re-use expression from OIDCUnAuthAction for OIDCUnAutzAction stepup auth
when an expression is configured for OIDCUnAuthAction (i.e. in the 2nd
argument), also apply it to OIDCUnAutzAction so that it can be used to
enable step-up authentication for SPAs with non-conformant browsers
(some versions of Safari) and in (potentially insecure) iframes;
see #1205; thanks @ryanwilliamnicholls

Signed-off-by: Hans Zandbelt <[email protected]>
zandbelt committed Apr 3, 2024
1 parent 66b84a0 commit 0aa5431
Showing 4 changed files with 18 additions and 2 deletions.
1 change: 1 addition & 0 deletions AUTHORS
@@ -92,3 +92,4 @@ reporting bugs, providing fixes, suggesting useful features or other:
Mattias Åsander <https://github.com/mattias-asander>
adg-mh <https://github.com/adg-mh>
David P. Discher <https://github.com/daviddpd>
ryanwilliamnicholls <https://github.com/ryanwilliamnicholls>
6 changes: 6 additions & 0 deletions ChangeLog
@@ -1,3 +1,9 @@
04/03/2024
- when an expression is configured for OIDCUnAuthAction (i.e. in the 2nd argument), also apply
it to OIDCUnAutzAction so that it can be used to enable step-up authentication for SPAs with
non-conformant browsers (some versions of Safari) and in (potentially insecure) iframes
see #1205; thanks @ryanwilliamnicholls

04/02/2024
- major rewrite of config primitive handling:
- split out over different files, use header files consistently
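Review bot: the new 04/03/2024 entry runs "iframes see #1205" together; add a semicolon or full stop before "see #1205", as the commit message does. The entry also omits the two other things this commit touches, the updated OIDCUnAutzAction documentation in auth_openidc.conf and the OIDCUnAuthzAction spelling fix in the metrics classes comment; either list them here or keep the spelling fix out of this commit.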
3 changes: 2 additions & 1 deletion auth_openidc.conf
@@ -956,6 +956,7 @@
# Useful in Location/Directory/Proxy path contexts that need to do stepup authentication
# Be aware that this will only work in combination with a single Require statement or RequireAll,
# so using RequireAny and multiple Require statements is not supported.
# Also for "auth", the expression argument for OIDCUnAuthAction is re-used here to detect XHR requests.
# When not defined the default "403" is used. However Apache 2.4 will change this to 401 unless you set "AuthzSendForbiddenOnFailure on"
#OIDCUnAutzAction [401|403|302|auth] [<argument>]
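Review bot: the added comment line says the OIDCUnAuthAction expression is "re-used here to detect XHR requests" but not what that changes: in the src/handle/authz.c hunk of this same commit the expression, when configured, replaces the built-in check for requests that cannot complete an authentication round trip rather than supplementing it, so an operator who sets an expression silently loses that heuristic for the "auth" action. Suggest stating that explicitly, e.g. "When OIDCUnAuthAction has an expression argument, that expression replaces the built-in XHR/non-browser request detection for the "auth" action." The sentence itself would also read better as "For "auth", the expression argument of OIDCUnAuthAction (if set) is also used here to detect XHR requests."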

@@ -1029,7 +1030,7 @@
# Supported metrics classes are:
# authtype Request counter, overall and per AuthType: openid-connect, oauth20 and auth-openidc.
# authn Authentication request creation and response processing.
# authz Authorization errors per OIDCUnAuthzAction (per Require statement, not overall).
# authz Authorization errors per OIDCUnAutzAction (per Require statement, not overall).
# require.claim Match/failure count of Require claim directives (per Require statement, not overall).
# provider Requests to the provider [token, userinfo, metadata] endpoints.
# session Existing session processing.
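Review bot: this is a spelling fix of the directive name in the metrics classes comment (OIDCUnAuthzAction to OIDCUnAutzAction, matching the directive documented earlier in this file) that is unrelated to the step-up change; it is fine to keep, but it should then be mentioned in the ChangeLog entry, or split into its own commit so the history for the behaviour change stays focused.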
10 changes: 9 additions & 1 deletion src/handle/authz.c
@@ -499,8 +499,16 @@ static authz_status oidc_authz_24_unauthorized_user(request_rec *r) {
* exception handling: if this looks like an HTTP request that cannot
* complete an authentication round trip to the provider, we
* won't redirect the user and thus avoid creating a state cookie
*
* NB: when the expression argument to OIDCUnAuthAction is configured,
* it is re-used here to detect XHR requests.
*/
if (oidc_is_auth_capable_request(r) == FALSE) {
if (oidc_cfg_dir_unauth_expr_is_set(r) == TRUE) {
if (oidc_cfg_dir_unauth_action_get(r) != OIDC_UNAUTH_AUTHENTICATE) {
OIDC_METRICS_COUNTER_INC(r, c, OM_AUTHZ_ACTION_401);
return AUTHZ_DENIED;
}
} else if (oidc_is_auth_capable_request(r) == FALSE) {
OIDC_METRICS_COUNTER_INC(r, c, OM_AUTHZ_ACTION_401);
return AUTHZ_DENIED;
}
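Review bot: when oidc_cfg_dir_unauth_expr_is_set(r) is TRUE the oidc_is_auth_capable_request(r) check is no longer evaluated at all, so a request the expression does not match (for example an XHR whose expression keys on a header the client did not send) falls through to the redirect and gets a state cookie, which is exactly what the comment above this block says it exists to avoid. If the expression is meant to extend the heuristic rather than replace it, test both conditions, e.g. `if (oidc_is_auth_capable_request(r) == FALSE || (oidc_cfg_dir_unauth_expr_is_set(r) == TRUE && oidc_cfg_dir_unauth_action_get(r) != OIDC_UNAUTH_AUTHENTICATE))`; if replacing it is intended, the NB comment and auth_openidc.conf should say so. Two smaller points in the same hunk: OM_AUTHZ_ACTION_401 is incremented for any action other than OIDC_UNAUTH_AUTHENTICATE, whatever OIDCUnAuthAction was configured to return, so the metric name no longer matches what was counted; and the NB comment should note that the expression is being evaluated in the authorization path for a request that already passed authentication, since that is a different context from the one OIDCUnAuthAction was written for.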
