support 3rd-party initiated login as defined in the spec

Hans Zandbelt · Hans Zandbelt · commit f7723c686d69 · 2014-06-12T15:08:25.000+02:00
see: http://openid.net/specs/openid-connect-core-1_0.html section: 4. Initiating Login from a Third Party
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,6 @@
+6/12/2014
+- support third-party-initiated login as defined in the spec
+
 6/6/2014
 - more changes for Debian packaging (1.5-3)
 
diff --git a/README.md b/README.md
@@ -162,18 +162,19 @@ And the related **mod_auth_openidc** Apache config section:
 If you do not want to use the internal discovery page (you really shouldn't...), you
 can have the user being redirected to an external discovery page by setting
 `OIDCDiscoveryURL`. That URL will be accessed with 2 parameters, `oidc_callback` and
-`oidc_return` (both URLs). The `oidc_return` parameter value needs to be returned to the
-`oidc_callback` URL (again in the `oidc_return parameter`) together with an
-`oidc_provider` parameter that contains the URL-encoded issuer value of the
+`target_link_uri` (both URLs). The `target_link_uri` parameter value needs to be returned to the
+`oidc_callback` URL (again in the `target_link_uri parameter`) together with an
+`iss` parameter that contains the URL-encoded issuer value of the
 selected Provider, or a URL-encoded account name for OpenID Connect Discovery
 purposes (aka. e-mail style identifier), or a domain name.
 
 Sample callback:
 
-    ${oidc_callback}?oidc_return=${oidc_return}&oidc_provider=[${issuer}|${domain}|${e-mail-style-account-name}]
+    <oidc_callback>?target_link_uri=<target_link_uri>&iss=[<issuer>|<domain>|<e-mail-style-account-name>]
 
-This is also the way of kicking off SSO to a specific provider from an
-external application/site when multiple OPs have been configured.
+This is also the OpenID Connect specified way of triggering 3rd party initiated SSO 
+to a specific provider when multiple OPs have been configured. In that case the callback
+may also contain a "login_hint" parameter with the login identifier the user might use to log in.
 
 
 ###Sample Config for PingFederate OpenID Connect & OAuth 2.0
diff --git a/auth_openidc.conf b/auth_openidc.conf
@@ -229,6 +229,12 @@ OIDCMetadataDir /var/cache/apache2/mod_auth_openidc/metadata
 # When not defined the bare-bones internal OP Discovery page is used.
 #OIDCDiscoverURL <discovery-url>
 
+# (Optional)
+# Defines a default URL to be used in case of 3rd-party or OP initiated
+# SSO when no explicit target_link_uri has been provided.
+# When not default, 3rd-party SSO must be done with a specified \"target_link_uri\" parameter.
+#OIDCDefaultURL <default-url>
+
 # (Optional)
 # Extra parameters that will be sent along with the Authorization Request.
 # These must be URL-query-encoded as in: "display=popup&prompt=consent" or
diff --git a/src/config.c b/src/config.c
@@ -473,6 +473,7 @@ void *oidc_create_server_config(apr_pool_t *pool, server_rec *svr) {
 
 	c->redirect_uri = NULL;
 	c->discover_url = NULL;
+	c->default_url = NULL;
 	c->public_keys = NULL;
 	c->private_keys = NULL;
 
