don't apply authz to the redirect URI; bump to 2.4.9.3

fixes ac56864

Signed-off-by: Hans Zandbelt <[email protected]>

ChangeLog

@@ -1,3 +1,6 @@
+08/26/2021
+- don't apply authz to the redirect URI; fixes ac5686495a51bc93e257e42bfdc9c9c46252feb1
+
 08/20/2021
 - fix graceful restart (regression); see #458; thanks @Foxite
 - bump to 2.4.9.2

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.9.2],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.9.3],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

src/mod_auth_openidc.c

@@ -4030,11 +4030,16 @@ authz_status oidc_authz_checker(request_rec *r, const char *require_args,
 
 	oidc_debug(r, "enter: require_args=\"%s\"", require_args);
 
+	oidc_cfg *c = ap_get_module_config(r->server->module_config,
+			&auth_openidc_module);
+
 	/* check for anonymous access and PASS mode */
 	if (r->user != NULL && strlen(r->user) == 0) {
 		r->user = NULL;
 		if (oidc_dir_cfg_unauth_action(r) == OIDC_UNAUTH_PASS)
 			return AUTHZ_GRANTED;
+		if (oidc_util_request_matches_url(r, oidc_get_redirect_uri(r, c)) == TRUE)
+			return AUTHZ_GRANTED;
 	}
 
 	/* get the set of claims from the request state (they've been set in the authentication part earlier */
@@ -4114,11 +4119,16 @@ static int oidc_handle_unauthorized_user22(request_rec *r) {
  */
 int oidc_auth_checker(request_rec *r) {
 
+	oidc_cfg *c = ap_get_module_config(r->server->module_config,
+			&auth_openidc_module);
+
 	/* check for anonymous access and PASS mode */
 	if (r->user != NULL && strlen(r->user) == 0) {
 		r->user = NULL;
 		if (oidc_dir_cfg_unauth_action(r) == OIDC_UNAUTH_PASS)
 			return OK;
+		if (oidc_util_request_matches_url(r, oidc_get_redirect_uri(r, c)) == TRUE)
+			return OK;
 	}
 
 	/* get the set of claims from the request state (they've been set in the authentication part earlier */