support passing browser cookies to OP/AS backchannel calls

Author: Hans Zandbelt

ChangeLog

@@ -1,3 +1,6 @@
+12/12/2014
+- support passing cookies specified in OIDCPassCookies from browser on to OP/AS calls (for loadbalancing purposes)
+
 12/10/2014
 - reconnect to the Redis server after I/O failure as raised in #43
 - bump to 1.7.1rc4

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[1.7.1rc4],[[email protected]])
+AC_INIT([mod_auth_openidc],[1.7.1rc5],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

src/config.c

@@ -542,6 +542,16 @@ static const char * oidc_set_pass_idtoken_as(cmd_parms *cmd, void *dummy,
 	return NULL;
 }
 
+/*
+ * specify cookies to pass on to the OP/AS
+ */
+static const char * oidc_set_pass_cookies(cmd_parms *cmd, void *m,
+		const char *arg) {
+	oidc_dir_cfg *dir_cfg = (oidc_dir_cfg *) m;
+	*(const char**) apr_array_push(dir_cfg->pass_cookies) = arg;
+	return NULL;
+}
+
 /*
  * create a new server config record with defaults
  */
@@ -902,6 +912,7 @@ void *oidc_create_dir_config(apr_pool_t *pool, char *path) {
 	c->cookie_path = OIDC_DEFAULT_COOKIE_PATH;
 	c->authn_header = OIDC_DEFAULT_AUTHN_HEADER;
 	c->return401 = FALSE;
+	c->pass_cookies = apr_array_make(pool, 0, sizeof(const char *));
 	return (c);
 }
 
@@ -921,9 +932,10 @@ void *oidc_merge_dir_config(apr_pool_t *pool, void *BASE, void *ADD) {
 	c->authn_header = (
 			add->authn_header != OIDC_DEFAULT_AUTHN_HEADER ?
 					add->authn_header : base->authn_header);
-	c->return401 = (
-			add->return401 != FALSE ?
-					add->return401 : base->return401);
+	c->return401 = (add->return401 != FALSE ? add->return401 : base->return401);
+	c->pass_cookies = (
+			apr_is_empty_array(add->pass_cookies) != 0 ?
+					add->pass_cookies : base->pass_cookies);
 	return (c);
 }
 
@@ -1594,6 +1606,11 @@ const command_rec oidc_config_cmds[] = {
 				(void*)APR_OFFSETOF(oidc_cfg, cache_redis_server),
 				RSRC_CONF,
 				"Redis server used for caching (<hostname>[:<port>])"),
+		AP_INIT_ITERATE("OIDCPassCookies",
+				oidc_set_pass_cookies,
+				(void *) APR_OFFSETOF(oidc_dir_cfg, pass_cookies),
+				RSRC_CONF|ACCESS_CONF|OR_AUTHCFG,
+				"Specify cookies that need to be passed from the browser on to the backend to the OP/AS."),
 
 		{ NULL }
 };

src/metadata.c

@@ -561,6 +561,10 @@ static apr_byte_t oidc_metadata_file_write(request_rec *r, const char *path,
 static apr_byte_t oidc_metadata_client_register(request_rec *r, oidc_cfg *cfg,
 		oidc_provider_t *provider, json_t **j_client, const char **response) {
 
+	/* get a handle to the directory config */
+	oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
+			&auth_openidc_module);
+
 	/* assemble the JSON registration request */
 	json_t *data = json_object();
 	json_object_set_new(data, "client_name",
@@ -655,7 +659,8 @@ static apr_byte_t oidc_metadata_client_register(request_rec *r, oidc_cfg *cfg,
 	/* dynamically register the client with the specified parameters */
 	if (oidc_util_http_post_json(r, provider->registration_endpoint_url, data,
 			NULL, provider->registration_token, provider->ssl_validate_server, response,
-			cfg->http_timeout_short, cfg->outgoing_proxy) == FALSE) {
+			cfg->http_timeout_short, cfg->outgoing_proxy,
+			dir_cfg->pass_cookies) == FALSE) {
 		json_decref(data);
 		return FALSE;
 	}
@@ -673,10 +678,14 @@ static apr_byte_t oidc_metadata_jwks_retrieve_and_cache(request_rec *r,
 
 	const char *response = NULL;
 
