From db7d4ffb3bf3b0830da7f0662682cac8da437685 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 26 Aug 2020 14:52:17 +0200
Subject: [PATCH] Only set Same-Site=None if an option is set
---
auth_openidc.conf | 5 +++++
src/config.c | 11 +++++++++++
src/mod_auth_openidc.c | 6 +++---
src/mod_auth_openidc.h | 2 ++
src/session.c | 6 ++++--
src/util.c | 12 ++++++++++++
6 files changed, 37 insertions(+), 5 deletions(-)
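diff --git a/auth_openidc.conf b/auth_openidc.conf
index 056b2e4..87ae552 100644
--- a/auth_openidc.conf
+++ b/auth_openidc.conf
@@ -514,6 +514,11 @@
 # When not defined the default is "mod_auth_openidc_session".
 #OIDCCookie <cookie-name>
 
+# Defines whether the SameSite flag will be set to None on the session cookie.
+# When On, the session cookie will have SameSite=None set.
+# When not defined the default is Off.
+#OIDCCookieSameSiteNone [On|Off]
+
 # (Optional)
 # Defines whether the HttpOnly flag will be set on cookies.
 # When not defined the default is On.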
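Review bot: The new comment says the directive applies to "the session cookie", but the hunks in src/mod_auth_openidc.c route the state cookie and the CSRF cookie through `oidc_util_cookie_ext_value()` as well, so the setting governs every cookie the module sets; the `AP_INIT_FLAG` description string in src/config.c has the same wording. Suggest `# Defines whether the SameSite attribute is set to None on the cookies the module sets (session, state and CSRF cookies).` Operators would also benefit from a line stating that browsers accept `SameSite=None` only together with the `Secure` attribute, i.e. over HTTPS, and that with the default Off no SameSite attribute is emitted, so the browser's own default applies (Lax in current browsers), which may matter for flows where the provider returns the response via a cross-site POST.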
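diff --git a/src/config.c b/src/config.c
index 999d4ee..2cdc5ed 100644
--- a/src/config.c
+++ b/src/config.c
@@ -85,6 +85,8 @@
 #define OIDC_DEFAULT_OAUTH_CLAIM_REMOTE_USER "sub"
 /* default name of the session cookie */
 #define OIDC_DEFAULT_COOKIE "mod_auth_openidc_session"
+/* set Same-Site=None flag on session cookie */
+#define OIDC_DEFAULT_COOKIE_SAME_SITE_NONE 0
 /* default for the HTTP header name in which the remote user name is passed */
 #define OIDC_DEFAULT_AUTHN_HEADER NULL
 /* scrub HTTP headers by default unless overridden (and insecure) */
@@ -1050,6 +1052,7 @@ void *oidc_create_server_config(apr_pool_t *pool, server_rec *svr) {
 c->remote_user_claim.reg_exp = NULL;
 c->pass_idtoken_as = OIDC_PASS_IDTOKEN_AS_CLAIMS;
 c->cookie_http_only = OIDC_DEFAULT_COOKIE_HTTPONLY;
+ c->cookie_same_site_none = OIDC_DEFAULT_COOKIE_SAME_SITE_NONE;
 
 c->outgoing_proxy = NULL;
 c->crypto_passphrase = NULL;
@@ -1373,6 +1376,9 @@ void *oidc_merge_server_config(apr_pool_t *pool, void *BASE, void *ADD) {
 c->cookie_http_only =
 add->cookie_http_only != OIDC_DEFAULT_COOKIE_HTTPONLY ?
 add->cookie_http_only : base->cookie_http_only;
+ c->cookie_same_site_none =
+ add->cookie_same_site_none != OIDC_DEFAULT_COOKIE_SAME_SITE_NONE ?
+ add->cookie_same_site_none : base->cookie_same_site_none;
 
 c->outgoing_proxy =
 add->outgoing_proxy != NULL ?
@@ -2029,6 +2035,11 @@ const command_rec oidc_config_cmds[] = {
 (void *) APR_OFFSETOF(oidc_cfg, cookie_http_only),
 RSRC_CONF,
 "Defines whether or not the cookie httponly flag is set on cookies."),
+ AP_INIT_FLAG("OIDCCookieSameSiteNone",
+ oidc_set_flag_slot,
+ (void *) APR_OFFSETOF(oidc_cfg, cookie_same_site_none),
+ RSRC_CONF,
+ "Defines whether or not the cookie Same-Site flag is set to None on session cookies."),
 AP_INIT_TAKE1("OIDCOutgoingProxy",
 oidc_set_string_slot,
 (void*)APR_OFFSETOF(oidc_cfg, outgoing_proxy),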
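Review bot: The merge of `c->cookie_same_site_none` in the hunk at -1373 uses the default `0` as the "not configured" sentinel, so a virtual host that explicitly sets `OIDCCookieSameSiteNone Off` cannot override a server-level `On`: Off and unset are indistinguishable. This mirrors the existing `cookie_http_only` merge directly above it, so it is consistent rather than new, but for an attribute that widens where a session cookie is sent, the inability to switch it off per vhost deserves either a sentence in the directive description or a tri-state default (e.g. `-1` for unset, with the helper in src/util.c treating anything but `1` as Off). The new default's comment `/* set Same-Site=None flag on session cookie */` and the description string both say "session cookie", while the callers in src/mod_auth_openidc.c apply the value to the state and CSRF cookies as well. `oidc_create_server_config`, `oidc_merge_server_config` and the `oidc_config_cmds` table all start and end outside these hunks.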
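diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index a4429a6..efae0f3 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -576,7 +576,7 @@ static apr_byte_t oidc_authorization_request_set_cookie(request_rec *r,
 const char *cookieName = oidc_get_state_cookie_name(r, state);
 
 /* set it as a cookie */
- oidc_util_set_cookie(r, cookieName, cookieValue, -1, OIDC_COOKIE_EXT_SAME_SITE_NONE);
+ oidc_util_set_cookie(r, cookieName, cookieValue, -1, oidc_util_cookie_ext_value(c));
 
 free(s_value);
 
@@ -1644,7 +1644,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
 oidc_debug(r, "redirecting to external discovery page: %s", url);
 
 /* set CSRF cookie */
- oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, OIDC_COOKIE_EXT_SAME_SITE_NONE);
+ oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, oidc_util_cookie_ext_value(cfg));
 
 /* do the actual redirect to an external discovery page */
 apr_table_add(r->headers_out, "Location", url);
@@ -1705,7 +1705,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
 "%s<input type=\"submit\" value=\"Submit\"> \n", s);
 s = apr_psprintf(r->pool, "%s</form>\n", s);
 
- oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, OIDC_COOKIE_EXT_SAME_SITE_NONE);
+ oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, oidc_util_cookie_ext_value(cfg));
 
 /* now send the HTML contents to the user agent */
 return oidc_util_html_send(r, "OpenID Connect Provider Discovery",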
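diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
index cbace6a..546185c 100644
--- a/src/mod_auth_openidc.h
+++ b/src/mod_auth_openidc.h
@@ -342,6 +342,7 @@ typedef struct oidc_cfg {
 oidc_remote_user_claim_t remote_user_claim;
 int pass_idtoken_as;
 int cookie_http_only;
+ int cookie_same_site_none;
 
 char *outgoing_proxy;
 
@@ -437,6 +438,7 @@ char *oidc_normalize_header_name(const request_rec *r, const char *str);
 
 void oidc_util_set_cookie(request_rec *r, const char *cookieName, const char *cookieValue, apr_time_t expires, const char *ext);
 char *oidc_util_get_cookie(request_rec *r, const char *cookieName);
+const char *oidc_util_cookie_ext_value(oidc_cfg *c);
 apr_byte_t oidc_util_http_get(request_rec *r, const char *url, const apr_table_t *params, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies);
 apr_byte_t oidc_util_http_post_form(request_rec *r, const char *url, const apr_table_t *params, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies);
 apr_byte_t oidc_util_http_post_json(request_rec *r, const char *url, const json_t *data, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies);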
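Review bot: The new prototype in the hunk at -437 does not say what it returns, and the NULL case matters because it is handed straight to `oidc_util_set_cookie()` as `ext`; suggest `/* cookie attributes to append when OIDCCookieSameSiteNone is On (OIDC_COOKIE_EXT_SAME_SITE_NONE), NULL otherwise */` above the declaration. The definition in src/util.c only reads `c->cookie_same_site_none`, so the parameter can be declared `const oidc_cfg *c` here and in the definition. The `oidc_cfg` struct in the first hunk begins before the hunk.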
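diff --git a/src/session.c b/src/session.c
index 7e7e2ac..f749f40 100644
--- a/src/session.c
+++ b/src/session.c
@@ -380,7 +380,8 @@ static apr_status_t oidc_session_save_cache(request_rec *r, session_rec *z) {
 
 /* set the uuid in the cookie */
 oidc_util_set_cookie(r, d->cookie, key,
- c->persistent_session_cookie ? z->expiry : -1, OIDC_COOKIE_EXT_SAME_SITE_NONE);
+ c->persistent_session_cookie ? z->expiry : -1,
+ oidc_util_cookie_ext_value(c));
 
 /* store the string-encoded session in the cache */
 c->cache->set(r, OIDC_CACHE_SECTION_SESSION, key, z->encoded,
@@ -430,7 +431,8 @@ static apr_status_t oidc_session_save_cookie(request_rec *r, session_rec *z) {
 }
 }
 oidc_util_set_cookie(r, d->cookie, cookieValue,
- c->persistent_session_cookie ? z->expiry : -1, OIDC_COOKIE_EXT_SAME_SITE_NONE);
+ c->persistent_session_cookie ? z->expiry : -1,
+ oidc_util_cookie_ext_value(c));
 
 return APR_SUCCESS;
 }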
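diff --git a/src/util.c b/src/util.c
index 6db64ac..963586a 100644
--- a/src/util.c
+++ b/src/util.c
@@ -697,6 +697,18 @@ const char *oidc_util_set_cookie_append_value(request_rec *r, oidc_cfg *c) {
 return env_var_value;
 }
 
+const char *oidc_util_cookie_ext_value(oidc_cfg *c) {
+ if (c == NULL) {
+ return NULL;
+ }
+
+ if (c->cookie_same_site_none == 0) {
+ return NULL;
+ }
+
+ return OIDC_COOKIE_EXT_SAME_SITE_NONE;
+}
+
 /*
 * set a cookie in the HTTP response headers
 */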
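Review bot: `oidc_util_cookie_ext_value()` returns NULL whenever the directive is Off, which is now the default, so every `oidc_util_set_cookie()` call site in this commit passes a NULL `ext`; the body of `oidc_util_set_cookie()` is outside the hunk, so confirm it treats NULL as "no extra attributes" rather than formatting it with `%s`, since before this change the argument was always a non-NULL string. The two guards can be one, `if ((c == NULL) || (c->cookie_same_site_none == 0)) return NULL;`. The neighbouring functions carry a `/* ... */` header comment and this one does not; suggest `/* return the cookie attributes to append when OIDCCookieSameSiteNone is On, NULL otherwise */` above the definition.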
--
2.26.2