add logout_on_error and authenticate_on_error 2nd parameter options

to OIDCUserInfoRefreshInterval Signed-off-by: Hans Zandbelt <[email protected]>
OpenIDC · Jul 25, 2023 · e7d85e7 · e7d85e7
1 parent ef19cad
commit e7d85e7
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 8 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -2,7 +2,8 @@
 - support "authenticate_on_error" 2nd parameter value in OIDCRefreshAccessTokenBeforeExpiry 
   to reauthenticate the user when refreshing the access token fails
   see: https://github.com/OpenIDC/mod_auth_openidc/discussions/1084; thanks @xrammit
-- bump 20 2.4.14.3rc4
+- add logout_on_error and authenticate_on_error 2nd parameter option to OIDCUserInfoRefreshInterval
+- bump to 2.4.14.3rc4
 
 07/18/2023
 - allow relative values in OIDCDefaultURL and OIDCDefaultLoggedOutURL

diff --git a/auth_openidc.conf b/auth_openidc.conf
@@ -180,7 +180,9 @@
 # to refresh the access token using the refresh token grant, after which a second attempt is made
 # to obtain claims from the userinfo endpoint with the new access token.
 # NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_refresh_interval
-#OIDCUserInfoRefreshInterval <seconds>
+# The optional logout_on_error flag will make the user logout the current local session if the userinfo request fails.
+# The optional authenticate_on_error flag sends the user for authentication when the userinfo request fails.
+#OIDCUserInfoRefreshInterval <seconds> [ logout_on_error | authenticate_on_error ]
 
 # The refresh interval in seconds for the JWKs key set obtained from the jwks_uri and signed_jwks_uri.
 # When not defined the default is 3600 seconds.

diff --git a/src/config.c b/src/config.c
@@ -311,6 +311,7 @@ typedef struct oidc_dir_cfg {
 	oidc_apr_expr_t *userinfo_claims_expr;
 	int refresh_access_token_before_expiry;
 	int action_on_error_refresh;
+	int action_on_userinfo_refresh;
 	char *state_cookie_prefix;
 	apr_array_header_t *pass_userinfo_as;
 	int pass_idtoken_as;
@@ -1176,11 +1177,15 @@ static const char* oidc_set_idtoken_iat_slack(cmd_parms *cmd, void *struct_ptr,
  * set the userinfo refresh interval
  */
 static const char* oidc_set_userinfo_refresh_interval(cmd_parms *cmd,
-		void *struct_ptr, const char *arg) {
+		void *struct_ptr, const char *arg1, const char *arg2) {
 	oidc_cfg *cfg = (oidc_cfg*) ap_get_module_config(cmd->server->module_config,
 			&auth_openidc_module);
-	const char *rv = oidc_parse_userinfo_refresh_interval(cmd->pool, arg,
+	const char *rv = oidc_parse_userinfo_refresh_interval(cmd->pool, arg1,
 			&cfg->provider.userinfo_refresh_interval);
+	if ((rv == NULL) && (arg2)) {
+		rv = oidc_parse_action_on_error_refresh_as(cmd->pool, arg2,
+				&cfg->action_on_userinfo_error);
+	}
 	return OIDC_CONFIG_DIR_RV(cmd, rv);
 }
 
@@ -1420,6 +1425,14 @@ int oidc_cfg_dir_action_on_error_refresh(request_rec *r) {
 	return dir_cfg->action_on_error_refresh;
 }
 
+int oidc_cfg_dir_action_on_userinfo_refresh(request_rec *r) {
+	oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
+			&auth_openidc_module);
+	if (dir_cfg->action_on_error_refresh == OIDC_CONFIG_POS_INT_UNSET)
+		return OIDC_DEFAULT_ON_ERROR_REFRESH;
+	return dir_cfg->action_on_error_refresh;
+}
+
 char* oidc_cfg_dir_state_cookie_prefix(request_rec *r) {
 	oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
 			&auth_openidc_module);
@@ -3627,7 +3640,7 @@ const command_rec oidc_config_cmds[] = {
 				NULL,
 				RSRC_CONF|ACCESS_CONF|OR_AUTHCFG,
 				"The method in which an OAuth token can be presented; must be one or more of: header|post|query|cookie"),
-		AP_INIT_TAKE1(OIDCUserInfoRefreshInterval,
+		AP_INIT_TAKE12(OIDCUserInfoRefreshInterval,
 				oidc_set_userinfo_refresh_interval,
 				(void*)APR_OFFSETOF(oidc_cfg, provider.userinfo_refresh_interval),
 				RSRC_CONF,

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -1680,8 +1680,21 @@ static int oidc_handle_existing_session(request_rec *r, oidc_cfg *cfg,
 	*needs_save |= rv;
 
 	/* if needed, refresh claims from the user info endpoint */
-	if (oidc_refresh_claims_from_userinfo_endpoint(r, cfg, session) == TRUE)
-		*needs_save = TRUE;
+	rv = oidc_refresh_claims_from_userinfo_endpoint(r, cfg, session);
+	if (rv == FALSE) {
+		if (cfg->action_on_userinfo_error == OIDC_ON_ERROR_LOGOUT) {
+			*needs_save = FALSE;
+			return oidc_handle_logout_request(r, cfg, session,
+					oidc_get_absolute_url(r, cfg, cfg->default_slo_url));
+		}
+		if (cfg->action_on_userinfo_error == OIDC_ON_ERROR_AUTHENTICATE) {
+			*needs_save = FALSE;
+			oidc_session_kill(r, session);
+			return oidc_handle_unauthenticated_user(r, cfg);
+		}
+	}
+
+	*needs_save |= rv;
 
 	/* set the user authentication HTTP header if set and required */
 	if ((r->user != NULL) && (authn_header != NULL))

diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
@@ -165,7 +165,7 @@ APLOG_USE_MODULE(auth_openidc);
 #define OIDC_PASS_APP_INFO_AS_BASE64URL 1
 #define OIDC_PASS_APP_INFO_AS_LATIN1    2
 
-/* actions to be taken on access token refresh error */
+/* actions to be taken on access token / userinfo refresh error */
 #define OIDC_ON_ERROR_CONTINUE       0
 #define OIDC_ON_ERROR_LOGOUT         1
 #define OIDC_ON_ERROR_AUTHENTICATE   2
@@ -489,6 +489,7 @@ typedef struct oidc_cfg {
 	char *ca_bundle_path;
 	char *logout_x_frame_options;
 	apr_byte_t x_forwarded_headers;
+	int action_on_userinfo_error;
 } oidc_cfg;
 
 void oidc_pre_config_init();