add OIDCProfile to configure OpenID Connect profile behaviours

i.e. FAPI 2.0

Signed-off-by: Hans Zandbelt <[email protected]>

Author: zandbelt

ChangeLog

@@ -1,3 +1,8 @@
+01/29/2025
+- add OIDCProfile to configure OpenID Connect profile behaviours for, so far "FAPI20" only, which configures:
+  Authentication Request method, DPoP, PKCE, ID token aud values requirements
+  token endpoint JWT authentication "aud" values, "iss" parameter requirement in authentication reponses
+
 01/24/2025
 - fix OIDCProviderRevocationEndpoint when not setting it to ""; see #1301; thanks @tarteens
 

Makefile.am

@@ -36,6 +36,7 @@ libauth_openidc_la_SOURCES = \
 	src/proto/jwks.c \
 	src/proto/jwt.c \
 	src/proto/pkce.c \
+	src/proto/profile.c \
 	src/proto/proto.c \
 	src/proto/request.c \
 	src/proto/response.c \

auth_openidc.conf

@@ -372,6 +372,19 @@
 # NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_encrypted_response_enc
 #OIDCUserInfoEncryptedResponseEnc [A128CBC-HS256|A256CBC-HS512|A256GCM]
 
+# The OpenID Connect (client) profile to adhere to, which configures settings for:
+# - Authentication Request method
+# - DPoP
+# - PKCE
+# - ID token aud values
+# - token endpoint JWT authentication "aud" values,
+# - "iss" parameter requirement in authentication reponses
+# FAPI20: configures settings for the FAPI 2.0 Security Profile i.e :
+          Auth Request Method: PAR, DPoP: Required, PCKE: S256, aud: client_id, aud: iss, iss: true
+# OIDC10: adheres to the core OpenID Connect spec v1.0
+# When not default the default is OIDC10
+#OIDCProfile [ OIDC10 | FAPI20 ]
+
 ########################################################################################
 #
 # WARNING:

src/cfg/cmds.c

@@ -594,6 +594,11 @@ const command_rec oidc_cfg_cmds[] = {
 		OIDCProviderAuthRequestMethod,
 		auth_request_method,
 		"HTTP method used to send the authentication request to the provider (GET or POST)."),
+	OIDC_CFG_CMD_PROVIDER(
+		AP_INIT_TAKE1,
+		OIDCProfile,
+		profile,
+		"OpenID Connect Profile."),
 
 	// oauth
 

src/cfg/provider.c

@@ -96,6 +96,7 @@ struct oidc_provider_t {
 	oidc_userinfo_token_method_t userinfo_token_method;
 	char *request_object;
 	oidc_auth_request_method_t auth_request_method;
+	oidc_profile_t profile;
 	int response_require_iss;
 };
 
@@ -669,6 +670,17 @@ const char *oidc_cfg_provider_revocation_endpoint_url_get(oidc_provider_t *provi
 	return provider->revocation_endpoint_url;
 }
 
+#define OIDC_PROFILE_OIDC10_STR "OIDC10"
+#define OIDC_PROFILE_FAPI20_STR "FAPI20"
+
+const char *oidc_cfg_provider_parse_profile(apr_pool_t *pool, const char *arg, oidc_profile_t *profile) {
+	static const oidc_cfg_option_t options[] = {{OIDC_PROFILE_OIDC10, OIDC_PROFILE_OIDC10_STR},
+						    {OIDC_PROFILE_FAPI20, OIDC_PROFILE_FAPI20_STR}};
+	return oidc_cfg_parse_option(pool, options, OIDC_CFG_OPTIONS_SIZE(options), arg, (int *)profile);
+}
+#define OIDC_DEFAULT_PROFILE OIDC_PROFILE_OIDC10
+OIDC_PROVIDER_MEMBER_FUNCS_STR_INT(profile, oidc_cfg_provider_parse_profile, oidc_profile_t, OIDC_DEFAULT_PROFILE)
+
 /*
  * base
  */
@@ -732,6 +744,7 @@ static void oidc_cfg_provider_init(oidc_provider_t *provider) {
 	provider->response_require_iss = OIDC_CONFIG_POS_INT_UNSET;
 
 	provider->id_token_aud_values = NULL;
+	provider->profile = OIDC_CONFIG_POS_INT_UNSET;
 }
 
