diff --git a/ChangeLog b/ChangeLog
index de75a568..6c4660c0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+07/14/2023
+- fix session updates on userinfo requests; see https://github.com/OpenIDC/mod_auth_openidc/discussions/1077 this bug was introduced in v2.4.11 with d9fff154ee6ee8a7e4e969dd6a68cbaf18354598
+- bump to 2.4.14.3rc2
+
 07/12/2023
 - add a sanity alg/enc check on self-encrypted AES GCM JWTs
 - add `OIDCPassAccessToken Off` option to disable (the default of) passing the access token and its expiry
diff --git a/configure.ac b/configure.ac
index f1ddc5f3..3a78817e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.14.3rc1],[hans.zandbelt@openidc.com])
+AC_INIT([mod_auth_openidc],[2.4.14.3rc2],[hans.zandbelt@openidc.com])
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 87a6439a..02b20df6 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -4139,6 +4139,8 @@ int oidc_handle_redirect_uri_request(request_rec *r, oidc_cfg *c,
 		// need to establish user/claims for authorization purposes
 		rc = oidc_handle_existing_session(r, c, session, &needs_save);
 
+		apr_pool_userdata_set(oidc_session_copy(r, session), OIDC_USERDATA_SESSION, NULL, r->pool);
+
 		if (needs_save)
 			oidc_request_state_set(r, OIDC_REQUEST_STATE_KEY_SAVE, "");
 
@@ -4649,7 +4651,11 @@ int oidc_content_handler(request_rec *r) {
 
 	if (oidc_util_request_has_parameter(r, OIDC_REDIRECT_URI_REQUEST_INFO)) {
 
-		oidc_session_load(r, &session);
+		apr_pool_userdata_get((void**) &session, OIDC_USERDATA_SESSION, r->pool);
+		if (session == NULL) {
+			oidc_error(r, "session could not be found in userdata pool");
+			return HTTP_INTERNAL_SERVER_ERROR;
+		}
 
 		needs_save = (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_SAVE) != NULL);
 
diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
index 169744ba..a8f1c214 100644
--- a/src/mod_auth_openidc.h
+++ b/src/mod_auth_openidc.h
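Review bot: The snapshot stored at `apr_pool_userdata_set(oidc_session_copy(r, session), OIDC_USERDATA_SESSION, NULL, r->pool)` registers no cleanup, yet `oidc_session_copy` builds its `state` with `json_deep_copy`, which is a separately reference-counted jansson object rather than pool memory. Unless the content handler later hands this copy to `oidc_session_free` (not visible in this diff), that JSON tree is leaked once per redirect-URI request, which on a busy server adds up. If nothing else releases it, pass a pool cleanup in place of `NULL`, e.g. a small `static apr_status_t oidc_session_userdata_cleanup(void *data)` that `json_decref`s `((oidc_session_t *)data)->state`; if the content handler does free it, a one-line comment above the call saying so would stop the next reader from adding a second release. Note also that the copy is published regardless of the `rc` returned by `oidc_handle_existing_session`; that is fine only if every failing `rc` short-circuits the request before the content handler runs, which this hunk cannot show. `oidc_handle_redirect_uri_request` begins and ends outside the hunk.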
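Review bot: The replacement of `oidc_session_load(r, &session)` with a lookup of `OIDC_USERDATA_SESSION` turns a previously self-sufficient branch into one that fails with `HTTP_INTERNAL_SERVER_ERROR` whenever the access-check phase did not reach the new `apr_pool_userdata_set` call in the same request, for example an `info` request that never went through `oidc_handle_existing_session`, or a non-`OK` path that still lets the request proceed. A 500 on a logged-in user's userinfo poll is a harsh failure mode for what used to be a best-effort reload, and the message `"session could not be found in userdata pool"` gives an operator little to act on. Consider degrading to the old behaviour rather than failing, roughly `if (session == NULL) { oidc_warn(r, "no session snapshot in request userdata, reloading from the session store"); oidc_session_load(r, &session); }`, or at least document above the lookup why the snapshot is guaranteed to exist here. The discarded `apr_pool_userdata_get` status is fine in practice, since APR sets `*data` to NULL when the key is absent, but a comment to that effect would make the NULL check read as deliberate. `oidc_content_handler` starts before this hunk and continues after it.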
@@ -196,6 +196,7 @@ APLOG_USE_MODULE(auth_openidc);
 /* the (global) key for the mod_auth_openidc related state that is stored in the request userdata context */
 #define OIDC_USERDATA_KEY "mod_auth_openidc_state"
+#define OIDC_USERDATA_SESSION "mod_auth_openidc_session"
 #define OIDC_USERDATA_POST_PARAMS_KEY "oidc_userdata_post_params"
 
 /* input filter hook name */
@@ -961,6 +962,7 @@ apr_byte_t oidc_session_free(request_rec *r, oidc_session_t *z);
 apr_byte_t oidc_session_extract(request_rec *r, oidc_session_t *z);
 apr_byte_t oidc_session_load_cache_by_uuid(request_rec *r, oidc_cfg *c, const char *uuid, oidc_session_t *z);
 void oidc_session_id_new(request_rec *r, oidc_session_t *z);
+oidc_session_t *oidc_session_copy(request_rec *r, oidc_session_t *z);
 void oidc_session_set_userinfo_jwt(request_rec *r, oidc_session_t *z, const char *userinfo_jwt);
 const char * oidc_session_get_userinfo_jwt(request_rec *r, oidc_session_t *z);
diff --git a/src/session.c b/src/session.c
index 4184bbe1..b6966112 100644
--- a/src/session.c
+++ b/src/session.c
@@ -122,6 +122,21 @@ static void oidc_session_clear(request_rec *r, oidc_session_t *z) {
 	}
 }
 
+oidc_session_t *oidc_session_copy(request_rec *r, oidc_session_t *z) {
+	oidc_session_t *zz = apr_pcalloc(r->pool, sizeof(oidc_session_t));
+	oidc_session_clear(r, zz);
+	zz->expiry = z->expiry;
+	if (z->remote_user)
+		zz->remote_user = apr_pstrdup(r->pool, z->remote_user);
+	if (z->sid)
+		zz->sid = apr_pstrdup(r->pool, z->sid);
+	if (z->state)
+		zz->state = json_deep_copy(z->state);
+	if (z->uuid)
+		zz->uuid = apr_pstrdup(r->pool, z->uuid);
+	return zz;
+}
+
 apr_byte_t oidc_session_load_cache_by_uuid(request_rec *r, oidc_cfg *c, const char *uuid, oidc_session_t *z) {
 	const char *stored_uuid = NULL;
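Review bot: In `oidc_session_copy` the result of `json_deep_copy(z->state)` is not checked; jansson returns NULL on allocation failure, so the copy would silently come back with an empty `state` and the content handler would then serve or save a session that has lost its claims and tokens without any log line. Guard it as `zz->state = json_deep_copy(z->state); if (zz->state == NULL) oidc_error(r, "json_deep_copy of session state failed");` so the failure is at least visible. The function also dereferences `z` unconditionally and copies exactly five members (`expiry`, `remote_user`, `sid`, `state`, `uuid`); if `oidc_session_t` has any other field (the struct is not in this diff) it is dropped by the copy, which deserves either a comment listing that as intentional or a copy of the remaining members. Finally, the ownership of the copy is undocumented: a header comment such as `/* duplicate a session into r->pool; the caller owns the returned copy and must release its json_deep_copy'd state (e.g. via oidc_session_free) */` would make the lifetime contract explicit for the userdata consumer.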