allow relative values in OIDCDefaultURL and OIDCDefaultLoggedOutURL

bump to 2.4.14.3rc3 Signed-off-by: Hans Zandbelt <[email protected]>
OpenIDC · Jul 18, 2023 · 85ca240 · 85ca240
1 parent 31c3109
commit 85ca240
Show file tree

Hide file tree

Showing 7 changed files with 37 additions and 24 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,7 @@
+07/18/2023
+- allow relative values in OIDCDefaultURL and OIDCDefaultLoggedOutURL
+- bump to 2.4.14.3rc3
+
 07/14/2023
 - fix session updates on userinfo requests; see https://github.com/OpenIDC/mod_auth_openidc/discussions/1077
   this bug was introduced in v2.4.11 with d9fff154ee6ee8a7e4e969dd6a68cbaf18354598

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.14.3rc2],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.14.3rc3],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

diff --git a/src/config.c b/src/config.c
@@ -3301,12 +3301,12 @@ const command_rec oidc_config_cmds[] = {
 				RSRC_CONF,
 				"Define the Redirect URI (e.g.: https://localhost:9031/protected/example/)"),
 		AP_INIT_TAKE1(OIDCDefaultURL,
-				oidc_set_url_slot,
+				oidc_set_relative_or_absolute_url_slot,
 				(void *)APR_OFFSETOF(oidc_cfg, default_sso_url),
 				RSRC_CONF,
 				"Defines the default URL where the user is directed to in case of 3rd-party initiated SSO."),
 		AP_INIT_TAKE1(OIDCDefaultLoggedOutURL,
-				oidc_set_url_slot,
+				oidc_set_relative_or_absolute_url_slot,
 				(void *)APR_OFFSETOF(oidc_cfg, default_slo_url),
 				RSRC_CONF,
 				"Defines the default URL where the user is directed to after logout."),

diff --git a/src/metadata.c b/src/metadata.c
@@ -586,7 +586,8 @@ static apr_byte_t oidc_metadata_client_register(request_rec *r, oidc_cfg *cfg,
 
 	if (cfg->default_slo_url != NULL) {
 		json_object_set_new(data, OIDC_METADATA_POST_LOGOUT_REDIRECT_URIS,
-				json_pack("[s]", cfg->default_slo_url));
+				json_pack("[s]",
+						oidc_get_absolute_url(r, cfg, cfg->default_slo_url)));
 	}
 
 	/* add any custom JSON in to the registration request */

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -1674,7 +1674,8 @@ static int oidc_handle_existing_session(request_rec *r, oidc_cfg *cfg,
 
 	if (rv == OIDC_REFRESH_ERROR) {
 		*needs_save = FALSE;
-		return oidc_handle_logout_request(r, cfg, session, cfg->default_slo_url);
+		return oidc_handle_logout_request(r, cfg, session,
+				oidc_get_absolute_url(r, cfg, cfg->default_slo_url));
 	}
 
 	*needs_save |= rv;
@@ -2135,8 +2136,8 @@ static int oidc_handle_authorization_response(request_rec *r, oidc_cfg *c,
 			oidc_warn(r,
 					"invalid authorization response state; a default SSO URL is set, sending the user there: %s",
 					c->default_sso_url);
-			oidc_util_hdr_out_location_set(r, c->default_sso_url);
-			//oidc_util_hdr_err_out_add(r, "Location", c->default_sso_url));
+			oidc_util_hdr_out_location_set(r,
+					oidc_get_absolute_url(r, c, c->default_sso_url));
 			return HTTP_MOVED_TEMPORARILY;
 		}
 		oidc_error(r,
@@ -2843,7 +2844,8 @@ static int oidc_handle_discovery_response(request_rec *r, oidc_cfg *c) {
 					"SSO to this module without specifying a \"target_link_uri\" parameter is not possible because " OIDCDefaultURL " is not set.",
 					HTTP_INTERNAL_SERVER_ERROR);
 		}
-		target_link_uri = c->default_sso_url;
+		target_link_uri = apr_pstrdup(r->pool,
+				oidc_get_absolute_url(r, c, c->default_sso_url));
 	}
 