 void oidc_cfg_provider_merge(apr_pool_t *pool, oidc_provider_t *dst, const oidc_provider_t *base,
@@ -846,6 +859,7 @@ void oidc_cfg_provider_merge(apr_pool_t *pool, oidc_provider_t *dst, const oidc_
 
 	dst->id_token_aud_values =
 	    add->id_token_aud_values != NULL ? add->id_token_aud_values : base->id_token_aud_values;
+	dst->profile = add->profile != OIDC_CONFIG_POS_INT_UNSET ? add->profile : base->profile;
 }
 
 oidc_provider_t *oidc_cfg_provider_create(apr_pool_t *pool) {

src/cfg/provider.h

@@ -93,6 +93,11 @@ typedef struct oidc_jwks_uri_t {
 	apr_array_header_t *jwk_list;
 } oidc_jwks_uri_t;
 
+typedef enum {
+	OIDC_PROFILE_OIDC10 = 1,
+	OIDC_PROFILE_FAPI20 = 2,
+} oidc_profile_t;
+
 // NB: need the primitive strings and the declarations of the custom
 //     set routines here because the commands are included in config.c.
 //     via include "cmds.inc"
@@ -115,6 +120,7 @@ typedef struct oidc_jwks_uri_t {
 #define OIDCProviderVerifyCertFiles "OIDCProviderVerifyCertFiles"
 #define OIDCResponseType "OIDCResponseType"
 #define OIDCProviderAuthRequestMethod "OIDCProviderAuthRequestMethod"
+#define OIDCProfile "OIDCProfile"
 #define OIDCPKCEMethod "OIDCPKCEMethod"
 #define OIDCDPoPMode "OIDCDPoPMode"
 #define OIDCResponseMode "OIDCResponseMode"
@@ -242,6 +248,7 @@ void OIDC_CFG_MEMBER_FUNC_NAME(dpop_mode, cfg_provider, int_set)(oidc_provider_t
 // for metadata.c
 OIDC_CFG_PROVIDER_MEMBER_FUNCS_INT_INT_DECL(userinfo_token_method, oidc_userinfo_token_method_t)
 OIDC_CFG_PROVIDER_MEMBER_FUNCS_INT_INT_DECL(auth_request_method, oidc_auth_request_method_t)
+OIDC_CFG_PROVIDER_MEMBER_FUNCS_INT_INT_DECL(profile, oidc_profile_t)
 
 // types
 OIDC_CFG_PROVIDER_MEMBER_FUNCS_TYPE_DECL(pkce, const oidc_proto_pkce_t *)

src/handle/logout.c

@@ -84,7 +84,7 @@ static void oidc_logout_revoke_tokens(request_rec *r, oidc_cfg_t *c, oidc_sessio
 	if (oidc_proto_token_endpoint_auth(
 		r, c, oidc_cfg_provider_token_endpoint_auth_get(provider), oidc_cfg_provider_client_id_get(provider),
 		oidc_cfg_provider_client_secret_get(provider), oidc_cfg_provider_client_keys_get(provider),
-		oidc_cfg_provider_token_endpoint_url_get(provider), params, NULL, &basic_auth, &bearer_auth) == FALSE)
+		oidc_proto_profile_token_endpoint_auth_aud(provider), params, NULL, &basic_auth, &bearer_auth) == FALSE)
 		goto out;
 
 	token = oidc_session_get_refresh_token(r, session);

src/handle/request.c

@@ -201,14 +201,14 @@ int oidc_request_authenticate_user(request_rec *r, oidc_cfg_t *c, oidc_provider_
 
 	if ((oidc_util_spaced_string_contains(r->pool, oidc_cfg_provider_response_type_get(provider),
 					      OIDC_PROTO_CODE) == TRUE) &&
-	    (oidc_cfg_provider_pkce_get(provider) != &oidc_pkce_none)) {
+	    (oidc_proto_profile_pkce_get(provider) != &oidc_pkce_none)) {
 
 		/* generate the code verifier value that correlates authorization requests and code exchange requests */
-		if (oidc_cfg_provider_pkce_get(provider)->state(r, &pkce_state) == FALSE)
+		if (oidc_proto_profile_pkce_get(provider)->state(r, &pkce_state) == FALSE)
 			return HTTP_INTERNAL_SERVER_ERROR;
 