@@ -555,6 +556,8 @@ void *oidc_merge_server_config(apr_pool_t *pool, void *BASE, void *ADD) {
 			add->redirect_uri != NULL ? add->redirect_uri : base->redirect_uri;
 	c->discover_url =
 			add->discover_url != NULL ? add->discover_url : base->discover_url;
+	c->default_url =
+			add->default_url != NULL ? add->default_url : base->default_url;
 	c->public_keys =
 			add->public_keys != NULL ? add->public_keys : base->public_keys;
 	c->private_keys =
@@ -1249,6 +1252,10 @@ const command_rec oidc_config_cmds[] = {
 				(void *)APR_OFFSETOF(oidc_cfg, discover_url),
 				RSRC_CONF,
 				"Defines an external IDP Discovery page"),
+		AP_INIT_TAKE1("OIDCDefaultURL", oidc_set_string_slot,
+				(void *)APR_OFFSETOF(oidc_cfg, default_url),
+				RSRC_CONF,
+				"Defines the default URL where the user is directed to in case of 3rd-party initiated SSO."),
 		AP_INIT_TAKE1("OIDCCookieDomain",
 				oidc_set_cookie_domain, NULL, RSRC_CONF,
 				"Specify domain element for OIDC session cookie."),
diff --git a/src/metadata.c b/src/metadata.c
@@ -848,6 +848,8 @@ static apr_byte_t oidc_metadata_client_get(request_rec *r, oidc_cfg *cfg,
 					provider->userinfo_encrypted_response_enc);
 		}
 
+		apr_table_addn(params, "initiate_login_uri",
+				cfg->redirect_uri);
 	}
 
 	/* try and get it from there, checking it and storing it if successful */
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -280,10 +280,13 @@ static apr_byte_t oidc_unsolicited_proto_state(request_rec *r, oidc_cfg *c,
 	char *target_uri = NULL;
 	apr_jwt_get_string(r->pool, &jwt->payload.value, "target_uri", &target_uri);
 	if (target_uri == NULL) {
-		ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-				"oidc_unsolicited_proto_state: no \"target_uri\" claim could be retrieved from JWT state, aborting");
-		apr_jwt_destroy(jwt);
-		return FALSE;
+		if (c->default_url == NULL) {
+			ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+				"oidc_unsolicited_proto_state: no \"target_uri\" claim could be retrieved from JWT state and no OIDCDefaultURL is set, aborting");
+			apr_jwt_destroy(jwt);
+			return FALSE;
+		}
+		target_uri = c->default_url;
 	}
 
 	if (c->metadata_dir != NULL) {
@@ -1082,7 +1085,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
  * authenticate the user to the selected OP, if the OP is not selected yet perform discovery first
  */
 static int oidc_authenticate_user(request_rec *r, oidc_cfg *c,
-		oidc_provider_t *provider, const char *original_url) {
+		oidc_provider_t *provider, const char *original_url, const char *login_hint) {
 
 	ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r,
 			"oidc_authenticate_user: entering");
@@ -1161,7 +1164,7 @@ static int oidc_authenticate_user(request_rec *r, oidc_cfg *c,
 
 	/* send off to the OpenID Connect Provider */
 	// TODO: maybe show intermediate/progress screen "redirecting to"
-	return oidc_proto_authorization_request(r, provider, c->redirect_uri, state, &proto_state);
+	return oidc_proto_authorization_request(r, provider, login_hint, c->redirect_uri, state, &proto_state);
 }
 
 /*
@@ -1170,40 +1173,56 @@ static int oidc_authenticate_user(request_rec *r, oidc_cfg *c,
 static apr_byte_t oidc_is_discovery_response(request_rec *r, oidc_cfg *cfg) {
 	/*
 	 * prereq: this is a call to the configured redirect_uri, now see if:
-	 * the OIDC_RT_PARAM_NAME parameter is present and
-	 * the OIDC_DISC_ACCT_PARAM or OIDC_DISC_OP_PARAM is present
+	 * the OIDC_DISC_OP_PARAM is present
 	 */
-	return (oidc_util_request_has_parameter(r, OIDC_DISC_RT_PARAM)
-			&& (oidc_util_request_has_parameter(r, OIDC_DISC_OP_PARAM)));
+	return oidc_util_request_has_parameter(r, OIDC_DISC_OP_PARAM);
 }
 
 /*
  * handle a response from an IDP discovery page
  */
 static int oidc_handle_discovery_response(request_rec *r, oidc_cfg *c) {
 