+	/* get a handle to the directory config */
+	oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
+			&auth_openidc_module);
+
 	/* no valid provider metadata, get it at the specified URL with the specified parameters */
 	if (oidc_util_http_get(r, provider->jwks_uri, NULL, NULL,
 			NULL, provider->ssl_validate_server, &response, cfg->http_timeout_long,
-			cfg->outgoing_proxy) == FALSE)
+			cfg->outgoing_proxy, dir_cfg->pass_cookies) == FALSE)
 		return FALSE;
 
 	/* decode and see if it is not an error response somehow */
@@ -738,10 +747,15 @@ apr_byte_t oidc_metadata_provider_retrieve(request_rec *r, oidc_cfg *cfg,
 		const char *issuer, const char *url, json_t **j_metadata,
 		const char **response) {
 
+	/* get a handle to the directory config */
+	oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
+			&auth_openidc_module);
+
 	/* get provider metadata from the specified URL with the specified parameters */
 	if (oidc_util_http_get(r, url, NULL, NULL, NULL,
 			cfg->provider.ssl_validate_server, response,
-			cfg->http_timeout_short, cfg->outgoing_proxy) == FALSE)
+			cfg->http_timeout_short, cfg->outgoing_proxy,
+			dir_cfg->pass_cookies) == FALSE)
 		return FALSE;
 
 	/* decode and see if it is not an error response somehow */

src/mod_auth_openidc.c

@@ -677,7 +677,7 @@ static int oidc_handle_existing_session(request_rec *r,
 
 	oidc_debug(r, "enter");
 
-	/* get a handle to the director config */
+	/* get a handle to the directory config */
 	oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
 			&auth_openidc_module);
 

src/mod_auth_openidc.h

@@ -287,6 +287,7 @@ typedef struct oidc_dir_cfg {
 	char *cookie;
 	char *authn_header;
 	int return401;
+	apr_array_header_t *pass_cookies;
 } oidc_dir_cfg;
 
 int oidc_check_user_id(request_rec *r);
@@ -359,9 +360,9 @@ char *oidc_normalize_header_name(const request_rec *r, const char *str);
 
 void oidc_util_set_cookie(request_rec *r, const char *cookieName, const char *cookieValue, apr_time_t expires);
 char *oidc_util_get_cookie(request_rec *r, const char *cookieName);
-apr_byte_t oidc_util_http_get(request_rec *r, const char *url, const apr_table_t *params, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout, const char *outgoing_proxy);
-apr_byte_t oidc_util_http_post_form(request_rec *r, const char *url, const apr_table_t *params, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout, const char *outgoing_proxy);
-apr_byte_t oidc_util_http_post_json(request_rec *r, const char *url, const json_t *data, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout, const char *outgoing_proxy);
+apr_byte_t oidc_util_http_get(request_rec *r, const char *url, const apr_table_t *params, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies);
+apr_byte_t oidc_util_http_post_form(request_rec *r, const char *url, const apr_table_t *params, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies);
+apr_byte_t oidc_util_http_post_json(request_rec *r, const char *url, const json_t *data, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies);
 apr_byte_t oidc_util_request_matches_url(request_rec *r, const char *url);
 apr_byte_t oidc_util_request_has_parameter(request_rec *r, const char* param);
 apr_byte_t oidc_util_get_request_parameter(request_rec *r, char *name, char **value);

src/oauth.c

@@ -65,11 +65,16 @@ extern module AP_MODULE_DECLARE_DATA auth_openidc_module;
 static int oidc_oauth_validate_access_token(request_rec *r, oidc_cfg *c,
 		const char *token, const char **response) {
 
+	/* get a handle to the directory config */
+	oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
+			&auth_openidc_module);
+
 	/* assemble parameters to call the token endpoint for validation */
 	apr_table_t *params = apr_table_make(r->pool, 4);
 
 	/* add any configured extra static parameters to the introspection endpoint */
-	oidc_util_table_add_query_encoded_params(r->pool, params, c->oauth.introspection_endpoint_params);
+	oidc_util_table_add_query_encoded_params(r->pool, params,
+			c->oauth.introspection_endpoint_params);
 
 	/* add the access_token itself */
 	apr_table_addn(params, "token", token);
@@ -87,9 +92,9 @@ static int oidc_oauth_validate_access_token(request_rec *r, oidc_cfg *c,
 	}
 