 		/* generate the PKCE code challenge */
-		if (oidc_cfg_provider_pkce_get(provider)->challenge(r, pkce_state, &code_challenge) == FALSE)
+		if (oidc_proto_profile_pkce_get(provider)->challenge(r, pkce_state, &code_challenge) == FALSE)
 			return HTTP_INTERNAL_SERVER_ERROR;
 	}
 

src/metadata.c

@@ -86,6 +86,7 @@
 #define OIDC_METADATA_ID_TOKEN_ENCRYPTED_RESPONSE_ALG "id_token_encrypted_response_alg"
 #define OIDC_METADATA_ID_TOKEN_ENCRYPTED_RESPONSE_ENC "id_token_encrypted_response_enc"
 #define OIDC_METADATA_ID_TOKEN_AUD_VALUES "id_token_aud_values"
+#define OIDC_METADATA_PROFILE "profile"
 #define OIDC_METADATA_USERINFO_SIGNED_RESPONSE_ALG "userinfo_signed_response_alg"
 #define OIDC_METADATA_USERINFO_ENCRYPTED_RESPONSE_ALG "userinfo_encrypted_response_alg"
 #define OIDC_METADATA_USERINFO_ENCRYPTED_RESPONSE_ENC "userinfo_encrypted_response_enc"
@@ -1003,7 +1004,7 @@ static void oidc_metadata_parse_url(request_rec *r, const char *type, const char
 			oidc_error(r, "oidc_cfg_provider_%s_set: %s", TOSTRING(member), rv);                           \
 	}
 
-#define OIDC_METADATA_PROVIDER_SET_INT(member, ivalue, rv)                                                             \
+#define OIDC_METADATA_PROVIDER_SET_INT(provider, member, ivalue, rv)                                                   \
 	if (ivalue != OIDC_CONFIG_POS_INT_UNSET) {                                                                     \
 		rv = oidc_cfg_provider_##member##_set(r->pool, provider, ivalue);                                      \
 		if (rv != NULL)                                                                                        \
@@ -1094,7 +1095,7 @@ apr_byte_t oidc_metadata_provider_parse(request_rec *r, oidc_cfg_t *cfg, json_t
 	// provided
 	oidc_metadata_parse_boolean(r, j_provider, OIDC_METADATA_BACKCHANNEL_LOGOUT_SUPPORTED, &ivalue,
 				    oidc_cfg_provider_backchannel_logout_supported_get(provider));
-	OIDC_METADATA_PROVIDER_SET_INT(backchannel_logout_supported, ivalue, rv)
+	OIDC_METADATA_PROVIDER_SET_INT(provider, backchannel_logout_supported, ivalue, rv)
 
 	if (oidc_cfg_provider_token_endpoint_auth_get(provider) == NULL) {
 		if (oidc_metadata_valid_string_in_array(r->pool, j_provider,
@@ -1230,6 +1231,17 @@ apr_byte_t oidc_metadata_conf_parse(request_rec *r, oidc_cfg_t *cfg, json_t *j_c
 	int ivalue = OIDC_CONFIG_POS_INT_UNSET;
 	apr_array_header_t *keys = NULL, *auds = NULL;
 
+	// NB: need this first so the profile - if explicitly configured - will override
+	//     potentially non-conformant / insecure settings
+	oidc_util_json_object_get_string(r->pool, j_conf, OIDC_METADATA_PROFILE, &value, NULL);
+	if (value) {
+		rv = oidc_cfg_provider_profile_set(r->pool, provider, value);
+		if (rv != NULL)
+			oidc_error(r, "oidc_cfg_provider_profile_set: %s", rv);
+	} else {
+		oidc_cfg_provider_profile_int_set(provider, oidc_cfg_provider_profile_get(oidc_cfg_provider_get(cfg)));
+	}
+
 	oidc_util_json_object_get_string(r->pool, j_conf, OIDC_METADATA_CLIENT_JWKS_URI, &value,
 					 oidc_cfg_provider_client_jwks_uri_get(oidc_cfg_provider_get(cfg)));
 	OIDC_METADATA_PROVIDER_SET(client_jwks_uri, value, rv)
@@ -1263,8 +1275,9 @@ apr_byte_t oidc_metadata_conf_parse(request_rec *r, oidc_cfg_t *cfg, json_t *j_c
 	    oidc_cfg_provider_id_token_encrypted_response_enc_get(oidc_cfg_provider_get(cfg)));
 	OIDC_METADATA_PROVIDER_SET(id_token_encrypted_response_enc, value, rv)
 