-	/* variables to hold the values (original_url+issuer or original_url+acct) returned in the response */
-	char *issuer = NULL, *original_url = NULL;
+	/* variables to hold the values returned in the response */
+	char *issuer = NULL, *target_link_uri = NULL, *login_hint = NULL;
 	oidc_provider_t *provider = NULL;
 
 	oidc_util_get_request_parameter(r, OIDC_DISC_OP_PARAM, &issuer);
-	oidc_util_get_request_parameter(r, OIDC_DISC_RT_PARAM, &original_url);
+	oidc_util_get_request_parameter(r, OIDC_DISC_RT_PARAM, &target_link_uri);
+	oidc_util_get_request_parameter(r, OIDC_DISC_LH_PARAM, &login_hint);
 
 	// TODO: trim issuer/accountname/domain input and do more input validation
 
 	ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r,
-			"oidc_handle_discovery_response: issuer=\"%s\", original_url=\"%s\"",
-			issuer, original_url);
+			"oidc_handle_discovery_response: issuer=\"%s\", target_link_uri=\"%s\", login_hint=\"%s\"",
+			issuer, target_link_uri, login_hint);
 
-	if ((issuer == NULL) || (original_url == NULL)) {
+	if (issuer == NULL) {
 		return oidc_util_http_sendstring(r,
 				"mod_auth_openidc: wherever you came from, it sent you here with the wrong parameters...",
 				HTTP_INTERNAL_SERVER_ERROR);
 	}
 
+	if (target_link_uri == NULL) {
+		if (c->default_url == NULL) {
+			return oidc_util_http_sendstring(r,
+					"mod_auth_openidc: 3rd party initiated SSO to this module without specifying a \"target_link_uri\" parameter is not possible because OIDCDefaultURL is not set.",
+					HTTP_INTERNAL_SERVER_ERROR);
+		}
+		target_link_uri = c->default_url;
+	}
+
+	// TODO: check that target_link_uri matches OIDCCookieDomain and/or OIDCRedirectURI
+
 	/* find out if the user entered an account name or selected an OP manually */
 	if (strstr(issuer, "@") != NULL) {
 
+		if (login_hint == NULL) {
+			login_hint = apr_pstrdup(r->pool, issuer);
+			//char *p = strstr(issuer, "@");
+			//*p = '\0';
+		}
+
 		/* got an account name as input, perform OP discovery with that */
 		if (oidc_proto_account_based_discovery(r, c, issuer, &issuer) == FALSE) {
 
@@ -1234,7 +1253,7 @@ static int oidc_handle_discovery_response(request_rec *r, oidc_cfg *c) {
 			&& (provider != NULL)) {
 
 		/* now we've got a selected OP, send the user there to authenticate */
-		return oidc_authenticate_user(r, c, provider, original_url);
+		return oidc_authenticate_user(r, c, provider, target_link_uri, login_hint);
 	}
 
 	/* something went wrong */
@@ -1406,7 +1425,7 @@ static int oidc_check_userid_openidc(request_rec *r, oidc_cfg *c) {
 	}
 
 	/* no session (regardless of whether it is main or sub-request), go and authenticate the user */
-	return oidc_authenticate_user(r, c, NULL, oidc_get_current_url(r, c));
+	return oidc_authenticate_user(r, c, NULL, oidc_get_current_url(r, c), NULL);
 }
 
 /*
diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
@@ -84,9 +84,11 @@ APLOG_USE_MODULE(auth_openidc);
 /* parameter name of the callback URL in the discovery response */
 #define OIDC_DISC_CB_PARAM "oidc_callback"
 /* parameter name of the OP provider selection in the discovery response */
-#define OIDC_DISC_OP_PARAM "oidc_provider"
+#define OIDC_DISC_OP_PARAM "iss"
 /* parameter name of the original URL in the discovery response */
-#define OIDC_DISC_RT_PARAM "oidc_return"
+#define OIDC_DISC_RT_PARAM "target_link_uri"
+/* parameter name of login hint in the discovery response */
+#define OIDC_DISC_LH_PARAM "login_hint"
 
