add OIDCDPoPMode [off|optional|required] primitive
- store the token_type in the session
- pass the token type in a header to the backend

Signed-off-by: Hans Zandbelt <[email protected]>
zandbelt committed Jun 6, 2024
1 parent d9e9990 commit e1eacaa
Showing 21 changed files with 149 additions and 38 deletions.
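--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+06/06/2024
+- add OIDCDPoPMode [off|optional|required] primitive
+- store the token_type in the session
+
 06/05/2024
 - add "nbf" claim in the Request Object as per https://openid.net/specs/openid-financial-api-part-2-1_0-final.html#rfc.section.5.2.2
 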
12 changes: 10 additions & 2 deletions auth_openidc.conf
@@ -304,10 +304,18 @@
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_contact
#OIDCClientContact <contact>

# The PKCE method used (this serves as default value for discovered OPs too)
# The PKCE method used (this serves as default value for multi-provider OPs too)
# When not defined S256 is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: pkce_method
#OIDCPKCEMethod [plain|S256|none]
#OIDCPKCEMethod [ S256 | plain | |none ]

# The DPoP mode used (this serves as default value for multi-provider OPs too)
# off: no DPoP token is requested from the OP
# optional: a DPoP token is requested from the OP but we'll continue even if the returned token is Bearer
# required: a DPoP token is requested from the OP and we'll fail if the returned token type is not DPoP
# When not defined "off" is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: dpop_mode
#OIDCDPoPMode [ off | optional | required]

# (used only in dynamic client registration)
# Define the Client JWKs URL (e.g. https://localhost/protected/?jwks=rsa)") that will be
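Review bot: The second of the two `OIDCPKCEMethod` synopsis lines (presumably the new side) reads `#OIDCPKCEMethod [ S256 | plain | |none ]`, with a stray `|` and no space before `none`; `#OIDCPKCEMethod [ S256 | plain | none ]` is what seems intended. The new `#OIDCDPoPMode [ off | optional | required]` line is also missing the space before `]`. Since `optional` continues when the OP returns a Bearer token, the comment block would benefit from one explicit line such as `# NB: only "required" guarantees a sender-constrained (DPoP-bound) access token`, so that operators do not read `optional` as an enforcement setting.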
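--- a/src/cfg/cfg.h
+++ b/src/cfg/cfg.h
@@ -117,6 +117,7 @@ typedef enum {
 
 #define OIDC_HOOK_INFO_TIMESTAMP "iat"
 #define OIDC_HOOK_INFO_ACCES_TOKEN "access_token"
+#define OIDC_HOOK_INFO_ACCES_TOKEN_TYPE "access_token_type"
 #define OIDC_HOOK_INFO_ACCES_TOKEN_EXP "access_token_expires"
 #define OIDC_HOOK_INFO_ID_TOKEN_HINT "id_token_hint"
 #define OIDC_HOOK_INFO_ID_TOKEN "id_token"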
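--- a/src/cfg/cmds.c
+++ b/src/cfg/cmds.c
@@ -545,6 +545,11 @@ const command_rec oidc_cfg_cmds[] = {
 OIDCPKCEMethod,
 pkce,
 "The RFC 7636 PCKE mode used; must be one of \"plain\" or \"S256\""),
+OIDC_CFG_CMD_PROVIDER(
+AP_INIT_TAKE1,
+OIDCDPoPMode,
+dpop_mode,
+"The RFC 9449 DPoP mode used; must be one of \"off\", \"optional\" or \"required\""),
 OIDC_CFG_CMD_PROVIDER(
 AP_INIT_TAKE1,
 OIDCClientID,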
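--- a/src/cfg/provider.c
+++ b/src/cfg/provider.c
@@ -82,6 +82,7 @@ struct oidc_provider_t {
 char *logout_request_params;
 int session_max_duration;
 oidc_proto_pkce_t *pkce;
+oidc_dpop_mode_t dpop_mode;
 int userinfo_refresh_interval;
 apr_array_header_t *client_keys;
 char *client_jwks_uri;
@@ -261,6 +262,26 @@ const char *oidc_cfg_provider_pkce_set(apr_pool_t *pool, oidc_provider_t *provid
 
 OIDC_PROVIDER_MEMBER_FUNCS_TYPE_DEF(pkce, const oidc_proto_pkce_t *, OIDC_DEFAULT_PROVIDER_PKCE)
 
+/*
+* DPoP
+*/
+#define OIDC_DPOP_MODE_OFF_STR "off"
+#define OIDC_DPOP_MODE_OPTIONAL_STR "optional"
+#define OIDC_DPOP_MODE_REQUIRED_STR "required"
+
+static const char *oidc_cfg_provider_parse_dop_method(apr_pool_t *pool, const char *arg, oidc_dpop_mode_t *mode) {
+static const oidc_cfg_option_t options[] = {
+{OIDC_DPOP_MODE_OFF, OIDC_DPOP_MODE_OFF_STR},
+{OIDC_DPOP_MODE_OPTIONAL, OIDC_DPOP_MODE_OPTIONAL_STR},
+{OIDC_DPOP_MODE_REQUIRED, OIDC_DPOP_MODE_REQUIRED_STR},
+};
+return oidc_cfg_parse_option(pool, options, OIDC_CFG_OPTIONS_SIZE(options), arg, (int *)mode);
+}
+
+#define OIDC_DEFAULT_DPOP_MODE OIDC_DPOP_MODE_OFF
+OIDC_PROVIDER_MEMBER_FUNCS_STR_INT(dpop_mode, oidc_cfg_provider_parse_dop_method, oidc_dpop_mode_t,
+OIDC_DEFAULT_DPOP_MODE)
+
 OIDC_PROVIDER_MEMBER_FUNCS_STR(issuer, NULL)
 OIDC_PROVIDER_MEMBER_FUNCS_URL(authorization_endpoint_url)
 OIDC_PROVIDER_MEMBER_FUNCS_STR(auth_request_params, NULL)
@@ -619,6 +640,7 @@ static void oidc_cfg_provider_init(oidc_provider_t *provider) {
 provider->auth_request_params = NULL;
 provider->logout_request_params = NULL;
 provider->pkce = NULL;
+provider->dpop_mode = OIDC_CONFIG_POS_INT_UNSET;
 
 provider->client_jwks_uri = NULL;
 provider->client_keys = NULL;
@@ -711,6 +733,7 @@ void oidc_cfg_provider_merge(apr_pool_t *pool, oidc_provider_t *dst, const oidc_
 dst->logout_request_params =
 add->logout_request_params != NULL ? add->logout_request_params : base->logout_request_params;
 dst->pkce = add->pkce != NULL ? add->pkce : base->pkce;
+dst->dpop_mode = add->dpop_mode != OIDC_CONFIG_POS_INT_UNSET ? add->dpop_mode : base->dpop_mode;
 
 dst->client_jwks_uri = add->client_jwks_uri != NULL ? add->client_jwks_uri : base->client_jwks_uri;
 dst->client_keys = add->client_keys != NULL ? add->client_keys : base->client_keys;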
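Review bot: In `oidc_cfg_provider_parse_dop_method` the parsed value is written through `(int *)mode`, which assumes `oidc_dpop_mode_t` has the size and representation of `int`; C leaves an enum's underlying type to the implementation, so this is a size and aliasing hazard (for example under `-fshort-enums`). Parsing into a local and assigning avoids the cast: `int v = 0;`, `const char *rv = oidc_cfg_parse_option(pool, options, OIDC_CFG_OPTIONS_SIZE(options), arg, &v);`, `if (rv == NULL) *mode = (oidc_dpop_mode_t)v; return rv;` — this presumes a NULL return means success, as the `rv != NULL` error checks elsewhere in the commit suggest. The same representation concern applies to storing `OIDC_CONFIG_POS_INT_UNSET` in the enum-typed `dpop_mode` field in `oidc_cfg_provider_init` and comparing against it in `oidc_cfg_provider_merge` (both bodies continue outside their hunks); an explicit "unset" enumerator would make that sentinel part of the type. The helper's name also reads `dop_method` where `dpop_mode` seems intended.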
9 changes: 9 additions & 0 deletions src/cfg/provider.h
@@ -74,11 +74,18 @@ typedef enum {
OIDC_AUTH_REQUEST_METHOD_PAR = 3,
} oidc_auth_request_method_t;

/* methods to send an access token in a userinfo request */
typedef enum {
OIDC_USER_INFO_TOKEN_METHOD_HEADER = 1,
OIDC_USER_INFO_TOKEN_METHOD_POST = 2,
} oidc_userinfo_token_method_t;

typedef enum {
OIDC_DPOP_MODE_OFF = 1,
OIDC_DPOP_MODE_OPTIONAL = 2,
OIDC_DPOP_MODE_REQUIRED = 3,
} oidc_dpop_mode_t;

typedef struct oidc_jwks_uri_t {
const char *uri;
int refresh_interval;
@@ -109,6 +116,7 @@ typedef struct oidc_jwks_uri_t {
#define OIDCResponseType "OIDCResponseType"
#define OIDCProviderAuthRequestMethod "OIDCProviderAuthRequestMethod"
#define OIDCPKCEMethod "OIDCPKCEMethod"
#define OIDCDPoPMode "OIDCDPoPMode"
#define OIDCResponseMode "OIDCResponseMode"
#define OIDCClientJwksUri "OIDCClientJwksUri"
#define OIDCIDTokenSignedResponseAlg "OIDCIDTokenSignedResponseAlg"
@@ -222,6 +230,7 @@ OIDC_CFG_PROVIDER_MEMBER_FUNCS_INT_DECL(userinfo_refresh_interval, const char *)
// for metadata.c
OIDC_CFG_PROVIDER_MEMBER_FUNCS_INT_INT_DECL(userinfo_token_method, oidc_userinfo_token_method_t)
OIDC_CFG_PROVIDER_MEMBER_FUNCS_INT_INT_DECL(auth_request_method, oidc_auth_request_method_t)
OIDC_CFG_PROVIDER_MEMBER_FUNCS_INT_INT_DECL(dpop_mode, oidc_dpop_mode_t)

// types
OIDC_CFG_PROVIDER_MEMBER_FUNCS_TYPE_DECL(pkce, const oidc_proto_pkce_t *)
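Review bot: The new `oidc_dpop_mode_t` enum has no comment, unlike the userinfo token method enum directly above it. A line such as `/* DPoP (RFC 9449) modes: off = not requested; optional = requested, Bearer still accepted; required = fail unless the returned token type is DPoP */` would carry the semantics stated in auth_openidc.conf into the header. Without it, the security-relevant difference between `optional` and `required` is only discoverable from the sample configuration file.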
11 changes: 6 additions & 5 deletions src/handle/handle.h
@@ -95,7 +95,7 @@ int oidc_logout_request(request_rec *r, oidc_cfg_t *c, oidc_session_t *session,

// refresh.c
apr_byte_t oidc_refresh_token_grant(request_rec *r, oidc_cfg_t *c, oidc_session_t *session, oidc_provider_t *provider,
char **new_access_token, char **new_id_token);
char **new_access_token, char **new_access_token_type, char **new_id_token);
int oidc_refresh_token_request(request_rec *r, oidc_cfg_t *c, oidc_session_t *session);
apr_byte_t oidc_refresh_access_token_before_expiry(request_rec *r, oidc_cfg_t *cfg, oidc_session_t *session,
int ttl_minimum, apr_byte_t *needs_save);
@@ -117,8 +117,9 @@ int oidc_response_authorization_post(request_rec *r, oidc_cfg_t *c, oidc_session
apr_byte_t oidc_response_save_in_session(request_rec *r, oidc_cfg_t *c, oidc_session_t *session,
oidc_provider_t *provider, const char *remoteUser, const char *id_token,
oidc_jwt_t *id_token_jwt, const char *claims, const char *access_token,
const int expires_in, const char *refresh_token, const char *session_state,
const char *state, const char *original_url, const char *userinfo_jwt);
const char *access_token_type, const int expires_in, const char *refresh_token,
const char *session_state, const char *state, const char *original_url,
const char *userinfo_jwt);

// revoke.c
int oidc_revoke_session(request_rec *r, oidc_cfg_t *c);
@@ -131,8 +132,8 @@ int oidc_session_management(request_rec *r, oidc_cfg_t *c, oidc_session_t *sessi
void oidc_userinfo_store_claims(request_rec *r, oidc_cfg_t *c, oidc_session_t *session, oidc_provider_t *provider,
const char *claims, const char *userinfo_jwt);
const char *oidc_userinfo_retrieve_claims(request_rec *r, oidc_cfg_t *c, oidc_provider_t *provider,
const char *access_token, oidc_session_t *session, char *id_token_sub,
char **userinfo_jwt);
const char *access_token, const char *access_token_type,
oidc_session_t *session, char *id_token_sub, char **userinfo_jwt);
apr_byte_t oidc_userinfo_refresh_claims(request_rec *r, oidc_cfg_t *cfg, oidc_session_t *session,
apr_byte_t *needs_save);

5 changes: 4 additions & 1 deletion src/handle/info.c
@@ -111,7 +111,7 @@ int oidc_info_request(request_rec *r, oidc_cfg_t *c, oidc_session_t *session, ap
return HTTP_INTERNAL_SERVER_ERROR;

/* execute the actual refresh grant */
if (oidc_refresh_token_grant(r, c, session, provider, NULL, NULL) == FALSE) {
if (oidc_refresh_token_grant(r, c, session, provider, NULL, NULL, NULL) == FALSE) {
oidc_warn(r, "access_token could not be refreshed");
return HTTP_INTERNAL_SERVER_ERROR;
}
@@ -145,6 +145,9 @@ int oidc_info_request(request_rec *r, oidc_cfg_t *c, oidc_session_t *session, ap
const char *access_token = oidc_session_get_access_token(r, session);
if (access_token != NULL)
json_object_set_new(json, OIDC_HOOK_INFO_ACCES_TOKEN, json_string(access_token));
const char *access_token_type = oidc_session_get_access_token_type(r, session);
if (access_token_type != NULL)
json_object_set_new(json, OIDC_HOOK_INFO_ACCES_TOKEN_TYPE, json_string(access_token_type));
}

/* include the access token expiry timestamp in the session info */
2 changes: 1 addition & 1 deletion src/handle/logout.c
@@ -481,7 +481,7 @@ int oidc_logout(request_rec *r, oidc_cfg_t *c, oidc_session_t *session) {
if ((provider != NULL) && (oidc_cfg_provider_end_session_endpoint_get(provider) != NULL)) {

if (apr_table_get(r->subprocess_env, OIDC_REFRESH_TOKENS_BEFORE_LOGOUT_ENVVAR) != NULL) {
oidc_refresh_token_grant(r, c, session, provider, NULL, &id_token_hint);
oidc_refresh_token_grant(r, c, session, provider, NULL, NULL, &id_token_hint);
} else {
id_token_hint = (char *)oidc_session_get_idtoken(r, session);
}
9 changes: 6 additions & 3 deletions src/handle/refresh.c
@@ -194,7 +194,7 @@ static apr_byte_t oidc_refresh_token_cache_get(request_rec *r, oidc_cfg_t *c, co
* execute refresh token grant to refresh the existing access token
*/
apr_byte_t oidc_refresh_token_grant(request_rec *r, oidc_cfg_t *c, oidc_session_t *session, oidc_provider_t *provider,
char **new_access_token, char **new_id_token) {
char **new_access_token, char **new_access_token_type, char **new_id_token) {

apr_byte_t rc = FALSE;
char *s_id_token = NULL;
@@ -243,6 +243,7 @@ apr_byte_t oidc_refresh_token_grant(request_rec *r, oidc_cfg_t *c, oidc_session_

/* store the new access_token in the session and discard the old one */
oidc_session_set_access_token(r, session, s_access_token);
oidc_session_set_access_token_type(r, session, s_token_type);
oidc_session_set_access_token_expires(r, session, expires_in);

/* reset the access token refresh timestamp */
@@ -251,6 +252,8 @@ apr_byte_t oidc_refresh_token_grant(request_rec *r, oidc_cfg_t *c, oidc_session_
/* see if we need to return it as a parameter */
if (new_access_token != NULL)
*new_access_token = s_access_token;
if (new_access_token_type != NULL)
*new_access_token_type = s_token_type;

/* if we have a new refresh token (rolling refresh), store it in the session and overwrite the old one */
if (s_refresh_token != NULL)
@@ -353,7 +356,7 @@ int oidc_refresh_token_request(request_rec *r, oidc_cfg_t *c, oidc_session_t *se
}

/* execute the actual refresh grant */
if (oidc_refresh_token_grant(r, c, session, provider, NULL, NULL) == FALSE) {
if (oidc_refresh_token_grant(r, c, session, provider, NULL, NULL, NULL) == FALSE) {
oidc_error(r, "access_token could not be refreshed");
error_code = "refresh_failed";
goto end;
@@ -421,7 +424,7 @@ apr_byte_t oidc_refresh_access_token_before_expiry(request_rec *r, oidc_cfg_t *c
if (oidc_get_provider_from_session(r, cfg, session, &provider) == FALSE)
return FALSE;

if (oidc_refresh_token_grant(r, cfg, session, provider, NULL, NULL) == FALSE) {
if (oidc_refresh_token_grant(r, cfg, session, provider, NULL, NULL, NULL) == FALSE) {
oidc_warn(r, "access_token could not be refreshed");
*needs_save = FALSE;
return FALSE;
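Review bot: `oidc_refresh_token_grant` stores `s_token_type` in the session without comparing it to the provider's DPoP mode, so nothing in the visible hunks stops a refresh response from replacing a DPoP-bound token with a Bearer one while `OIDCDPoPMode required` is configured. Unless the token-endpoint code outside this page already rejects that case, a guard before the session is updated would close the downgrade: fail the grant when `oidc_cfg_provider_dpop_mode_get(provider) == OIDC_DPOP_MODE_REQUIRED` and `s_token_type` is NULL or is not `DPoP`. `s_token_type` may also be NULL if the OP leaves `token_type` out of the refresh response; whether `oidc_session_set_access_token_type` then clears or keeps the previously stored type is not visible here and deserves a comment at the call. The function body starts and ends outside these hunks.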
14 changes: 9 additions & 5 deletions src/handle/response.c
@@ -225,8 +225,9 @@ char *oidc_response_make_sid_iss_unique(request_rec *r, const char *sid, const c
apr_byte_t oidc_response_save_in_session(request_rec *r, oidc_cfg_t *c, oidc_session_t *session,
oidc_provider_t *provider, const char *remoteUser, const char *id_token,
oidc_jwt_t *id_token_jwt, const char *claims, const char *access_token,
const int expires_in, const char *refresh_token, const char *session_state,
const char *state, const char *original_url, const char *userinfo_jwt) {
const char *access_token_type, const int expires_in, const char *refresh_token,
const char *session_state, const char *state, const char *original_url,
const char *userinfo_jwt) {

/* store the user in the session */
session->remote_user = apr_pstrdup(r->pool, remoteUser);
@@ -278,6 +279,8 @@ apr_byte_t oidc_response_save_in_session(request_rec *r, oidc_cfg_t *c, oidc_ses
if (access_token != NULL) {
/* store the access_token in the session context */
oidc_session_set_access_token(r, session, access_token);
/* store the access_token in the session context */
oidc_session_set_access_token_type(r, session, access_token_type);
/* store the associated expires_in value */
oidc_session_set_access_token_expires(r, session, expires_in);
/* reset the access token refresh timestamp */
@@ -614,7 +617,8 @@ static int oidc_response_process(request_rec *r, oidc_cfg_t *c, oidc_session_t *
* parsed claims are not actually used here but need to be parsed anyway for error checking purposes
*/
const char *claims = oidc_userinfo_retrieve_claims(
r, c, provider, apr_table_get(params, OIDC_PROTO_ACCESS_TOKEN), NULL, jwt->payload.sub, &userinfo_jwt);
r, c, provider, apr_table_get(params, OIDC_PROTO_ACCESS_TOKEN),
apr_table_get(params, OIDC_PROTO_TOKEN_TYPE), NULL, jwt->payload.sub, &userinfo_jwt);

/* restore the original protected URL that the user was trying to access */
const char *original_url = oidc_proto_state_get_original_url(proto_state);
@@ -644,8 +648,8 @@ static int oidc_response_process(request_rec *r, oidc_cfg_t *c, oidc_session_t *
/* store resolved information in the session */
if (oidc_response_save_in_session(
r, c, session, provider, r->user, apr_table_get(params, OIDC_PROTO_ID_TOKEN), jwt, claims,
apr_table_get(params, OIDC_PROTO_ACCESS_TOKEN), expires_in,
apr_table_get(params, OIDC_PROTO_REFRESH_TOKEN),
apr_table_get(params, OIDC_PROTO_ACCESS_TOKEN), apr_table_get(params, OIDC_PROTO_TOKEN_TYPE),
expires_in, apr_table_get(params, OIDC_PROTO_REFRESH_TOKEN),
apr_table_get(params, OIDC_PROTO_SESSION_STATE), apr_table_get(params, OIDC_PROTO_STATE),
original_url, userinfo_jwt) == FALSE) {
oidc_proto_state_destroy(proto_state);
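Review bot: The comment placed above `oidc_session_set_access_token_type(r, session, access_token_type);` in `oidc_response_save_in_session` repeats the preceding comment word for word; it should read `/* store the access_token type in the session context */`. The enclosing `if (access_token != NULL)` block continues outside the hunk.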
22 changes: 13 additions & 9 deletions src/handle/userinfo.c
@@ -85,11 +85,12 @@ void oidc_userinfo_store_claims(request_rec *r, oidc_cfg_t *c, oidc_session_t *s
* retrieve claims from the userinfo endpoint and return the stringified response
*/
const char *oidc_userinfo_retrieve_claims(request_rec *r, oidc_cfg_t *c, oidc_provider_t *provider,
const char *access_token, oidc_session_t *session, char *id_token_sub,
char **userinfo_jwt) {
const char *access_token, const char *access_token_type,
oidc_session_t *session, char *id_token_sub, char **userinfo_jwt) {

char *result = NULL;
char *refreshed_access_token = NULL;
char *refreshed_access_token_type = NULL;
json_t *id_token_claims = NULL;
long response_code = 0;

@@ -122,8 +123,8 @@ const char *oidc_userinfo_retrieve_claims(request_rec *r, oidc_cfg_t *c, oidc_pr
// routines)

/* try to get claims from the userinfo endpoint using the provided access token */
if (oidc_proto_userinfo_request(r, c, provider, id_token_sub, access_token, &result, userinfo_jwt,
&response_code) == TRUE)
if (oidc_proto_userinfo_request(r, c, provider, id_token_sub, access_token, access_token_type, &result,
userinfo_jwt, &response_code) == TRUE)
goto end;

/* see if this is the initial call to the user info endpoint upon receiving the authorization response */
@@ -144,16 +145,17 @@ const char *oidc_userinfo_retrieve_claims(request_rec *r, oidc_cfg_t *c, oidc_pr

/* first call to user info endpoint failed, but this is for an existing session and the access token may have
* just expired, so refresh it */
if (oidc_refresh_token_grant(r, c, session, provider, &refreshed_access_token, NULL) == FALSE) {
if (oidc_refresh_token_grant(r, c, session, provider, &refreshed_access_token, &refreshed_access_token_type,
NULL) == FALSE) {
oidc_error(r, "refreshing access token failed, claims will not be retrieved/refreshed from the "
"userinfo endpoint");
result = NULL;
goto end;
}

/* try again with the new access token */
if (oidc_proto_userinfo_request(r, c, provider, id_token_sub, refreshed_access_token, &result, userinfo_jwt,
NULL) == FALSE) {
if (oidc_proto_userinfo_request(r, c, provider, id_token_sub, refreshed_access_token,
refreshed_access_token_type, &result, userinfo_jwt, NULL) == FALSE) {

oidc_error(r, "resolving user info claims with the refreshed access token failed, nothing will be "
"stored in the session");
@@ -181,6 +183,7 @@ apr_byte_t oidc_userinfo_refresh_claims(request_rec *r, oidc_cfg_t *cfg, oidc_se
oidc_provider_t *provider = NULL;
const char *claims = NULL;
const char *access_token = NULL;
const char *access_token_type = NULL;
char *userinfo_jwt = NULL;

/* see int we can do anything here, i.e. a refresh interval is configured */
@@ -212,10 +215,11 @@ apr_byte_t oidc_userinfo_refresh_claims(request_rec *r, oidc_cfg_t *cfg, oidc_se

/* get the current access token */
access_token = oidc_session_get_access_token(r, session);
access_token_type = oidc_session_get_access_token_type(r, session);

/* retrieve the current claims */
claims = oidc_userinfo_retrieve_claims(r, cfg, provider, access_token, session, NULL,
&userinfo_jwt);
claims = oidc_userinfo_retrieve_claims(r, cfg, provider, access_token,
access_token_type, session, NULL, &userinfo_jwt);

/* store claims resolved from userinfo endpoint */
oidc_userinfo_store_claims(r, cfg, session, provider, claims, userinfo_jwt);
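Review bot: `oidc_userinfo_refresh_claims` passes the result of `oidc_session_get_access_token_type` to `oidc_userinfo_retrieve_claims` unchecked, although info.c in this commit treats a NULL return as possible; a session saved before token types were recorded would presumably have none. The header comment of `oidc_userinfo_retrieve_claims` should state the contract, for example `access_token_type may be NULL, in which case the token is presented as a Bearer token`, and `oidc_proto_userinfo_request` (not shown on this page) should be checked to honour it. Both function bodies extend beyond the hunks.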
14 changes: 13 additions & 1 deletion src/metadata.c
@@ -110,6 +110,7 @@
#define OIDC_METADATA_TOKEN_ENDPOINT_PARAMS "token_endpoint_params"
#define OIDC_METADATA_RESPONSE_MODE "response_mode"
#define OIDC_METADATA_PKCE_METHOD "pkce_method"
#define OIDC_METADATA_DPOP_MODE "dpop_mode"
#define OIDC_METADATA_CLIENT_CONTACT "client_contact"
#define OIDC_METADATA_TOKEN_ENDPOINT_AUTH "token_endpoint_auth"
#define OIDC_METADATA_REGISTRATION_TOKEN "registration_token"
@@ -1338,6 +1339,17 @@ apr_byte_t oidc_metadata_conf_parse(request_rec *r, oidc_cfg_t *cfg, json_t *j_c
: OIDC_PKCE_METHOD_NONE);
OIDC_METADATA_PROVIDER_SET(pkce, value, rv)

/* see if we've got a custom DPoP mode */
oidc_util_json_object_get_string(r->pool, j_conf, OIDC_METADATA_DPOP_MODE, &value, NULL);
if (value) {
rv = oidc_cfg_provider_dpop_mode_set(r->pool, provider, value);
if (rv != NULL)
oidc_error(r, "oidc_cfg_provider_dpop_mode_set: %s", rv);
} else {
oidc_cfg_provider_dpop_mode_int_set(provider,
oidc_cfg_provider_dpop_mode_get(oidc_cfg_provider_get(cfg)));
}

/* get the client name */
oidc_util_json_object_get_string(r->pool, j_conf, OIDC_METADATA_CLIENT_NAME, &value,
oidc_cfg_provider_client_name_get(oidc_cfg_provider_get(cfg)));
@@ -1402,7 +1414,7 @@ apr_byte_t oidc_metadata_conf_parse(request_rec *r, oidc_cfg_t *cfg, json_t *j_c
if (value) {
rv = oidc_cfg_provider_userinfo_token_method_set(r->pool, provider, value);
if (rv != NULL)
oidc_error(r, "oidc_cfg_provider_userinfo_token_method_get: %s", rv);
oidc_error(r, "oidc_cfg_provider_userinfo_token_method_set: %s", rv);
} else {
oidc_cfg_provider_userinfo_token_method_int_set(
provider, oidc_cfg_provider_userinfo_token_method_get(oidc_cfg_provider_get(cfg)));
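Review bot: When the per-OP `dpop_mode` value fails to parse, `oidc_metadata_conf_parse` only logs through `oidc_error` and carries on, so a misspelled `required` in a provider .conf would presumably leave that provider on whatever the unset state resolves to (`off` is the documented default) instead of the configured global mode. For a setting whose purpose is to enforce sender-constrained tokens this should fail closed: either `return FALSE;` after the `oidc_error` call, if no cleanup is needed at that point, or fall back explicitly with `oidc_cfg_provider_dpop_mode_int_set(provider, oidc_cfg_provider_dpop_mode_get(oidc_cfg_provider_get(cfg)));`. The neighbouring settings use the same log-and-continue pattern, so a follow-up for them may be warranted as well. The function body extends beyond the hunks.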