 	/* call the endpoint with the constructed parameter set and return the resulting response */
-	return oidc_util_http_post_form(r, c->oauth.introspection_endpoint_url, params,
-			basic_auth, NULL, c->oauth.ssl_validate_server, response,
-			c->http_timeout_long, c->outgoing_proxy);
+	return oidc_util_http_post_form(r, c->oauth.introspection_endpoint_url,
+			params, basic_auth, NULL, c->oauth.ssl_validate_server, response,
+			c->http_timeout_long, c->outgoing_proxy, dir_cfg->pass_cookies);
 }
 
 /*

src/proto.c

@@ -779,6 +779,10 @@ static apr_byte_t oidc_proto_token_endpoint_request(request_rec *r,
 		char **id_token, char **access_token, char **token_type,
 		int *expires_in, char **refresh_token) {
 
+	/* get a handle to the directory config */
+	oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
+			&auth_openidc_module);
+
 	const char *response = NULL;
 
 	/* see if we need to do basic auth or auth-through-post-params (both applied through the HTTP POST method though) */
@@ -800,7 +804,8 @@ static apr_byte_t oidc_proto_token_endpoint_request(request_rec *r,
 	/* send the refresh request to the token endpoint */
 	if (oidc_util_http_post_form(r, provider->token_endpoint_url, params,
 			basic_auth, NULL, provider->ssl_validate_server, &response,
-			cfg->http_timeout_long, cfg->outgoing_proxy) == FALSE) {
+			cfg->http_timeout_long, cfg->outgoing_proxy,
+			dir_cfg->pass_cookies) == FALSE) {
 		oidc_warn(r, "error when calling the token endpoint (%s)",
 				provider->token_endpoint_url);
 		return FALSE;
@@ -889,13 +894,18 @@ apr_byte_t oidc_proto_resolve_userinfo(request_rec *r, oidc_cfg *cfg,
 		oidc_provider_t *provider, const char *access_token,
 		const char **response, json_t **claims) {
 
+	/* get a handle to the directory config */
+	oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
+			&auth_openidc_module);
+
 	oidc_debug(r, "enter, endpoint=%s, access_token=%s",
 			provider->userinfo_endpoint_url, access_token);
 
 	/* get the JSON response */
 	if (oidc_util_http_get(r, provider->userinfo_endpoint_url,
 			NULL, NULL, access_token, provider->ssl_validate_server, response,
-			cfg->http_timeout_long, cfg->outgoing_proxy) == FALSE)
+			cfg->http_timeout_long, cfg->outgoing_proxy,
+			dir_cfg->pass_cookies) == FALSE)
 		return FALSE;
 
 	/* decode and check for an "error" response */
@@ -908,6 +918,10 @@ apr_byte_t oidc_proto_resolve_userinfo(request_rec *r, oidc_cfg *cfg,
 apr_byte_t oidc_proto_account_based_discovery(request_rec *r, oidc_cfg *cfg,
 		const char *acct, char **issuer) {
 
+	/* get a handle to the directory config */
+	oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
+			&auth_openidc_module);
+
 	// TODO: maybe show intermediate/progress screen "discovering..."
 
 	oidc_debug(r, "enter, acct=%s", acct);
@@ -929,7 +943,8 @@ apr_byte_t oidc_proto_account_based_discovery(request_rec *r, oidc_cfg *cfg,
 	const char *response = NULL;
 	if (oidc_util_http_get(r, url, params, NULL, NULL,
 			cfg->provider.ssl_validate_server, &response,
-			cfg->http_timeout_short, cfg->outgoing_proxy) == FALSE) {
+			cfg->http_timeout_short, cfg->outgoing_proxy,
+			dir_cfg->pass_cookies) == FALSE) {
 		/* errors will have been logged by now */
 		return FALSE;
 	}

src/util.c

@@ -413,11 +413,13 @@ static int oidc_http_add_form_url_encoded_param(void* rec, const char* key,
 static apr_byte_t oidc_util_http_call(request_rec *r, const char *url,
 		const char *data, const char *content_type, const char *basic_auth,
 		const char *bearer_token, int ssl_validate_server,
-		const char **response, int timeout, const char *outgoing_proxy) {
+		const char **response, int timeout, const char *outgoing_proxy,
+		apr_array_header_t *pass_cookies) {
 	char curlError[CURL_ERROR_SIZE];
 	oidc_curl_buffer curlBuffer;
 	CURL *curl;
 	struct curl_slist *h_list = NULL;
+	int i;
 
 	/* do some logging about the inputs */
 	oidc_debug(r,
@@ -498,6 +500,28 @@ static apr_byte_t oidc_util_http_call(request_rec *r, const char *url,
 	if (h_list != NULL)
 		curl_easy_setopt(curl, CURLOPT_HTTPHEADER, h_list);
 
