diff --git a/ChangeLog b/ChangeLog
index 3720ca3d..2f7fc44b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+07/12/2023
+- add support for hiding access_token from header/environment with OIDCPassAccessToken config option
+
 07/12/2023
 - add a sanity alg/enc check on self-encrypted AES GCM JWTs
 - bump to 2.4.14.3rc0
diff --git a/auth_openidc.conf b/auth_openidc.conf
index b53538ba..4459d06c 100644
--- a/auth_openidc.conf
+++ b/auth_openidc.conf
@@ -950,6 +950,11 @@
 # The default is "Off" (for security reasons). Can be configured on a per Directory/Location basis.
 #OIDCPreservePost [On|Off]
+# Indicates whether the access token and access token expires will be passed to the application in a header/environment variable, according
+# to the OIDCPassClaimsAs directive.
+# Can be configured on a per Directory/Location basis. The default is "On".
+#OIDCPassAccessToken [On|Off]
+#
 # Indicates whether the refresh token will be passed to the application in a header/environment variable, according
 # to the OIDCPassClaimsAs directive.
 # Can be configured on a per Directory/Location basis. The default is "Off".
diff --git a/src/config.c b/src/config.c
index a0c1c27b..a6953b00 100644
--- a/src/config.c
+++ b/src/config.c
@@ -125,6 +125,8 @@
 /* default for preserving POST parameters across authentication requests */
 #define OIDC_DEFAULT_PRESERVE_POST 0
 /* default for passing the access token in a header/environment variable */
+#define OIDC_DEFAULT_PASS_ACCESS_TOKEN 1
+/* default for passing the refresh token in a header/environment variable */
 #define OIDC_DEFAULT_PASS_REFRESH_TOKEN 0
 /* default for passing app info in headers */
 #define OIDC_DEFAULT_PASS_APP_INFO_IN_HEADERS 1
@@ -259,6 +261,7 @@
 #define OIDCUserInfoRefreshInterval "OIDCUserInfoRefreshInterval"
 #define OIDCOAuthTokenIntrospectionInterval "OIDCOAuthTokenIntrospectionInterval"
 #define OIDCPreservePost "OIDCPreservePost"
+#define OIDCPassAccessToken "OIDCPassAccessToken"
 #define OIDCPassRefreshToken "OIDCPassRefreshToken"
 #define OIDCRequestObject "OIDCRequestObject"
 #define OIDCProviderMetadataRefreshInterval "OIDCProviderMetadataRefreshInterval"
@@ -298,6 +301,7 @@ typedef struct oidc_dir_cfg {
 apr_hash_t *oauth_accept_token_options;
 int oauth_token_introspect_interval;
 int preserve_post;
+ int pass_access_token;
 int pass_refresh_token;
 oidc_apr_expr_t *path_auth_request_expr;
 oidc_apr_expr_t *path_scope_expr;
@@ -2187,6 +2191,7 @@ void* oidc_create_dir_config(apr_pool_t *pool, char *path) {
 c->oauth_accept_token_options = apr_hash_make(pool);
 c->oauth_token_introspect_interval = -2;
 c->preserve_post = OIDC_CONFIG_POS_INT_UNSET;
+ c->pass_access_token = OIDC_CONFIG_POS_INT_UNSET;
 c->pass_refresh_token = OIDC_CONFIG_POS_INT_UNSET;
 c->path_auth_request_expr = NULL;
 c->path_scope_expr = NULL;
@@ -2265,6 +2270,14 @@ int oidc_cfg_dir_pass_info_encoding(request_rec *r) {
 return dir_cfg->pass_info_as;
 }
+apr_byte_t oidc_cfg_dir_pass_access_token(request_rec *r) {
+ oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
+ &auth_openidc_module);
+ if (dir_cfg->pass_access_token == OIDC_CONFIG_POS_INT_UNSET)
+ return OIDC_DEFAULT_PASS_ACCESS_TOKEN;
+ return dir_cfg->pass_access_token;
+}
+
 apr_byte_t oidc_cfg_dir_pass_refresh_token(request_rec *r) {
 oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
 &auth_openidc_module);
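Review bot: oidc_cfg_dir_pass_access_token carries no header comment, and nothing in config.c records that the flag it returns also gates the access-token expiry timestamp (the conf text and the mod_auth_openidc.c hunks in this commit do). Add one above the definition, e.g. `/* per-directory OIDCPassAccessToken: whether the access token (and its expiry) may be handed to the application; OIDC_DEFAULT_PASS_ACCESS_TOKEN when unset */`. The int slot is written by ap_set_flag_slot and returned as apr_byte_t, which matches the neighbouring oidc_cfg_dir_pass_refresh_token, so no code change is needed there. The hunk ends inside oidc_cfg_dir_pass_refresh_token, whose body continues past it.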
@@ -2459,6 +2472,9 @@ void* oidc_merge_dir_config(apr_pool_t *pool, void *BASE, void *ADD) {
 c->preserve_post =
 add->preserve_post != OIDC_CONFIG_POS_INT_UNSET ?
 add->preserve_post : base->preserve_post;
+ c->pass_access_token =
+ add->pass_access_token != OIDC_CONFIG_POS_INT_UNSET ?
+ add->pass_access_token : base->pass_access_token;
 c->pass_refresh_token =
 add->pass_refresh_token != OIDC_CONFIG_POS_INT_UNSET ?
 add->pass_refresh_token : base->pass_refresh_token;
@@ -3624,6 +3640,11 @@ const command_rec oidc_config_cmds[] = {
 (void *) APR_OFFSETOF(oidc_dir_cfg, preserve_post),
 RSRC_CONF|ACCESS_CONF|OR_AUTHCFG,
 "Indicates whether POST parameters will be preserved across authentication requests."),
+ AP_INIT_FLAG(OIDCPassAccessToken,
+ ap_set_flag_slot,
+ (void*)APR_OFFSETOF(oidc_dir_cfg, pass_access_token),
+ RSRC_CONF|ACCESS_CONF|OR_AUTHCFG,
+ "Pass the access token in a header and/or environment variable (On or Off)"),
 AP_INIT_FLAG(OIDCPassRefreshToken,
 ap_set_flag_slot,
 (void*)APR_OFFSETOF(oidc_dir_cfg, pass_refresh_token),
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 4dfb47d4..87a6439a 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -1308,7 +1308,7 @@ static apr_byte_t oidc_session_pass_tokens(request_rec *r, oidc_cfg *cfg,
 /* set the access_token in the app headers/variables */
 const char *access_token = oidc_session_get_access_token(r, session);
- if (access_token != NULL) {
+ if ((oidc_cfg_dir_pass_access_token(r) != 0) && access_token != NULL) {
 /* pass it to the app in a header or environment variable */
 oidc_util_set_app_info(r, OIDC_APP_INFO_ACCESS_TOKEN, access_token,
 OIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars, pass_hdr_as);
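Review bot: The help string on the new AP_INIT_FLAG(OIDCPassAccessToken, …) entry describes only the access token, while the auth_openidc.conf text in this commit and the 1317 hunk in mod_auth_openidc.c gate the expiry timestamp with the same flag; the directive help shown by the server should say the same, e.g. `"Pass the access token and its expiry timestamp in a header and/or environment variable (On or Off)"`. oidc_config_cmds[] starts and ends outside the hunk.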
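Review bot: oidc_cfg_dir_pass_access_token(r) is evaluated here and again in the 1317 hunk, each call repeating the ap_get_module_config lookup on the same request; hoist it once near the top of oidc_session_pass_tokens, `const apr_byte_t pass_access_token = oidc_cfg_dir_pass_access_token(r);`, and write both guards as `if (pass_access_token && access_token != NULL) {`. Since the purpose of the flag is to keep the access token out of the headers and environment handed to the application, it is worth confirming that this function is the only caller that passes OIDC_APP_INFO_ACCESS_TOKEN to oidc_util_set_app_info; any other such path is not visible in this diff and would bypass the new check. oidc_session_pass_tokens starts before the hunk and continues after it.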
@@ -1317,7 +1317,7 @@ static apr_byte_t oidc_session_pass_tokens(request_rec *r, oidc_cfg *cfg,
 /* set the expiry timestamp in the app headers/variables */
 const char *access_token_expires = oidc_session_get_access_token_expires(r, session);
- if (access_token_expires != NULL) {
+ if ((oidc_cfg_dir_pass_access_token(r) != 0) && access_token_expires != NULL) {
 /* pass it to the app in a header or environment variable */
 oidc_util_set_app_info(r, OIDC_APP_INFO_ACCESS_TOKEN_EXP, access_token_expires,
diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
index d421e23a..169744ba 100644
--- a/src/mod_auth_openidc.h
+++ b/src/mod_auth_openidc.h
@@ -782,6 +782,7 @@ apr_byte_t oidc_cfg_dir_pass_info_in_headers(request_rec *r);
 apr_byte_t oidc_cfg_dir_pass_info_in_envvars(request_rec *r);
 int oidc_cfg_dir_pass_info_encoding(request_rec *r);
 apr_byte_t oidc_cfg_dir_pass_refresh_token(request_rec *r);
+apr_byte_t oidc_cfg_dir_pass_access_token(request_rec *r);
 apr_byte_t oidc_cfg_dir_accept_token_in(request_rec *r);
 char *oidc_cfg_dir_accept_token_in_option(request_rec *r, const char *key);
 int oidc_cfg_token_introspection_interval(request_rec *r);