add OIDCDPoPMode [off|optional|required] primitive

- store the token_type in the session
- pass the token type in a header to the backend

Signed-off-by: Hans Zandbelt <[email protected]>

ChangeLog

@@ -1,3 +1,7 @@
+06/06/2024
+- add OIDCDPoPMode [off|optional|required] primitive
+- store the token_type in the session
+
 06/05/2024
 - add "nbf" claim in the Request Object as per https://openid.net/specs/openid-financial-api-part-2-1_0-final.html#rfc.section.5.2.2
 

auth_openidc.conf

@@ -304,10 +304,18 @@
 # NB: this can be overridden on a per-OP basis in the .conf file using the key: client_contact
 #OIDCClientContact <contact>
 
-# The PKCE method used (this serves as default value for discovered OPs too)
+# The PKCE method used (this serves as default value for multi-provider OPs too)
 # When not defined S256 is used.
 # NB: this can be overridden on a per-OP basis in the .conf file using the key: pkce_method
-#OIDCPKCEMethod [plain|S256|none]
+#OIDCPKCEMethod [ S256 | plain | |none ]
+
+# The DPoP mode used (this serves as default value for  multi-provider OPs too)
+#  off: no DPoP token is requested from the OP
+#  optional: a DPoP token is requested from the OP but we'll continue even if the returned token is Bearer
+#  required: a DPoP token is requested from the OP and we'll fail if the returned token type is not DPoP
+# When not defined "off" is used.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: dpop_mode
+#OIDCDPoPMode [ off | optional | required]
 
 # (used only in dynamic client registration)
 # Define the Client JWKs URL (e.g. https://localhost/protected/?jwks=rsa)") that will be

src/cfg/cfg.h

@@ -117,6 +117,7 @@ typedef enum {
 
 #define OIDC_HOOK_INFO_TIMESTAMP "iat"
 #define OIDC_HOOK_INFO_ACCES_TOKEN "access_token"
+#define OIDC_HOOK_INFO_ACCES_TOKEN_TYPE "access_token_type"
 #define OIDC_HOOK_INFO_ACCES_TOKEN_EXP "access_token_expires"
 #define OIDC_HOOK_INFO_ID_TOKEN_HINT "id_token_hint"
 #define OIDC_HOOK_INFO_ID_TOKEN "id_token"

src/cfg/cmds.c

@@ -545,6 +545,11 @@ const command_rec oidc_cfg_cmds[] = {
 		OIDCPKCEMethod,
 		pkce,
 		"The RFC 7636 PCKE mode used; must be one of \"plain\" or \"S256\""),
+	OIDC_CFG_CMD_PROVIDER(
+		AP_INIT_TAKE1,
+		OIDCDPoPMode,
+		dpop_mode,
+		"The RFC 9449 DPoP mode used; must be one of \"off\", \"optional\" or \"required\""),
 	OIDC_CFG_CMD_PROVIDER(
 		AP_INIT_TAKE1,
 		OIDCClientID,

src/cfg/provider.c

@@ -82,6 +82,7 @@ struct oidc_provider_t {
 	char *logout_request_params;
 	int session_max_duration;
 	oidc_proto_pkce_t *pkce;
+	oidc_dpop_mode_t dpop_mode;
 	int userinfo_refresh_interval;
 	apr_array_header_t *client_keys;
 	char *client_jwks_uri;
@@ -261,6 +262,26 @@ const char *oidc_cfg_provider_pkce_set(apr_pool_t *pool, oidc_provider_t *provid
 
 OIDC_PROVIDER_MEMBER_FUNCS_TYPE_DEF(pkce, const oidc_proto_pkce_t *, OIDC_DEFAULT_PROVIDER_PKCE)
 