 /* value that indicates to use server-side cache based session tracking */
 #define OIDC_SESSION_TYPE_22_SERVER_CACHE 0
@@ -161,6 +163,8 @@ typedef struct oidc_cfg {
 	char *redirect_uri;
 	/* (optional) external OP discovery page */
 	char *discover_url;
+	/* (optional) default URL for 3rd-party initiated SSO */
+	char *default_url;
 
 	/* public keys in JWK format, used by parters for encrypting JWTs sent to us */
 	apr_hash_t *public_keys;
@@ -241,7 +245,7 @@ typedef struct oidc_proto_state {
 	apr_time_t timestamp;
 } oidc_proto_state;
 
-int oidc_proto_authorization_request(request_rec *r, struct oidc_provider_t *provider, const char *redirect_uri, const char *state, oidc_proto_state *proto_state);
+int oidc_proto_authorization_request(request_rec *r, struct oidc_provider_t *provider, const char *login_hint, const char *redirect_uri, const char *state, oidc_proto_state *proto_state);
 apr_byte_t oidc_proto_is_post_authorization_response(request_rec *r, oidc_cfg *cfg);
 apr_byte_t oidc_proto_is_redirect_authorization_response(request_rec *r, oidc_cfg *cfg);
 apr_byte_t oidc_proto_check_token_type(request_rec *r, oidc_provider_t *provider, const char *token_type);
diff --git a/src/proto.c b/src/proto.c
@@ -110,7 +110,7 @@ int oidc_proto_authorization_request_post_preserve(request_rec *r,
  * send an OpenID Connect authorization request to the specified provider
  */
 int oidc_proto_authorization_request(request_rec *r,
-		struct oidc_provider_t *provider, const char *redirect_uri,
+		struct oidc_provider_t *provider, const char *login_hint, const char *redirect_uri,
 		const char *state, oidc_proto_state *proto_state) {
 
 	/* log some stuff */
@@ -149,10 +149,11 @@ int oidc_proto_authorization_request(request_rec *r,
 				authorization_request,
 				oidc_util_escape_string(r, proto_state->response_mode));
 
-	/* preserve POSTed form parameters if enabled */
-	if (apr_strnatcmp(proto_state->original_method, "form_post") == 0)
-		return oidc_proto_authorization_request_post_preserve(r,
-				authorization_request);
+	/* add the login_hint if provided */
+	if (login_hint != NULL)
+		authorization_request = apr_psprintf(r->pool, "%s&login_hint=%s",
+				authorization_request,
+				oidc_util_escape_string(r, login_hint));
 
 	/* add any custom authorization request parameters if configured */
 	if (provider->auth_request_params != NULL) {
@@ -161,6 +162,11 @@ int oidc_proto_authorization_request(request_rec *r,
 				provider->auth_request_params);
 	}
 
+	/* preserve POSTed form parameters if enabled */
+	if (apr_strnatcmp(proto_state->original_method, "form_post") == 0)
+		return oidc_proto_authorization_request_post_preserve(r,
+				authorization_request);
+
 	/* add the redirect location header */
 	apr_table_add(r->headers_out, "Location", authorization_request);
 

Original file line number	Diff line number	Diff line change
`@@ -848,6 +848,8 @@ static apr_byte_t oidc_metadata_client_get(request_rec r, oidc_cfg cfg,`
`848`	`848`	`provider->userinfo_encrypted_response_enc);`
`849`	`849`	`}`
`850`	`850`
	`851`	`+ apr_table_addn(params, "initiate_login_uri",`
	`852`	`+ cfg->redirect_uri);`
`851`	`853`	`}`
`852`	`854`
`853`	`855`	`/* try and get it from there, checking it and storing it if successful */`