ -32,11 +32,11 @@ PKG_CHECK_MODULES(APR, [apr-1, apr-util-1])
 AC_SUBST(APR_CFLAGS)
 AC_SUBST(APR_LIBS)
-PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 1.4.1])
+PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 1.4.2.1])
 AC_SUBST(OAUTH2_CFLAGS)
 AC_SUBST(OAUTH2_LIBS)
-PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 1.4.1])
+PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 1.4.2.1])
 AC_SUBST(OAUTH2_APACHE_CFLAGS)
 AC_SUBST(OAUTH2_APACHE_LIBS)
diff --git a/src/mod_oauth2.c b/src/mod_oauth2.c
index 35d889a..d4ee99b 100644
--- a/src/mod_oauth2.c
+++ b/src/mod_oauth2.c
@@ -192,6 +192,8 @@ static int oauth2_check_user_id_handler(request_rec *r)
 return DECLINED;
 }
+#define OAUTH2_BEARER_SCOPE_ERROR "OAUTH2_BEARER_SCOPE_ERROR"
+
 static authz_status
 oauth2_authz_checker(request_rec *r, const char *require_args,
 const void *parsed_require_args,
@@ -201,6 +203,7 @@ oauth2_authz_checker(request_rec *r, const char *require_args,
 oauth2_cfg_dir_t *cfg = NULL;
 oauth2_apache_request_ctx_t *ctx = NULL;
 authz_status rc = AUTHZ_DENIED_NO_USER;
+ const char *value = NULL;
 cfg = ap_get_module_config(r->per_dir_config, &oauth2_module);
 ctx = OAUTH2_APACHE_REQUEST_CTX(r, oauth2);
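Review bot: `OAUTH2_BEARER_SCOPE_ERROR` names an environment variable that administrators will reference from mod_headers, so it becomes part of the module's external contract, yet the new `#define` carries no comment; above it add `/* subprocess_env key that receives the WWW-Authenticate value of a scope/claims-based 401 (the header itself is removed from err_headers_out) so mod_headers or Require logic can inspect or re-emit it */`. That comment should also make clear that with this change the 401 produced in oauth2_authz_checker no longer carries WWW-Authenticate unless the deployment re-adds it, which differs from the pre-patch behaviour and deserves a line in the README or ChangeLog. `value`, declared in the second hunk, is later filled from `apr_table_get()` on `err_headers_out`, which returns NULL if the helper did not set the header; guard the `apr_table_set()` call (and the `%s` debug line) with `if (value != NULL)` so a NULL-valued env entry is never created. The body of oauth2_authz_checker continues beyond these hunks.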
@@ -217,12 +220,22 @@ oauth2_authz_checker(request_rec *r, const char *require_args,
 if (claims)
 json_decref(claims);
- if ((rc == AUTHZ_DENIED) && ap_auth_type(r))
+ if ((rc == AUTHZ_DENIED) && ap_auth_type(r)) {
 oauth2_apache_return_www_authenticate(
 cfg->source_token, ctx, HTTP_UNAUTHORIZED,
- "insufficient_scope", // TODO:
- // OAUTH2_ERROR_INSUFFICIENT_SCOPE,
+ OAUTH2_ERROR_INSUFFICIENT_SCOPE,
 "Different scope(s) or other claims required.");
+ value = apr_table_get(r->err_headers_out, OAUTH2_HTTP_HDR_WWW_AUTHENTICATE);
+ apr_table_unset(r->err_headers_out, OAUTH2_HTTP_HDR_WWW_AUTHENTICATE);
+ oauth2_debug(ctx->log, "setting environment variable %s to \"%s\" for " "usage in mod_headers", OAUTH2_BEARER_SCOPE_ERROR, value);
+ apr_table_set(r->subprocess_env, OAUTH2_BEARER_SCOPE_ERROR, value);
+ }
 oauth2_debug(ctx->log, "leave");