+/*
+ * DPoP
+ */
+#define OIDC_DPOP_MODE_OFF_STR "off"
+#define OIDC_DPOP_MODE_OPTIONAL_STR "optional"
+#define OIDC_DPOP_MODE_REQUIRED_STR "required"
+
+static const char *oidc_cfg_provider_parse_dop_method(apr_pool_t *pool, const char *arg, oidc_dpop_mode_t *mode) {
+	static const oidc_cfg_option_t options[] = {
+	    {OIDC_DPOP_MODE_OFF, OIDC_DPOP_MODE_OFF_STR},
+	    {OIDC_DPOP_MODE_OPTIONAL, OIDC_DPOP_MODE_OPTIONAL_STR},
+	    {OIDC_DPOP_MODE_REQUIRED, OIDC_DPOP_MODE_REQUIRED_STR},
+	};
+	return oidc_cfg_parse_option(pool, options, OIDC_CFG_OPTIONS_SIZE(options), arg, (int *)mode);
+}
+
+#define OIDC_DEFAULT_DPOP_MODE OIDC_DPOP_MODE_OFF
+OIDC_PROVIDER_MEMBER_FUNCS_STR_INT(dpop_mode, oidc_cfg_provider_parse_dop_method, oidc_dpop_mode_t,
+				   OIDC_DEFAULT_DPOP_MODE)
+
 OIDC_PROVIDER_MEMBER_FUNCS_STR(issuer, NULL)
 OIDC_PROVIDER_MEMBER_FUNCS_URL(authorization_endpoint_url)
 OIDC_PROVIDER_MEMBER_FUNCS_STR(auth_request_params, NULL)
@@ -619,6 +640,7 @@ static void oidc_cfg_provider_init(oidc_provider_t *provider) {
 	provider->auth_request_params = NULL;
 	provider->logout_request_params = NULL;
 	provider->pkce = NULL;
+	provider->dpop_mode = OIDC_CONFIG_POS_INT_UNSET;
 
 	provider->client_jwks_uri = NULL;
 	provider->client_keys = NULL;
@@ -711,6 +733,7 @@ void oidc_cfg_provider_merge(apr_pool_t *pool, oidc_provider_t *dst, const oidc_
 	dst->logout_request_params =
 	    add->logout_request_params != NULL ? add->logout_request_params : base->logout_request_params;
 	dst->pkce = add->pkce != NULL ? add->pkce : base->pkce;
+	dst->dpop_mode = add->dpop_mode != OIDC_CONFIG_POS_INT_UNSET ? add->dpop_mode : base->dpop_mode;
 
 	dst->client_jwks_uri = add->client_jwks_uri != NULL ? add->client_jwks_uri : base->client_jwks_uri;
 	dst->client_keys = add->client_keys != NULL ? add->client_keys : base->client_keys;

src/cfg/provider.h

@@ -74,11 +74,18 @@ typedef enum {
 	OIDC_AUTH_REQUEST_METHOD_PAR = 3,
 } oidc_auth_request_method_t;
 
+/* methods to send an access token in a userinfo request */
 typedef enum {
 	OIDC_USER_INFO_TOKEN_METHOD_HEADER = 1,
 	OIDC_USER_INFO_TOKEN_METHOD_POST = 2,
 } oidc_userinfo_token_method_t;
 
+typedef enum {
+	OIDC_DPOP_MODE_OFF = 1,
+	OIDC_DPOP_MODE_OPTIONAL = 2,
+	OIDC_DPOP_MODE_REQUIRED = 3,
+} oidc_dpop_mode_t;
+
 typedef struct oidc_jwks_uri_t {
 	const char *uri;
 	int refresh_interval;
@@ -109,6 +116,7 @@ typedef struct oidc_jwks_uri_t {
 #define OIDCResponseType "OIDCResponseType"
 #define OIDCProviderAuthRequestMethod "OIDCProviderAuthRequestMethod"
 #define OIDCPKCEMethod "OIDCPKCEMethod"
+#define OIDCDPoPMode "OIDCDPoPMode"
 #define OIDCResponseMode "OIDCResponseMode"
 #define OIDCClientJwksUri "OIDCClientJwksUri"
 #define OIDCIDTokenSignedResponseAlg "OIDCIDTokenSignedResponseAlg"
@@ -222,6 +230,7 @@ OIDC_CFG_PROVIDER_MEMBER_FUNCS_INT_DECL(userinfo_refresh_interval, const char *)
 // for metadata.c
 OIDC_CFG_PROVIDER_MEMBER_FUNCS_INT_INT_DECL(userinfo_token_method, oidc_userinfo_token_method_t)
 OIDC_CFG_PROVIDER_MEMBER_FUNCS_INT_INT_DECL(auth_request_method, oidc_auth_request_method_t)
+OIDC_CFG_PROVIDER_MEMBER_FUNCS_INT_INT_DECL(dpop_mode, oidc_dpop_mode_t)
 