+	/* gather cookies that we need to pass on from the incoming request */
+	char *cookie_string = NULL;
+	for (i = 0; i < pass_cookies->nelts; i++) {
+		const char *cookie_name = ((const char**) pass_cookies->elts)[i];
+		char *cookie_value = oidc_util_get_cookie(r, cookie_name);
+		if (cookie_value != NULL) {
+			cookie_string =
+					(cookie_string == NULL) ?
+							apr_psprintf(r->pool, "%s=%s", cookie_name,
+									cookie_value) :
+									apr_psprintf(r->pool, "%s; %s=%s", cookie_string,
+											cookie_name, cookie_value);
+		}
+	}
+
+	/* see if we need to pass any cookies */
+	if (cookie_string != NULL) {
+		oidc_debug(r, "passing browser cookies on backend call: %s",
+				cookie_string);
+		curl_easy_setopt(curl, CURLOPT_COOKIE, cookie_string);
+	}
+
 	/* set the target URL */
 	curl_easy_setopt(curl, CURLOPT_URL, url);
 
@@ -514,7 +538,7 @@ static apr_byte_t oidc_util_http_call(request_rec *r, const char *url,
 	/* set and log the response */
 	oidc_debug(r, "response=%s", *response);
 
-	out:
+out:
 
 	/* cleanup and return the result */
 	if (h_list != NULL)
@@ -530,7 +554,8 @@ static apr_byte_t oidc_util_http_call(request_rec *r, const char *url,
 apr_byte_t oidc_util_http_get(request_rec *r, const char *url,
 		const apr_table_t *params, const char *basic_auth,
 		const char *bearer_token, int ssl_validate_server,
-		const char **response, int timeout, const char *outgoing_proxy) {
+		const char **response, int timeout, const char *outgoing_proxy,
+		apr_array_header_t *pass_cookies) {
 
 	if ((params != NULL) && (apr_table_elts(params)->nelts > 0)) {
 		oidc_http_encode_t data = { r, "" };
@@ -541,7 +566,8 @@ apr_byte_t oidc_util_http_get(request_rec *r, const char *url,
 	}
 
 	return oidc_util_http_call(r, url, NULL, NULL, basic_auth, bearer_token,
-			ssl_validate_server, response, timeout, outgoing_proxy);
+			ssl_validate_server, response, timeout, outgoing_proxy,
+			pass_cookies);
 }
 
 /*
@@ -550,7 +576,8 @@ apr_byte_t oidc_util_http_get(request_rec *r, const char *url,
 apr_byte_t oidc_util_http_post_form(request_rec *r, const char *url,
 		const apr_table_t *params, const char *basic_auth,
 		const char *bearer_token, int ssl_validate_server,
-		const char **response, int timeout, const char *outgoing_proxy) {
+		const char **response, int timeout, const char *outgoing_proxy,
+		apr_array_header_t *pass_cookies) {
 
 	const char *data = NULL;
 	if ((params != NULL) && (apr_table_elts(params)->nelts > 0)) {
@@ -563,7 +590,8 @@ apr_byte_t oidc_util_http_post_form(request_rec *r, const char *url,
 
 	return oidc_util_http_call(r, url, data,
 			"application/x-www-form-urlencoded", basic_auth, bearer_token,
-			ssl_validate_server, response, timeout, outgoing_proxy);
+			ssl_validate_server, response, timeout, outgoing_proxy,
+			pass_cookies);
 }
 
 /*
@@ -572,7 +600,7 @@ apr_byte_t oidc_util_http_post_form(request_rec *r, const char *url,
 apr_byte_t oidc_util_http_post_json(request_rec *r, const char *url,
 		const json_t *json, const char *basic_auth, const char *bearer_token,
 		int ssl_validate_server, const char **response, int timeout,
-		const char *outgoing_proxy) {
+		const char *outgoing_proxy, apr_array_header_t *pass_cookies) {
 
 	char *data = NULL;
 	if (json != NULL) {
@@ -583,7 +611,7 @@ apr_byte_t oidc_util_http_post_json(request_rec *r, const char *url,
 
 	return oidc_util_http_call(r, url, data, "application/json", basic_auth,
 			bearer_token, ssl_validate_server, response, timeout,
-			outgoing_proxy);
+			outgoing_proxy, pass_cookies);
 }
 
 /*