Add option to not pass access_token to application

Adds OIDCPassAccessToken config option to control if the OIDC_access_token and OIDC_access_token_expires variables should be exposed to the client application.

ChangeLog

@@ -1,3 +1,6 @@
+07/12/2023
+- add support for hiding access_token from header/environment with OIDCPassAccessToken config option
+
 07/12/2023
 - add a sanity alg/enc check on self-encrypted AES GCM JWTs
 - bump to 2.4.14.3rc0

auth_openidc.conf

@@ -950,6 +950,11 @@
 # The default is "Off" (for security reasons). Can be configured on a per Directory/Location basis.
 #OIDCPreservePost [On|Off]
 
+# Indicates whether the access token and access token expires will be passed to the application in a header/environment variable, according
+# to the OIDCPassClaimsAs directive.
+# Can be configured on a per Directory/Location basis. The default is "On".
+#OIDCPassAccessToken [On|Off]
+#
 # Indicates whether the refresh token will be passed to the application in a header/environment variable, according
 # to the OIDCPassClaimsAs directive.
 # Can be configured on a per Directory/Location basis. The default is "Off". 

src/config.c

@@ -125,6 +125,8 @@
 /* default for preserving POST parameters across authentication requests */
 #define OIDC_DEFAULT_PRESERVE_POST 0
 /* default for passing the access token in a header/environment variable */
+#define OIDC_DEFAULT_PASS_ACCESS_TOKEN 1
+/* default for passing the refresh token in a header/environment variable */
 #define OIDC_DEFAULT_PASS_REFRESH_TOKEN 0
 /* default for passing app info in headers */
 #define OIDC_DEFAULT_PASS_APP_INFO_IN_HEADERS 1
@@ -259,6 +261,7 @@
 #define OIDCUserInfoRefreshInterval            "OIDCUserInfoRefreshInterval"
 #define OIDCOAuthTokenIntrospectionInterval    "OIDCOAuthTokenIntrospectionInterval"
 #define OIDCPreservePost                       "OIDCPreservePost"
+#define OIDCPassAccessToken                    "OIDCPassAccessToken"
 #define OIDCPassRefreshToken                   "OIDCPassRefreshToken"
 #define OIDCRequestObject                      "OIDCRequestObject"
 #define OIDCProviderMetadataRefreshInterval    "OIDCProviderMetadataRefreshInterval"
@@ -298,6 +301,7 @@ typedef struct oidc_dir_cfg {
 	apr_hash_t *oauth_accept_token_options;
 	int oauth_token_introspect_interval;
 	int preserve_post;
+	int pass_access_token;
 	int pass_refresh_token;
 	oidc_apr_expr_t *path_auth_request_expr;
 	oidc_apr_expr_t *path_scope_expr;
@@ -2187,6 +2191,7 @@ void* oidc_create_dir_config(apr_pool_t *pool, char *path) {
 	c->oauth_accept_token_options = apr_hash_make(pool);
 	c->oauth_token_introspect_interval = -2;
 	c->preserve_post = OIDC_CONFIG_POS_INT_UNSET;
+	c->pass_access_token = OIDC_CONFIG_POS_INT_UNSET;
 	c->pass_refresh_token = OIDC_CONFIG_POS_INT_UNSET;
 	c->path_auth_request_expr = NULL;
 	c->path_scope_expr = NULL;
@@ -2265,6 +2270,14 @@ int oidc_cfg_dir_pass_info_encoding(request_rec *r) {
 	return dir_cfg->pass_info_as;
 }
 
+apr_byte_t oidc_cfg_dir_pass_access_token(request_rec *r) {
+	oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
+			&auth_openidc_module);
+	if (dir_cfg->pass_access_token == OIDC_CONFIG_POS_INT_UNSET)
+		return OIDC_DEFAULT_PASS_ACCESS_TOKEN;
+	return dir_cfg->pass_access_token;
+}
+
 apr_byte_t oidc_cfg_dir_pass_refresh_token(request_rec *r) {
 	oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
 			&auth_openidc_module);
@@ -2459,6 +2472,9 @@ void* oidc_merge_dir_config(apr_pool_t *pool, void *BASE, void *ADD) {
 	c->preserve_post =
 			add->preserve_post != OIDC_CONFIG_POS_INT_UNSET ?
 					add->preserve_post : base->preserve_post;
+	c->pass_access_token =
+			add->pass_access_token != OIDC_CONFIG_POS_INT_UNSET ?
+					add->pass_access_token : base->pass_access_token;
 	c->pass_refresh_token =
 			add->pass_refresh_token != OIDC_CONFIG_POS_INT_UNSET ?
 					add->pass_refresh_token : base->pass_refresh_token;
@@ -3624,6 +3640,11 @@ const command_rec oidc_config_cmds[] = {
 				(void *) APR_OFFSETOF(oidc_dir_cfg, preserve_post),
 				RSRC_CONF|ACCESS_CONF|OR_AUTHCFG,
 				"Indicates whether POST parameters will be preserved across authentication requests."),
+		AP_INIT_FLAG(OIDCPassAccessToken,
+				ap_set_flag_slot,
+				(void*)APR_OFFSETOF(oidc_dir_cfg, pass_access_token),
+				RSRC_CONF|ACCESS_CONF|OR_AUTHCFG,
+				"Pass the access token in a header and/or environment variable (On or Off)"),
 		AP_INIT_FLAG(OIDCPassRefreshToken,
 				ap_set_flag_slot,
 				(void*)APR_OFFSETOF(oidc_dir_cfg, pass_refresh_token),

src/mod_auth_openidc.c

@@ -1308,7 +1308,7 @@ static apr_byte_t oidc_session_pass_tokens(request_rec *r, oidc_cfg *cfg,
 
 	/* set the access_token in the app headers/variables */
 	const char *access_token = oidc_session_get_access_token(r, session);
-	if (access_token != NULL) {
+	if ((oidc_cfg_dir_pass_access_token(r) != 0) && access_token != NULL) {
 		/* pass it to the app in a header or environment variable */
 		oidc_util_set_app_info(r, OIDC_APP_INFO_ACCESS_TOKEN, access_token,
 				OIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars, pass_hdr_as);
@@ -1317,7 +1317,7 @@ static apr_byte_t oidc_session_pass_tokens(request_rec *r, oidc_cfg *cfg,
 	/* set the expiry timestamp in the app headers/variables */
 	const char *access_token_expires = oidc_session_get_access_token_expires(r,
 			session);
-	if (access_token_expires != NULL) {
+	if ((oidc_cfg_dir_pass_access_token(r) != 0) && access_token_expires != NULL) {
 		/* pass it to the app in a header or environment variable */
 		oidc_util_set_app_info(r, OIDC_APP_INFO_ACCESS_TOKEN_EXP,
 				access_token_expires,

src/mod_auth_openidc.h

@@ -782,6 +782,7 @@ apr_byte_t oidc_cfg_dir_pass_info_in_headers(request_rec *r);
 apr_byte_t oidc_cfg_dir_pass_info_in_envvars(request_rec *r);
 int oidc_cfg_dir_pass_info_encoding(request_rec *r);
 apr_byte_t oidc_cfg_dir_pass_refresh_token(request_rec *r);
+apr_byte_t oidc_cfg_dir_pass_access_token(request_rec *r);
 apr_byte_t oidc_cfg_dir_accept_token_in(request_rec *r);
 char *oidc_cfg_dir_accept_token_in_option(request_rec *r, const char *key);
 int oidc_cfg_token_introspection_interval(request_rec *r);