 // types
 OIDC_CFG_PROVIDER_MEMBER_FUNCS_TYPE_DECL(pkce, const oidc_proto_pkce_t *)

src/handle/handle.h

@@ -95,7 +95,7 @@ int oidc_logout_request(request_rec *r, oidc_cfg_t *c, oidc_session_t *session,
 
 // refresh.c
 apr_byte_t oidc_refresh_token_grant(request_rec *r, oidc_cfg_t *c, oidc_session_t *session, oidc_provider_t *provider,
-				    char **new_access_token, char **new_id_token);
+				    char **new_access_token, char **new_access_token_type, char **new_id_token);
 int oidc_refresh_token_request(request_rec *r, oidc_cfg_t *c, oidc_session_t *session);
 apr_byte_t oidc_refresh_access_token_before_expiry(request_rec *r, oidc_cfg_t *cfg, oidc_session_t *session,
 						   int ttl_minimum, apr_byte_t *needs_save);
@@ -117,8 +117,9 @@ int oidc_response_authorization_post(request_rec *r, oidc_cfg_t *c, oidc_session
 apr_byte_t oidc_response_save_in_session(request_rec *r, oidc_cfg_t *c, oidc_session_t *session,
 					 oidc_provider_t *provider, const char *remoteUser, const char *id_token,
 					 oidc_jwt_t *id_token_jwt, const char *claims, const char *access_token,
-					 const int expires_in, const char *refresh_token, const char *session_state,
-					 const char *state, const char *original_url, const char *userinfo_jwt);
+					 const char *access_token_type, const int expires_in, const char *refresh_token,
+					 const char *session_state, const char *state, const char *original_url,
+					 const char *userinfo_jwt);
 
 // revoke.c
 int oidc_revoke_session(request_rec *r, oidc_cfg_t *c);
@@ -131,8 +132,8 @@ int oidc_session_management(request_rec *r, oidc_cfg_t *c, oidc_session_t *sessi
 void oidc_userinfo_store_claims(request_rec *r, oidc_cfg_t *c, oidc_session_t *session, oidc_provider_t *provider,
 				const char *claims, const char *userinfo_jwt);
 const char *oidc_userinfo_retrieve_claims(request_rec *r, oidc_cfg_t *c, oidc_provider_t *provider,
-					  const char *access_token, oidc_session_t *session, char *id_token_sub,
-					  char **userinfo_jwt);
+					  const char *access_token, const char *access_token_type,
+					  oidc_session_t *session, char *id_token_sub, char **userinfo_jwt);
 apr_byte_t oidc_userinfo_refresh_claims(request_rec *r, oidc_cfg_t *cfg, oidc_session_t *session,
 					apr_byte_t *needs_save);
 

src/handle/info.c

@@ -111,7 +111,7 @@ int oidc_info_request(request_rec *r, oidc_cfg_t *c, oidc_session_t *session, ap
 					return HTTP_INTERNAL_SERVER_ERROR;
 
 				/* execute the actual refresh grant */
-				if (oidc_refresh_token_grant(r, c, session, provider, NULL, NULL) == FALSE) {
+				if (oidc_refresh_token_grant(r, c, session, provider, NULL, NULL, NULL) == FALSE) {
 					oidc_warn(r, "access_token could not be refreshed");
 					return HTTP_INTERNAL_SERVER_ERROR;
 				}
@@ -145,6 +145,9 @@ int oidc_info_request(request_rec *r, oidc_cfg_t *c, oidc_session_t *session, ap
 		const char *access_token = oidc_session_get_access_token(r, session);
 		if (access_token != NULL)
 			json_object_set_new(json, OIDC_HOOK_INFO_ACCES_TOKEN, json_string(access_token));
+		const char *access_token_type = oidc_session_get_access_token_type(r, session);
+		if (access_token_type != NULL)
+			json_object_set_new(json, OIDC_HOOK_INFO_ACCES_TOKEN_TYPE, json_string(access_token_type));
 	}
 
