JWT Claims never added to session when OIDCPassIDTokenAs is set to serialized #129

Closed
DavidOfDoncaster opened this issue Apr 1, 2016 · 4 comments

@DavidOfDoncaster

This bug prevents the use of authorization via "require" directives as the claims aren't available.

See below from mod_auth_openidc.c starting at line 1015:

```c
if ((cfg->pass_idtoken_as & OIDC_PASS_IDTOKEN_AS_CLAIMS)) {
    /* set the id_token in the app headers + request state */
    if (oidc_set_app_claims(r, cfg, session,
            OIDC_IDTOKEN_CLAIMS_SESSION_KEY) == FALSE)
        return HTTP_INTERNAL_SERVER_ERROR;
}

if ((cfg->pass_idtoken_as & OIDC_PASS_IDTOKEN_AS_PAYLOAD)) {
    const char *s_id_token = NULL;
    /* get the string-encoded JSON object from the session */
    oidc_session_get(r, session, OIDC_IDTOKEN_CLAIMS_SESSION_KEY,
            &s_id_token);
    /* pass it to the app in a header or environment variable */
    oidc_util_set_app_info(r, "id_token_payload", s_id_token,
            OIDC_DEFAULT_HEADER_PREFIX, dir_cfg->pass_info_in_headers,
            dir_cfg->pass_info_in_env_vars);
}

if ((cfg->pass_idtoken_as & OIDC_PASS_IDTOKEN_AS_SERIALIZED)) {
    const char *s_id_token = NULL;
    /* get the compact serialized JWT from the session */
    oidc_session_get(r, session, OIDC_IDTOKEN_SESSION_KEY, &s_id_token);
    /* pass it to the app in a header or environment variable */
    oidc_util_set_app_info(r, "id_token", s_id_token,
            OIDC_DEFAULT_HEADER_PREFIX, dir_cfg->pass_info_in_headers,
            dir_cfg->pass_info_in_env_vars);
}
```

The claims are never set when the selection is serialized.

@zandbelt
Member

zandbelt commented Apr 1, 2016

Well, if you set OIDCPassIDTokenAs serialized it should mean that you want the ID token to be passed verbatim to the backend and not set the values as claims in headers; if you want both you'd use OIDCPassIDTokenAs claims serialized; are you saying that the latter doesn't work?

@zandbelt
Member

zandbelt commented Apr 9, 2016

Any update here, or can I assume that it was a matter of configuring the right setting?

@DavidOfDoncaster
Author

Sorry Hans,

I forgot to get back to you. Changing the configurations worked like you
said. I just find it odd that how I want the claims to be sent to me alters
the methods available to me for authorization. Is there a reasoning for
this?

Thanks,
Mike

@zandbelt
Member

zandbelt commented Apr 9, 2016

Ah, I got misled by the title of the issue and thought it was about claims being passed to your application session; I see what you mean now and I'll take a second look.
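
The configuration difference discussed in this thread, as an added example that is not part of any comment above and not the project's own sample configuration. Hostnames, client values, the protected path and the `department` claim are constructed placeholders.

```apache
# Constructed example: provider, client and claim values are placeholders.
OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
OIDCClientID example-client
OIDCClientSecret example-secret
OIDCRedirectURI https://app.example.com/protected/redirect_uri
OIDCCryptoPassphrase replace-with-a-random-secret

# As reported in this issue: with only "serialized" selected, the ID token
# claims were not available to "Require" directives, so claim-based
# authorization could not be used.
#OIDCPassIDTokenAs serialized

# Setting that worked for the reporter: "claims" makes the ID token claims
# available, and "serialized" still passes the compact JWT to the backend.
OIDCPassIDTokenAs claims serialized

<Location /protected>
    AuthType openid-connect
    # Claim-based authorization rule that depends on the claims being set.
    Require claim department:engineering
</Location>
```

When changing `OIDCPassIDTokenAs`, re-test every `Require claim` rule with a fresh login, since the thread shows the delivery format and the authorization data were coupled in this version.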