-	oidc_util_json_object_get_string_array(r->pool, j_conf, OIDC_METADATA_ID_TOKEN_AUD_VALUES, &auds,
-					       oidc_cfg_provider_id_token_aud_values_get(oidc_cfg_provider_get(cfg)));
+	oidc_util_json_object_get_string_array(
+	    r->pool, j_conf, OIDC_METADATA_ID_TOKEN_AUD_VALUES, &auds,
+	    oidc_proto_profile_id_token_aud_values_get(r->pool, oidc_cfg_provider_get(cfg)));
 	if (auds != NULL) {
 		rv = oidc_cfg_provider_id_token_aud_values_set_str_list(r->pool, provider, auds);
 		if (rv != NULL)
@@ -1291,11 +1304,11 @@ apr_byte_t oidc_metadata_conf_parse(request_rec *r, oidc_cfg_t *cfg, json_t *j_c
 	 * for this provider */
 	oidc_metadata_parse_boolean(r, j_conf, OIDC_METADATA_SSL_VALIDATE_SERVER, &ivalue,
 				    oidc_cfg_provider_ssl_validate_server_get(oidc_cfg_provider_get(cfg)));
-	OIDC_METADATA_PROVIDER_SET_INT(ssl_validate_server, ivalue, rv)
+	OIDC_METADATA_PROVIDER_SET_INT(provider, ssl_validate_server, ivalue, rv)
 
 	oidc_metadata_parse_boolean(r, j_conf, OIDC_METADATA_VALIDATE_ISSUER, &ivalue,
 				    oidc_cfg_provider_validate_issuer_get(oidc_cfg_provider_get(cfg)));
-	OIDC_METADATA_PROVIDER_SET_INT(validate_issuer, ivalue, rv)
+	OIDC_METADATA_PROVIDER_SET_INT(provider, validate_issuer, ivalue, rv)
 
 	/* find out what scopes we should be requesting from this provider */
 	// TODO: use the provider "scopes_supported" to mix-and-match with what we've configured for the client
@@ -1307,17 +1320,17 @@ apr_byte_t oidc_metadata_conf_parse(request_rec *r, oidc_cfg_t *cfg, json_t *j_c
 	/* see if we've got a custom JWKs refresh interval */
 	oidc_util_json_object_get_int(j_conf, OIDC_METADATA_JWKS_REFRESH_INTERVAL, &ivalue,
 				      oidc_cfg_provider_jwks_uri_refresh_interval_get(oidc_cfg_provider_get(cfg)));
-	OIDC_METADATA_PROVIDER_SET_INT(jwks_uri_refresh_interval, ivalue, rv)
+	OIDC_METADATA_PROVIDER_SET_INT(provider, jwks_uri_refresh_interval, ivalue, rv)
 
 	/* see if we've got a custom IAT slack interval */
 	oidc_util_json_object_get_int(j_conf, OIDC_METADATA_IDTOKEN_IAT_SLACK, &ivalue,
 				      oidc_cfg_provider_idtoken_iat_slack_get(oidc_cfg_provider_get(cfg)));
-	OIDC_METADATA_PROVIDER_SET_INT(idtoken_iat_slack, ivalue, rv)
+	OIDC_METADATA_PROVIDER_SET_INT(provider, idtoken_iat_slack, ivalue, rv)
 
 	/* see if we've got a custom max session duration */
 	oidc_util_json_object_get_int(j_conf, OIDC_METADATA_SESSION_MAX_DURATION, &ivalue,
 				      oidc_cfg_provider_session_max_duration_get(oidc_cfg_provider_get(cfg)));
-	OIDC_METADATA_PROVIDER_SET_INT(session_max_duration, ivalue, rv)
+	OIDC_METADATA_PROVIDER_SET_INT(provider, session_max_duration, ivalue, rv)
 