 	/* include the access token expiry timestamp in the session info */

src/handle/logout.c

@@ -481,7 +481,7 @@ int oidc_logout(request_rec *r, oidc_cfg_t *c, oidc_session_t *session) {
 	if ((provider != NULL) && (oidc_cfg_provider_end_session_endpoint_get(provider) != NULL)) {
 
 		if (apr_table_get(r->subprocess_env, OIDC_REFRESH_TOKENS_BEFORE_LOGOUT_ENVVAR) != NULL) {
-			oidc_refresh_token_grant(r, c, session, provider, NULL, &id_token_hint);
+			oidc_refresh_token_grant(r, c, session, provider, NULL, NULL, &id_token_hint);
 		} else {
 			id_token_hint = (char *)oidc_session_get_idtoken(r, session);
 		}

src/handle/refresh.c

@@ -194,7 +194,7 @@ static apr_byte_t oidc_refresh_token_cache_get(request_rec *r, oidc_cfg_t *c, co
  * execute refresh token grant to refresh the existing access token
  */
 apr_byte_t oidc_refresh_token_grant(request_rec *r, oidc_cfg_t *c, oidc_session_t *session, oidc_provider_t *provider,
-				    char **new_access_token, char **new_id_token) {
+				    char **new_access_token, char **new_access_token_type, char **new_id_token) {
 
 	apr_byte_t rc = FALSE;
 	char *s_id_token = NULL;
@@ -243,6 +243,7 @@ apr_byte_t oidc_refresh_token_grant(request_rec *r, oidc_cfg_t *c, oidc_session_
 
 	/* store the new access_token in the session and discard the old one */
 	oidc_session_set_access_token(r, session, s_access_token);
+	oidc_session_set_access_token_type(r, session, s_token_type);
 	oidc_session_set_access_token_expires(r, session, expires_in);
 
 	/* reset the access token refresh timestamp */
@@ -251,6 +252,8 @@ apr_byte_t oidc_refresh_token_grant(request_rec *r, oidc_cfg_t *c, oidc_session_
 	/* see if we need to return it as a parameter */
 	if (new_access_token != NULL)
 		*new_access_token = s_access_token;
+	if (new_access_token_type != NULL)
+		*new_access_token_type = s_token_type;
 
 	/* if we have a new refresh token (rolling refresh), store it in the session and overwrite the old one */
 	if (s_refresh_token != NULL)
@@ -353,7 +356,7 @@ int oidc_refresh_token_request(request_rec *r, oidc_cfg_t *c, oidc_session_t *se
 	}
 
 	/* execute the actual refresh grant */
-	if (oidc_refresh_token_grant(r, c, session, provider, NULL, NULL) == FALSE) {
+	if (oidc_refresh_token_grant(r, c, session, provider, NULL, NULL, NULL) == FALSE) {
 		oidc_error(r, "access_token could not be refreshed");
 		error_code = "refresh_failed";
 		goto end;
@@ -421,7 +424,7 @@ apr_byte_t oidc_refresh_access_token_before_expiry(request_rec *r, oidc_cfg_t *c
 	if (oidc_get_provider_from_session(r, cfg, session, &provider) == FALSE)
 		return FALSE;
 
-	if (oidc_refresh_token_grant(r, cfg, session, provider, NULL, NULL) == FALSE) {
+	if (oidc_refresh_token_grant(r, cfg, session, provider, NULL, NULL, NULL) == FALSE) {
 		oidc_warn(r, "access_token could not be refreshed");
 		*needs_save = FALSE;
 		return FALSE;

src/handle/response.c

@@ -225,8 +225,9 @@ char *oidc_response_make_sid_iss_unique(request_rec *r, const char *sid, const c
 apr_byte_t oidc_response_save_in_session(request_rec *r, oidc_cfg_t *c, oidc_session_t *session,
 					 oidc_provider_t *provider, const char *remoteUser, const char *id_token,
 					 oidc_jwt_t *id_token_jwt, const char *claims, const char *access_token,
-					 const int expires_in, const char *refresh_token, const char *session_state,
-					 const char *state, const char *original_url, const char *userinfo_jwt) {
+					 const char *access_token_type, const int expires_in, const char *refresh_token,
+					 const char *session_state, const char *state, const char *original_url,
+					 const char *userinfo_jwt) {
 