 	/* do open redirect prevention, step 1 */
@@ -3409,7 +3411,8 @@ static int oidc_handle_logout(request_rec *r, oidc_cfg *c,
 
 	if ((url == NULL) || (_oidc_strcmp(url, "") == 0)) {
 
-		url = c->default_slo_url;
+		url = apr_pstrdup(r->pool,
+				oidc_get_absolute_url(r, c, c->default_slo_url));
 
 	} else {
 
@@ -3618,7 +3621,8 @@ static int oidc_handle_session_management(request_rec *r, oidc_cfg *c,
 	if (_oidc_strcmp("logout", cmd) == 0) {
 		oidc_debug(r,
 				"[session=logout] calling oidc_handle_logout_request because of session mgmt local logout call.");
-		return oidc_handle_logout_request(r, c, session, c->default_slo_url);
+		return oidc_handle_logout_request(r, c, session,
+				oidc_get_absolute_url(r, c, c->default_slo_url));
 	}
 
 	if (oidc_get_provider_from_session(r, c, session, &provider) == FALSE) {
@@ -4659,15 +4663,16 @@ int oidc_content_handler(request_rec *r) {
 				OIDC_REDIRECT_URI_REQUEST_INFO)) {
 
 			/* see if a session was retained in the request state */
-			apr_pool_userdata_get((void**) &session, OIDC_USERDATA_SESSION, r->pool);
+			apr_pool_userdata_get((void**) &session, OIDC_USERDATA_SESSION,
+					r->pool);
 
 			/* if no retained session was found, load it from the cache or create a new one*/
 			if (session == NULL)
 				oidc_session_load(r, &session);
 
 			/*
 			 * see if the request state indicates that the (retained)
-			 * session was modified and needs to be updated in the cach
+			 * session was modified and needs to be updated in the cache
 			 */
 			needs_save = (oidc_request_state_get(r, OIDC_REQUEST_STATE_KEY_SAVE)
 					!= NULL);

diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
@@ -819,6 +819,7 @@ int oidc_base64url_encode(request_rec *r, char **dst, const char *src, int src_l
 int oidc_base64url_decode(apr_pool_t *pool, char **dst, const char *src);
 const char *oidc_get_current_url_host(request_rec *r, const apr_byte_t x_forwarded_headers);
 char *oidc_get_current_url(request_rec *r, const apr_byte_t x_forwarded_headers);
+const char *oidc_get_absolute_url(request_rec *r, oidc_cfg *cfg, const char *url);
 const char *oidc_get_redirect_uri(request_rec *r, oidc_cfg *c);
 const char *oidc_get_redirect_uri_iss(request_rec *r, oidc_cfg *c, oidc_provider_t *provider);
 char *oidc_url_encode(const request_rec *r, const char *str, const char *charsToEncode);

diff --git a/src/util.c b/src/util.c
@@ -793,22 +793,24 @@ char* oidc_get_current_url(request_rec *r, const apr_byte_t x_forwarded_headers)
 }
 
 /*
- * determine absolute redirect uri
+ * infer a full absolute URL from the (optional) relative one
  */
-const char* oidc_get_redirect_uri(request_rec *r, oidc_cfg *cfg) {
-
-	char *redirect_uri = cfg->redirect_uri;
-
-	if ((redirect_uri != NULL)
-			&& (redirect_uri[0] == OIDC_CHAR_FORWARD_SLASH)) {
-		// relative redirect uri
-
-		redirect_uri = apr_pstrcat(r->pool, oidc_get_current_url_base(r, cfg->x_forwarded_headers),
+const char *oidc_get_absolute_url(request_rec *r, oidc_cfg *cfg, const char *url) {
+	if ((url != NULL)
+			&& (url[0] == OIDC_CHAR_FORWARD_SLASH)) {
+		url = apr_pstrcat(r->pool, oidc_get_current_url_base(r, cfg->x_forwarded_headers),
 				cfg->redirect_uri, NULL);
 
-		oidc_debug(r, "determined absolute redirect uri: %s", redirect_uri);
+		oidc_debug(r, "determined absolute url: %s", url);
 	}
-	return redirect_uri;
+	return url;
+}
+
+/*
+ * determine absolute Redirect URI
+ */
+const char* oidc_get_redirect_uri(request_rec *r, oidc_cfg *cfg) {
+	return oidc_get_absolute_url(r, cfg, cfg->redirect_uri);
 }
 
 /*