apply ISO-8859-1 as default encoding mechanism for claim values

passed in headers and environment variables to comply with https://www.rfc-editor.org/rfc/rfc5987; see #957; use "OIDCPassClaimsAs <any> none" for backwards compatibility; bump to 2.4.15rc3 Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>
OpenIDC · Nov 2, 2023 · 28e79bf · 28e79bf
1 parent 8ffa1c3
commit 28e79bf
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 12 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,9 @@
+11/02/2023
+- apply ISO-8859-1 ("latin1") as default encoding mechanism for claim values passed in headers and environment
+  variables to comply with https://www.rfc-editor.org/rfc/rfc5987; see #957; use "OIDCPassClaimsAs <any> none"
+  for backwards compatibility
+- bump to 2.4.15rc3
+
 11/01/2023
 - avoid warnings on cache misses (regression introduced in 2.4.15rc1)
 - bump to 2.4.15rc2

diff --git a/auth_openidc.conf b/auth_openidc.conf
@@ -843,15 +843,16 @@
 # "headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's)
 # "both": claims/tokens are passed as both headers as well as environment variables (default)
 #
-# "base64url" can be specified as the 2nd argument to apply base64url encoding to all values passed
-# in headers. Alternatively the "latin1" option can be specified to apply ISO-8859-1 encoding to all
-# values passed in headers as well as environment variables, which may result in out of bound
-# characters converted to the "?" character.
-# When not defined the default is "both" and no encoding is applied to the header/environment values.
+# A second parameter can be specified that defines the encodong applied to all values passed in headers
+# and environment variables:
+#   "latin1" applies ISO-8859-1 encoding: this may result in out of bound characters converted to the "?" character.
+#   "base64url" applies base64url encoding
+#   "none" applies no encoding and copies literal values from the claims into the headers/environment variables
+# When not defined the default is "both" and "latin1" encoding is applied to the header/environment values.
 #
 # The access token is passed in OIDC_access_token; the access token expiry is passed in OIDC_access_token_expires.
 # The refresh token is only passed in OIDC_refresh_token if enabled for that specific directory/location (see: OIDCPassRefreshToken)
-#OIDCPassClaimsAs [none|headers|environment|both] [base64url|latin1]
+#OIDCPassClaimsAs [none|headers|environment|both] [latin1|base64url|none]
 
 # Specify the HTTP header variable name to set with the name of the authenticated user,
 # i.e. copy what is set in REMOTE_USER and configured in OIDCRemoteUserClaim or OIDCOAuthRemoteUserClaim.

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.15rc2],[hans.zandbelt@openidc.com])
+AC_INIT([mod_auth_openidc],[2.4.15rc3],[hans.zandbelt@openidc.com])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

diff --git a/src/config.c b/src/config.c
@@ -145,7 +145,7 @@
 /* default for passing app info in environment variables */
 #define OIDC_DEFAULT_PASS_APP_INFO_IN_ENVVARS 1
 /* default for passing app info in base64 encoded format */
-#define OIDC_DEFAULT_PASS_APP_INFO_HDR_AS 0
+#define OIDC_DEFAULT_PASS_APP_INFO_HDR_AS OIDC_PASS_APP_INFO_AS_LATIN1
 /* default value for the token introspection interval (0 = disabled, no expiry of claims) */
 #define OIDC_DEFAULT_TOKEN_INTROSPECTION_INTERVAL 0
 /* default action to take on an incoming unauthenticated request */
@@ -1128,6 +1128,7 @@ static const char* oidc_set_remote_user_claim(cmd_parms *cmd, void *struct_ptr,
 
 /*
  * define how to pass claims information to the application: in headers and/or environment variables
+ * and optionally specify the encoding applied to the values
  */
 static const char* oidc_set_pass_claims_as(cmd_parms *cmd, void *m,
 		const char *arg1, const char *arg2) {
@@ -1140,11 +1141,14 @@ static const char* oidc_set_pass_claims_as(cmd_parms *cmd, void *m,
 				dir_cfg->pass_info_as = OIDC_PASS_APP_INFO_AS_BASE64URL;
 			} else if (_oidc_strcmp(arg2, "latin1") == 0) {
 				dir_cfg->pass_info_as = OIDC_PASS_APP_INFO_AS_LATIN1;
+			} else if (_oidc_strcmp(arg2, "none") == 0) {
+				dir_cfg->pass_info_as = OIDC_PASS_APP_INFO_AS_NONE;
 			} else {
-				rv = apr_pstrcat(cmd->temp_pool, "unknown encoding option \"",
-						arg2,
-						"\", only \"base64url\" or \"latin1\" is supported",
-						NULL);
+				rv =
+						apr_pstrcat(cmd->temp_pool,
+								"unknown encoding option \"", arg2,
+								"\", only \"base64url\", \"latin1\" or \"none\" is supported",
+								NULL);
 			}
 		}
 	}

diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
@@ -162,6 +162,7 @@ APLOG_USE_MODULE(auth_openidc);
 /* pass as re-signed JWT including id_token claims */
 #define OIDC_PASS_USERINFO_AS_SIGNED_JWT   4
 
+#define OIDC_PASS_APP_INFO_AS_NONE      0
 #define OIDC_PASS_APP_INFO_AS_BASE64URL 1
 #define OIDC_PASS_APP_INFO_AS_LATIN1    2