 	/* store the user in the session */
 	session->remote_user = apr_pstrdup(r->pool, remoteUser);
@@ -278,6 +279,8 @@ apr_byte_t oidc_response_save_in_session(request_rec *r, oidc_cfg_t *c, oidc_ses
 	if (access_token != NULL) {
 		/* store the access_token in the session context */
 		oidc_session_set_access_token(r, session, access_token);
+		/* store the access_token in the session context */
+		oidc_session_set_access_token_type(r, session, access_token_type);
 		/* store the associated expires_in value */
 		oidc_session_set_access_token_expires(r, session, expires_in);
 		/* reset the access token refresh timestamp */
@@ -614,7 +617,8 @@ static int oidc_response_process(request_rec *r, oidc_cfg_t *c, oidc_session_t *
 	 * parsed claims are not actually used here but need to be parsed anyway for error checking purposes
 	 */
 	const char *claims = oidc_userinfo_retrieve_claims(
-	    r, c, provider, apr_table_get(params, OIDC_PROTO_ACCESS_TOKEN), NULL, jwt->payload.sub, &userinfo_jwt);
+	    r, c, provider, apr_table_get(params, OIDC_PROTO_ACCESS_TOKEN),
+	    apr_table_get(params, OIDC_PROTO_TOKEN_TYPE), NULL, jwt->payload.sub, &userinfo_jwt);
 
 	/* restore the original protected URL that the user was trying to access */
 	const char *original_url = oidc_proto_state_get_original_url(proto_state);
@@ -644,8 +648,8 @@ static int oidc_response_process(request_rec *r, oidc_cfg_t *c, oidc_session_t *
 		/* store resolved information in the session */
 		if (oidc_response_save_in_session(
 			r, c, session, provider, r->user, apr_table_get(params, OIDC_PROTO_ID_TOKEN), jwt, claims,
-			apr_table_get(params, OIDC_PROTO_ACCESS_TOKEN), expires_in,
-			apr_table_get(params, OIDC_PROTO_REFRESH_TOKEN),
+			apr_table_get(params, OIDC_PROTO_ACCESS_TOKEN), apr_table_get(params, OIDC_PROTO_TOKEN_TYPE),
+			expires_in, apr_table_get(params, OIDC_PROTO_REFRESH_TOKEN),
 			apr_table_get(params, OIDC_PROTO_SESSION_STATE), apr_table_get(params, OIDC_PROTO_STATE),
 			original_url, userinfo_jwt) == FALSE) {
 			oidc_proto_state_destroy(proto_state);

src/handle/userinfo.c

@@ -85,11 +85,12 @@ void oidc_userinfo_store_claims(request_rec *r, oidc_cfg_t *c, oidc_session_t *s
  * retrieve claims from the userinfo endpoint and return the stringified response
  */
 const char *oidc_userinfo_retrieve_claims(request_rec *r, oidc_cfg_t *c, oidc_provider_t *provider,
-					  const char *access_token, oidc_session_t *session, char *id_token_sub,
-					  char **userinfo_jwt) {
+					  const char *access_token, const char *access_token_type,
+					  oidc_session_t *session, char *id_token_sub, char **userinfo_jwt) {
 
 	char *result = NULL;
 	char *refreshed_access_token = NULL;
+	char *refreshed_access_token_type = NULL;
 	json_t *id_token_claims = NULL;
 	long response_code = 0;
 
@@ -122,8 +123,8 @@ const char *oidc_userinfo_retrieve_claims(request_rec *r, oidc_cfg_t *c, oidc_pr
 	// routines)
 
 	/* try to get claims from the userinfo endpoint using the provided access token */
-	if (oidc_proto_userinfo_request(r, c, provider, id_token_sub, access_token, &result, userinfo_jwt,
-					&response_code) == TRUE)
+	if (oidc_proto_userinfo_request(r, c, provider, id_token_sub, access_token, access_token_type, &result,
+					userinfo_jwt, &response_code) == TRUE)
 		goto end;
 
 	/* see if this is the initial call to the user info endpoint upon receiving the authorization response */
@@ -144,16 +145,17 @@ const char *oidc_userinfo_retrieve_claims(request_rec *r, oidc_cfg_t *c, oidc_pr
 
 	/* first call to user info endpoint failed, but this is for an existing session and the access token may have
 	 * just expired, so refresh it */
-	if (oidc_refresh_token_grant(r, c, session, provider, &refreshed_access_token, NULL) == FALSE) {
+	if (oidc_refresh_token_grant(r, c, session, provider, &refreshed_access_token, &refreshed_access_token_type,
+				     NULL) == FALSE) {
 		oidc_error(r, "refreshing access token failed, claims will not be retrieved/refreshed from the "
 			      "userinfo endpoint");
 		result = NULL;
 		goto end;
 	}
 