 	/* see if we've got custom authentication request parameter values */
 	oidc_util_json_object_get_string(r->pool, j_conf, OIDC_METADATA_AUTH_REQUEST_PARAMS, &value,
@@ -1341,7 +1354,7 @@ apr_byte_t oidc_metadata_conf_parse(request_rec *r, oidc_cfg_t *cfg, json_t *j_c
 
 	/* get the PKCE method to use */
 	oidc_util_json_object_get_string(r->pool, j_conf, OIDC_METADATA_PKCE_METHOD, &value,
-					 oidc_cfg_provider_pkce_get(oidc_cfg_provider_get(cfg))->method);
+					 oidc_proto_profile_pkce_get(provider)->method);
 	OIDC_METADATA_PROVIDER_SET(pkce, value, rv)
 
 	/* see if we've got a custom DPoP mode */
@@ -1351,8 +1364,7 @@ apr_byte_t oidc_metadata_conf_parse(request_rec *r, oidc_cfg_t *cfg, json_t *j_c
 		if (rv != NULL)
 			oidc_error(r, "oidc_cfg_provider_dpop_mode_set: %s", rv);
 	} else {
-		oidc_cfg_provider_dpop_mode_int_set(provider,
-						    oidc_cfg_provider_dpop_mode_get(oidc_cfg_provider_get(cfg)));
+		oidc_cfg_provider_dpop_mode_int_set(provider, oidc_proto_profile_dpop_mode_get(provider));
 	}
 
 	/* get the client name */
@@ -1392,7 +1404,7 @@ apr_byte_t oidc_metadata_conf_parse(request_rec *r, oidc_cfg_t *cfg, json_t *j_c
 	/* see if we've got a custom user info refresh interval */
 	oidc_util_json_object_get_int(j_conf, OIDC_METADATA_USERINFO_REFRESH_INTERVAL, &ivalue,
 				      oidc_cfg_provider_userinfo_refresh_interval_get(oidc_cfg_provider_get(cfg)));
-	OIDC_METADATA_PROVIDER_SET_INT(userinfo_refresh_interval, ivalue, rv)
+	OIDC_METADATA_PROVIDER_SET_INT(provider, userinfo_refresh_interval, ivalue, rv)
 
 	/* TLS client cert auth settings */
 	oidc_util_json_object_get_string(
@@ -1432,14 +1444,14 @@ apr_byte_t oidc_metadata_conf_parse(request_rec *r, oidc_cfg_t *cfg, json_t *j_c
 		if (rv != NULL)
 			oidc_error(r, "oidc_cfg_provider_auth_request_method_set: %s", rv);
 	} else {
-		oidc_cfg_provider_auth_request_method_int_set(
-		    provider, oidc_cfg_provider_auth_request_method_get(oidc_cfg_provider_get(cfg)));
+		oidc_cfg_provider_auth_request_method_int_set(provider,
+							      oidc_proto_profile_auth_request_method_get(provider));
 	}
 
 	/* get the issuer specific redirect URI option */
 	oidc_metadata_parse_boolean(r, j_conf, OIDC_METADATA_RESPONSE_REQUIRE_ISS, &ivalue,
-				    oidc_cfg_provider_response_require_iss_get(oidc_cfg_provider_get(cfg)));
-	OIDC_METADATA_PROVIDER_SET_INT(response_require_iss, ivalue, rv)
+				    oidc_proto_profile_response_require_iss_get(provider));
+	OIDC_METADATA_PROVIDER_SET_INT(provider, response_require_iss, ivalue, rv)
 
 	return TRUE;
 }

src/mod_auth_openidc.c

@@ -1470,7 +1470,7 @@ static int oidc_check_config_openid_openidc(server_rec *s, oidc_cfg_t *c) {
 		}
 	}
 
-	if (oidc_cfg_provider_dpop_mode_get(oidc_cfg_provider_get(c)) != OIDC_DPOP_MODE_OFF) {
+	if (oidc_proto_profile_dpop_mode_get(oidc_cfg_provider_get(c)) != OIDC_DPOP_MODE_OFF) {
 		if (oidc_util_key_list_first(oidc_cfg_private_keys_get(c), -1, OIDC_JOSE_JWK_SIG_STR) == NULL) {
 			oidc_serror(s, "'" OIDCDPoPMode "' is configured but the required signing keys have not been "
 				       "provided in '" OIDCPrivateKeyFiles "'/'" OIDCPublicKeyFiles "'");