remove workarounds for Google; release 1.8.3

OpenIDC · Jun 19, 2015 · 89f40fb · 89f40fb
1 parent f7468e6
commit 89f40fb
Show file tree

Hide file tree

Showing 6 changed files with 10 additions and 27 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,5 +1,7 @@
 6/19/2015
 - make public keys for encrypted access tokens available in OAuth-only configurations; fixes #74
+- remove exceptions for accounts.google.com since Google is OpenID Connect compliant now
+- release 1.8.3
 
 6/15/2015
 - add a complete JWT sample that includes validation of "exp" and "iat" to the test suite

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[1.8.3rc4],[[email protected]])
+AC_INIT([mod_auth_openidc],[1.8.3],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,9 @@
+libapache2-mod-auth-openidc (1.8.3-1) unstable; urgency=medium
+
+  * remove accounts.google.com exceptions
+
+ -- Hans Zandbelt <[email protected]>  Fri, 19 Jun 2015 19:15:02 +0200
+
 libapache2-mod-auth-openidc (1.8.2-1) unstable; urgency=medium
 
   * Elliptic Curve fixes

diff --git a/src/metadata.c b/src/metadata.c
@@ -102,8 +102,7 @@ static const char *oidc_metadata_filename_to_issuer(request_rec *r,
 	char *p = strrchr(result, '.');
 	*p = '\0';
 	p = oidc_util_unescape_string(r, result);
-	return (strcmp(p, "accounts.google.com") == 0) ?
-			p : apr_psprintf(r->pool, "https://%s", p);
+	return apr_psprintf(r->pool, "https://%s", p);
 }
 
 /*

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -1421,18 +1421,6 @@ static int oidc_authenticate_user(request_rec *r, oidc_cfg *c,
 	/* create state that restores the context when the authorization response comes in; cryptographically bind it to the browser */
 	oidc_authorization_request_set_cookie(r, c, state, proto_state);
 
-	/*
-	 * TODO: I'd like to include the nonce all flows, including the "code" and "code token" flows
-	 * but Google does not allow me to do that:
-	 * Error: invalid_request: Parameter not allowed for this message type: nonce
-	 */
-	if ((apr_strnatcmp(provider->issuer, "accounts.google.com") == 0)
-			&& ((oidc_util_spaced_string_equals(r->pool,
-					provider->response_type, "code"))
-					|| (oidc_util_spaced_string_equals(r->pool,
-							provider->response_type, "code token"))))
-		json_object_del(proto_state, "nonce");
-
 	/*
 	 * printout errors if Cookie settings are not going to work
 	 */
@@ -1609,13 +1597,6 @@ static int oidc_handle_discovery_response(request_rec *r, oidc_cfg *c) {
 
 		/* issuer is set now, so let's continue as planned */
 
-	} else if (apr_strnatcmp(issuer, "accounts.google.com") != 0) {
-
-		/* allow issuer/domain entries that don't start with https */
-		issuer = apr_psprintf(r->pool, "%s",
-				((strstr(issuer, "http://") == issuer)
-						|| (strstr(issuer, "https://") == issuer)) ?
-						issuer : apr_psprintf(r->pool, "https://%s", issuer));
 	}
 
 	/* strip trailing '/' */

diff --git a/src/proto.c b/src/proto.c
@@ -1368,11 +1368,6 @@ static apr_byte_t oidc_proto_parse_idtoken_and_validate_code(request_rec *r,
 
 	json_t *nonce = json_object_get(proto_state, "nonce");
 
-	/* TODO: Google does not allow nonce in "code" or "code token" flows... */
-	if ((is_code_flow)
-			&& (strcmp(provider->issuer, "accounts.google.com") == 0))
-		nonce = NULL;
-
 	if (oidc_proto_parse_idtoken(r, c, provider, id_token,
 			nonce ? json_string_value(nonce) : NULL, jwt, is_code_flow) == FALSE)
 		return FALSE;