 	/* try again with the new access token */
-	if (oidc_proto_userinfo_request(r, c, provider, id_token_sub, refreshed_access_token, &result, userinfo_jwt,
-					NULL) == FALSE) {
+	if (oidc_proto_userinfo_request(r, c, provider, id_token_sub, refreshed_access_token,
+					refreshed_access_token_type, &result, userinfo_jwt, NULL) == FALSE) {
 
 		oidc_error(r, "resolving user info claims with the refreshed access token failed, nothing will be "
 			      "stored in the session");
@@ -181,6 +183,7 @@ apr_byte_t oidc_userinfo_refresh_claims(request_rec *r, oidc_cfg_t *cfg, oidc_se
 	oidc_provider_t *provider = NULL;
 	const char *claims = NULL;
 	const char *access_token = NULL;
+	const char *access_token_type = NULL;
 	char *userinfo_jwt = NULL;
 
 	/* see int we can do anything here, i.e. a refresh interval is configured */
@@ -212,10 +215,11 @@ apr_byte_t oidc_userinfo_refresh_claims(request_rec *r, oidc_cfg_t *cfg, oidc_se
 
 				/* get the current access token */
 				access_token = oidc_session_get_access_token(r, session);
+				access_token_type = oidc_session_get_access_token_type(r, session);
 
 				/* retrieve the current claims */
-				claims = oidc_userinfo_retrieve_claims(r, cfg, provider, access_token, session, NULL,
-								       &userinfo_jwt);
+				claims = oidc_userinfo_retrieve_claims(r, cfg, provider, access_token,
+								       access_token_type, session, NULL, &userinfo_jwt);
 
 				/* store claims resolved from userinfo endpoint */
 				oidc_userinfo_store_claims(r, cfg, session, provider, claims, userinfo_jwt);

src/metadata.c

@@ -110,6 +110,7 @@
 #define OIDC_METADATA_TOKEN_ENDPOINT_PARAMS "token_endpoint_params"
 #define OIDC_METADATA_RESPONSE_MODE "response_mode"
 #define OIDC_METADATA_PKCE_METHOD "pkce_method"
+#define OIDC_METADATA_DPOP_MODE "dpop_mode"
 #define OIDC_METADATA_CLIENT_CONTACT "client_contact"
 #define OIDC_METADATA_TOKEN_ENDPOINT_AUTH "token_endpoint_auth"
 #define OIDC_METADATA_REGISTRATION_TOKEN "registration_token"
@@ -1338,6 +1339,17 @@ apr_byte_t oidc_metadata_conf_parse(request_rec *r, oidc_cfg_t *cfg, json_t *j_c
 					     : OIDC_PKCE_METHOD_NONE);
 	OIDC_METADATA_PROVIDER_SET(pkce, value, rv)
 
+	/* see if we've got a custom DPoP mode */
+	oidc_util_json_object_get_string(r->pool, j_conf, OIDC_METADATA_DPOP_MODE, &value, NULL);
+	if (value) {
+		rv = oidc_cfg_provider_dpop_mode_set(r->pool, provider, value);
+		if (rv != NULL)
+			oidc_error(r, "oidc_cfg_provider_dpop_mode_set: %s", rv);
+	} else {
+		oidc_cfg_provider_dpop_mode_int_set(provider,
+						    oidc_cfg_provider_dpop_mode_get(oidc_cfg_provider_get(cfg)));
+	}
+
 	/* get the client name */
 	oidc_util_json_object_get_string(r->pool, j_conf, OIDC_METADATA_CLIENT_NAME, &value,
 					 oidc_cfg_provider_client_name_get(oidc_cfg_provider_get(cfg)));
@@ -1402,7 +1414,7 @@ apr_byte_t oidc_metadata_conf_parse(request_rec *r, oidc_cfg_t *cfg, json_t *j_c
 	if (value) {
 		rv = oidc_cfg_provider_userinfo_token_method_set(r->pool, provider, value);
 		if (rv != NULL)
-			oidc_error(r, "oidc_cfg_provider_userinfo_token_method_get: %s", rv);
+			oidc_error(r, "oidc_cfg_provider_userinfo_token_method_set: %s", rv);
 	} else {
 		oidc_cfg_provider_userinfo_token_method_int_set(
 		    provider, oidc_cfg_provider_userinfo_token_method_get(oidc_cfg_provider_get(cfg)));