diff --git a/SOURCES/0008-add-value-of-OIDC_SET_COOKIE_APPEND-env-var-to-Set-C.patch b/SOURCES/0008-add-value-of-OIDC_SET_COOKIE_APPEND-env-var-to-Set-C.patch
new file mode 100644
index 0000000..c875ede
--- /dev/null
+++ b/SOURCES/0008-add-value-of-OIDC_SET_COOKIE_APPEND-env-var-to-Set-C.patch
@@ -0,0 +1,86 @@
+From f34a1cfeefc7915fb12f05c74d3a8a60f60388fa Mon Sep 17 00:00:00 2001
+From: Hans Zandbelt
+Date: Wed, 15 Jan 2020 17:58:53 +0100
+Subject: [PATCH 8/9] add value of OIDC_SET_COOKIE_APPEND env var to Set-Cookie
+ headers
+
+- useful for handling changing/upcoming SameSite behaviors across
+different browsers, e.g.:
+ SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=SameSite=None
+- bump to 2.4.1rc4
+
+Signed-off-by: Hans Zandbelt
+(cherry picked from commit a326dbe843a755124ecee883db52dcdc26284c26)
+---
+ ChangeLog | 5 +++++
+ src/util.c | 27 +++++++++++++++++++++++++++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/ChangeLog b/ChangeLog
+index 6f28a3c..b3ed8f3 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,8 @@
++01/15/2020
++- add value of OIDC_SET_COOKIE_APPEND env var to Set-Cookie headers
++ useful for handling changing/upcoming SameSite behaviors across different browsers, e.g.:
++ SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=SameSite=None
++
+ 3/10/2016
+ - release 1.8.8
+
+diff --git a/src/util.c b/src/util.c
+index b687cb6..472d0cd 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -676,6 +676,27 @@ static char *oidc_util_get_cookie_path(request_rec *r) {
+ return (rv);
+ }
+
++#define OIDC_SET_COOKIE_APPEND_ENV_VAR "OIDC_SET_COOKIE_APPEND"
++
++const char *oidc_util_set_cookie_append_value(request_rec *r, oidc_cfg *c) {
++ const char *env_var_value = NULL;
++
++ if (r->subprocess_env != NULL)
++ env_var_value = apr_table_get(r->subprocess_env,
++ OIDC_SET_COOKIE_APPEND_ENV_VAR);
++
++ if (env_var_value == NULL) {
++ oidc_debug(r, "no cookie append environment variable %s found",
++ OIDC_SET_COOKIE_APPEND_ENV_VAR);
++ return NULL;
++ }
++
++ oidc_debug(r, "cookie append environment variable %s=%s found",
++ OIDC_SET_COOKIE_APPEND_ENV_VAR, env_var_value);
++
++ return env_var_value;
++}
++
+ /*
+ * set a cookie in the HTTP response headers
+ */
+@@ -685,6 +706,7 @@ void oidc_util_set_cookie(request_rec *r, const char
*cookieName,
+ oidc_cfg *c = ap_get_module_config(r->server->module_config,
+ &auth_openidc_module);
+ char *headerString, *currentCookies, *expiresString = NULL;
++ const char *appendString = NULL;
+
+ /* see if we need to clear the cookie */
+ if (apr_strnatcmp(cookieValue, "") == 0)
+@@ -710,6 +732,11 @@ void oidc_util_set_cookie(request_rec *r, const char *cookieName,
+ ";Secure" : ""),
+ c->cookie_http_only != FALSE ? ";HttpOnly" : "");
+
++ appendString = oidc_util_set_cookie_append_value(r, c);
++ if (appendString != NULL)
++ headerString = apr_psprintf(r->pool, "%s; %s", headerString,
++ appendString);
++
+ /* sanity check on overall cookie value size */
+ if (strlen(headerString) > 4093) {
+ oidc_warn(r,
+--
+2.26.2
+
diff --git a/SOURCES/0009-Backport-setting-an-extra-cookie-parameter.patch b/SOURCES/0009-Backport-setting-an-extra-cookie-parameter.patch
new file mode 100644
index 0000000..fda1519
--- /dev/null
+++ b/SOURCES/0009-Backport-setting-an-extra-cookie-parameter.patch
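Review bot: The value read from `OIDC_SET_COOKIE_APPEND` in oidc_util_set_cookie_append_value is spliced into the Set-Cookie header verbatim by `apr_psprintf(r->pool, "%s; %s", headerString, appendString)` with no check that it is a well-formed attribute string; since r->subprocess_env is populated by SetEnvIf or mod_rewrite rules that an administrator may derive from request data, a CR/LF in the value would become a response-header injection unless httpd's output filter is being relied on to reject it, which nothing in this hunk establishes. Refusing control characters before returning the value keeps the module's own cookie attributes intact regardless of how the variable was set. The `c` parameter of oidc_util_set_cookie_append_value is not used in the visible body and could be dropped or documented as reserved. The 4093-byte size check does run after the append, which is the right order. oidc_util_set_cookie starts and ends outside this hunk.
```c
const char *oidc_util_set_cookie_append_value(request_rec *r, oidc_cfg *c) {
	/* … unchanged: lookup in r->subprocess_env and the "not found" debug path … */

	/* refuse values that could terminate the header or smuggle a new one */
	if (strpbrk(env_var_value, "\r\n") != NULL) {
		oidc_warn(r, "ignoring %s: value contains CR/LF",
				OIDC_SET_COOKIE_APPEND_ENV_VAR);
		return NULL;
	}

	/* … unchanged: "found" debug message and return … */
```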
@@ -0,0 +1,139 @@
+From 8719323667740a50118cff15dfb6f4750524d19f Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Wed, 26 Aug 2020 12:04:14 +0200
+Subject: [PATCH 9/9] Backport setting an extra cookie parameter
+
+---
+ src/mod_auth_openidc.c | 12 ++++++------
+ src/mod_auth_openidc.h | 2 +-
+ src/session.c | 6 +++---
+ src/util.c | 4 +++-
+ 4 files changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 3a11a98..6c86271 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -477,7 +477,7 @@ static void oidc_clean_expired_state_cookies(request_rec *r, oidc_cfg *c) {
+ apr_time_t now = apr_time_sec(apr_time_now());
+ if (now > json_integer_value(v) + c->state_timeout) {
+ oidc_error(r, "state has expired");
+- oidc_util_set_cookie(r, cookieName, "", 0);
++ oidc_util_set_cookie(r, cookieName, "", 0, NULL);
+ }
+ json_decref(state);
+ }
+@@ -509,7 +509,7 @@ static apr_byte_t oidc_restore_proto_state(request_rec *r, oidc_cfg *c,
+ }
+
+ /* clear state cookie because we don't need it anymore */
+- oidc_util_set_cookie(r, cookieName, "", 0);
++ oidc_util_set_cookie(r, cookieName, "", 0, NULL);
+
+ *proto_state = oidc_get_state_from_cookie(r, cookieValue);
+ if (*proto_state == NULL) return FALSE;
+@@ -576,7 +576,7 @@ static apr_byte_t oidc_authorization_request_set_cookie(request_rec *r,
+ const char *cookieName = oidc_get_state_cookie_name(r, state);
+
+ /* set it as a cookie */
+- oidc_util_set_cookie(r, cookieName, cookieValue, -1);
++ oidc_util_set_cookie(r, cookieName, cookieValue, -1, NULL);
+
+ free(s_value);
+
+@@ -1644,7 +1644,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) {
+ oidc_debug(r, "redirecting to external discovery page: %s", url);
+
+ /* set CSRF cookie */
+- oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1);
++ oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, NULL);
+
+ /* do the actual redirect to an external discovery page */
+ apr_table_add(r->headers_out,
"Location", url); +@@ -1705,7 +1705,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) { + "%s

\n", s); + s = apr_psprintf(r->pool, "%s\n", s); + +- oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1); ++ oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, NULL); + + /* now send the HTML contents to the user agent */ + return oidc_util_html_send(r, "OpenID Connect Provider Discovery", +@@ -1935,7 +1935,7 @@ static int oidc_handle_discovery_response(request_rec *r, oidc_cfg *c) { + if (csrf_cookie) { + + /* clean CSRF cookie */ +- oidc_util_set_cookie(r, OIDC_CSRF_NAME, "", 0); ++ oidc_util_set_cookie(r, OIDC_CSRF_NAME, "", 0, NULL); + + /* compare CSRF cookie value with query parameter value */ + if ((csrf_query == NULL) +diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h +index 6f6bd92..d6c5050 100644 +--- a/src/mod_auth_openidc.h ++++ b/src/mod_auth_openidc.h +@@ -433,7 +433,7 @@ char *oidc_get_current_url(request_rec *r); + char *oidc_url_encode(const request_rec *r, const char *str, const char *charsToEncode); + char *oidc_normalize_header_name(const request_rec *r, const char *str); + +-void oidc_util_set_cookie(request_rec *r, const char *cookieName, const char *cookieValue, apr_time_t expires); ++void oidc_util_set_cookie(request_rec *r, const char *cookieName, const char *cookieValue, apr_time_t expires, const char *ext); + char *oidc_util_get_cookie(request_rec *r, const char *cookieName); + apr_byte_t oidc_util_http_get(request_rec *r, const char *url, const apr_table_t *params, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies); + apr_byte_t oidc_util_http_post_form(request_rec *r, const char *url, const apr_table_t *params, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies); +diff --git a/src/session.c b/src/session.c +index 6b5f311..28b43d0 100644 +--- a/src/session.c ++++ b/src/session.c +@@ -380,7 
+380,7 @@ static apr_status_t oidc_session_save_cache(request_rec *r, session_rec *z) { + + /* set the uuid in the cookie */ + oidc_util_set_cookie(r, d->cookie, key, +- c->persistent_session_cookie ? z->expiry : -1); ++ c->persistent_session_cookie ? z->expiry : -1, NULL); + + /* store the string-encoded session in the cache */ + c->cache->set(r, OIDC_CACHE_SECTION_SESSION, key, z->encoded, +@@ -389,7 +389,7 @@ static apr_status_t oidc_session_save_cache(request_rec *r, session_rec *z) { + } else { + + /* clear the cookie */ +- oidc_util_set_cookie(r, d->cookie, "", 0); ++ oidc_util_set_cookie(r, d->cookie, "", 0, NULL); + + /* remove the session from the cache */ + c->cache->set(r, OIDC_CACHE_SECTION_SESSION, key, NULL, 0); +@@ -430,7 +430,7 @@ static apr_status_t oidc_session_save_cookie(request_rec *r, session_rec *z) { + } + } + oidc_util_set_cookie(r, d->cookie, cookieValue, +- c->persistent_session_cookie ? z->expiry : -1); ++ c->persistent_session_cookie ? z->expiry : -1, NULL); + + return APR_SUCCESS; + } +diff --git a/src/util.c b/src/util.c +index 472d0cd..6db64ac 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -701,7 +701,7 @@ const char *oidc_util_set_cookie_append_value(request_rec *r, oidc_cfg *c) { + * set a cookie in the HTTP response headers + */ + void oidc_util_set_cookie(request_rec *r, const char *cookieName, +- const char *cookieValue, apr_time_t expires) { ++ const char *cookieValue, apr_time_t expires, const char *ext) { + + oidc_cfg *c = ap_get_module_config(r->server->module_config, + &auth_openidc_module); +@@ -736,6 +736,8 @@ void oidc_util_set_cookie(request_rec *r, const char *cookieName, + if (appendString != NULL) + headerString = apr_psprintf(r->pool, "%s; %s", headerString, + appendString); ++ else if (ext != NULL) ++ headerString = apr_psprintf(r->pool, "%s; %s", headerString, ext); + + /* sanity check on overall cookie value size */ + if (strlen(headerString) > 4093) { +-- +2.26.2 + 
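Review bot: The new `ext` argument is dropped whenever the OIDC_SET_COOKIE_APPEND environment variable is present, because oidc_util_set_cookie only reaches `else if (ext != NULL)` when appendString is NULL, yet neither the prototype in mod_auth_openidc.h nor the function comment records this precedence, so a caller cannot tell that a SetEnvIf rule elsewhere in the configuration can silently override an attribute it passes. A comment on the prototype would make the contract explicit, e.g. `/* ext: extra Set-Cookie attribute text appended verbatim after "; "; ignored when the OIDC_SET_COOKIE_APPEND env var is set for the request, which takes precedence */`. It would also help to say that `ext` is not escaped, so callers must pass only literal attribute text. oidc_util_set_cookie and every touched caller start or end outside this hunk.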
diff --git a/SOURCES/0010-always-add-a-SameSite-Never-value-to-the-Set-Cookie-.patch b/SOURCES/0010-always-add-a-SameSite-Never-value-to-the-Set-Cookie-.patch
new file mode 100644
index 0000000..85271ce
--- /dev/null
+++ b/SOURCES/0010-always-add-a-SameSite-Never-value-to-the-Set-Cookie-.patch
@@ -0,0 +1,97 @@ +From 67ef1419a0a2ff2528eb789d610fe380b870767e Mon Sep 17 00:00:00 2001 +From: Hans Zandbelt +Date: Wed, 29 Jan 2020 13:27:44 +0100 +Subject: [PATCH 10/11] always add a SameSite=Never value to the Set-Cookie + header + +- to satisfy upcoming Chrome/Firefox changes + this can be overridden by using, e.g.: + SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=; + +Signed-off-by: Hans Zandbelt +(cherry picked from commit 3b4770f49cc67b9b0ae8732e9908895683ea556c) +--- + ChangeLog | 10 ++++++++++ + src/mod_auth_openidc.c | 6 +++--- + src/mod_auth_openidc.h | 2 ++ + src/session.c | 2 +- + 4 files changed, 16 insertions(+), 4 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index b3ed8f3..a7169e4 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,13 @@ ++01/29/2020 ++- always add a SameSite value to the Set-Cookie header to satisfy upcoming Chrome/Firefox changes ++ this can be overridden by using, e.g.: ++ SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=; ++- release 2.4.1rc6 ++ ++01/22/2020 ++- URL encode logout url in session management JS; thanks Paolo Battino ++- bump to 2.4.1rc5 ++ + 01/15/2020 + - add value of OIDC_SET_COOKIE_APPEND env var to Set-Cookie headers + useful for handling changing/upcoming SameSite behaviors across different browsers, e.g.: +diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c +index 6c86271..a4429a6 100644 +--- a/src/mod_auth_openidc.c ++++ b/src/mod_auth_openidc.c +@@ -576,7 +576,7 @@ static apr_byte_t oidc_authorization_request_set_cookie(request_rec *r, + const char *cookieName = oidc_get_state_cookie_name(r, state); + + /* set it as a cookie */ +- oidc_util_set_cookie(r, cookieName, cookieValue, -1, NULL); ++ oidc_util_set_cookie(r, cookieName, cookieValue, -1, OIDC_COOKIE_EXT_SAME_SITE_NONE); + + free(s_value); + +@@ -1644,7 +1644,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) { + oidc_debug(r, "redirecting to external discovery page: %s", url); + + /* set CSRF cookie */ +- 
oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, NULL); ++ oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, OIDC_COOKIE_EXT_SAME_SITE_NONE); + + /* do the actual redirect to an external discovery page */ + apr_table_add(r->headers_out, "Location", url); +@@ -1705,7 +1705,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) { + "%s

\n", s); + s = apr_psprintf(r->pool, "%s\n", s); + +- oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, NULL); ++ oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, OIDC_COOKIE_EXT_SAME_SITE_NONE); + + /* now send the HTML contents to the user agent */ + return oidc_util_html_send(r, "OpenID Connect Provider Discovery", +diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h +index d6c5050..cbace6a 100644 +--- a/src/mod_auth_openidc.h ++++ b/src/mod_auth_openidc.h +@@ -202,6 +202,8 @@ APLOG_USE_MODULE(auth_openidc); + #define OIDC_CACHE_SECTION_ACCESS_TOKEN "access_token" + #define OIDC_CACHE_SECTION_PROVIDER "provider" + ++#define OIDC_COOKIE_EXT_SAME_SITE_NONE "SameSite=None" ++ + typedef enum { + AUTHENTICATE, PASS, RETURN401 + } unauthenticated_action; +diff --git a/src/session.c b/src/session.c +index 28b43d0..a8c5652 100644 +--- a/src/session.c ++++ b/src/session.c +@@ -380,7 +380,7 @@ static apr_status_t oidc_session_save_cache(request_rec *r, session_rec *z) { + + /* set the uuid in the cookie */ + oidc_util_set_cookie(r, d->cookie, key, +- c->persistent_session_cookie ? z->expiry : -1, NULL); ++ c->persistent_session_cookie ? z->expiry : -1, OIDC_COOKIE_EXT_SAME_SITE_NONE); + + /* store the string-encoded session in the cache */ + c->cache->set(r, OIDC_CACHE_SECTION_SESSION, key, z->encoded, +-- +2.26.2 + diff --git a/SOURCES/0011-Backport-of-fix-also-add-SameSite-None-to-by-value-s.patch b/SOURCES/0011-Backport-of-fix-also-add-SameSite-None-to-by-value-s.patch new file mode 100644 index 0000000..b1df545 --- /dev/null +++ b/SOURCES/0011-Backport-of-fix-also-add-SameSite-None-to-by-value-s.patch 
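Review bot: `OIDC_COOKIE_EXT_SAME_SITE_NONE` is now appended to the state cookie, the CSRF cookie and the cached-session cookie unconditionally, while the `;Secure` attribute in oidc_util_set_cookie is still emitted only under a condition that lies outside this hunk; the browser changes this commit targets reject a `SameSite=None` cookie that is not also `Secure`, so on a plain-HTTP deployment the state cookie would be discarded and the authorization-code callback would fail rather than degrade. Marking the session cookie `SameSite=None` also opts out of the CSRF mitigation those browsers' new `Lax` default provides, which is a policy choice the ChangeLog entry should state rather than present purely as compatibility. As a minimum, oidc_util_set_cookie should warn when `ext` carries `SameSite=None` but Secure was not added, e.g. `if (ext != NULL && strstr(ext, "SameSite=None") != NULL && !secure)` followed by `oidc_warn(r, "SameSite=None without Secure will be rejected by browsers");`, where `secure` is the existing condition that selects `;Secure`. The functions changed here all start or end outside the hunk.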
@@ -0,0 +1,26 @@
+From b262f0f98915729ed3f9903652e849f6d3fb5afb Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Wed, 26 Aug 2020 12:42:21 +0200
+Subject: [PATCH 11/11] Backport of fix: also add SameSite=None to by-value
+ session cookies
+
+---
+ src/session.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/session.c b/src/session.c
+index a8c5652..7e7e2ac 100644
+--- a/src/session.c
++++ b/src/session.c
+@@ -430,7 +430,7 @@ static apr_status_t oidc_session_save_cookie(request_rec *r, session_rec *z) {
+ }
+ }
+ oidc_util_set_cookie(r, d->cookie, cookieValue,
+- c->persistent_session_cookie ? z->expiry : -1, NULL);
++ c->persistent_session_cookie ? z->expiry : -1, OIDC_COOKIE_EXT_SAME_SITE_NONE);
+
+ return APR_SUCCESS;
+ }
+--
+2.26.2
+
diff --git a/SOURCES/0012-Only-set-Same-Site-None-if-an-option-is-set.patch b/SOURCES/0012-Only-set-Same-Site-None-if-an-option-is-set.patch
new file mode 100644
index 0000000..3d6a584
--- /dev/null
+++ b/SOURCES/0012-Only-set-Same-Site-None-if-an-option-is-set.patch
@@ -0,0 +1,174 @@ +From db7d4ffb3bf3b0830da7f0662682cac8da437685 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Wed, 26 Aug 2020 14:52:17 +0200 +Subject: [PATCH] Only set Same-Site=None if an option is set + +--- + auth_openidc.conf | 5 +++++ + src/config.c | 11 +++++++++++ + src/mod_auth_openidc.c | 6 +++--- + src/mod_auth_openidc.h | 2 ++ + src/session.c | 6 ++++-- + src/util.c | 12 ++++++++++++ + 6 files changed, 37 insertions(+), 5 deletions(-) + +diff --git a/auth_openidc.conf b/auth_openidc.conf +index 056b2e4..87ae552 100644 +--- a/auth_openidc.conf ++++ b/auth_openidc.conf +@@ -514,6 +514,11 @@ + # When not defined the default is "mod_auth_openidc_session". + #OIDCCookie + ++# Defines whether the SameSite flag will be set to None on the session cookie. ++# When On, the session cookie will have SameSite=None set. ++# When not defined the default is Off. ++#OIDCCookieSameSiteNone [On|Off] ++ + # (Optional) + # Defines whether the HttpOnly flag will be set on cookies. + # When not defined the default is On. 
+diff --git a/src/config.c b/src/config.c +index 999d4ee..2cdc5ed 100644 +--- a/src/config.c ++++ b/src/config.c +@@ -85,6 +85,8 @@ + #define OIDC_DEFAULT_OAUTH_CLAIM_REMOTE_USER "sub" + /* default name of the session cookie */ + #define OIDC_DEFAULT_COOKIE "mod_auth_openidc_session" ++/* set Same-Site=None flag on session cookie */ ++#define OIDC_DEFAULT_COOKIE_SAME_SITE_NONE 0 + /* default for the HTTP header name in which the remote user name is passed */ + #define OIDC_DEFAULT_AUTHN_HEADER NULL + /* scrub HTTP headers by default unless overridden (and insecure) */ +@@ -1050,6 +1052,7 @@ void *oidc_create_server_config(apr_pool_t *pool, server_rec *svr) { + c->remote_user_claim.reg_exp = NULL; + c->pass_idtoken_as = OIDC_PASS_IDTOKEN_AS_CLAIMS; + c->cookie_http_only = OIDC_DEFAULT_COOKIE_HTTPONLY; ++ c->cookie_same_site_none = OIDC_DEFAULT_COOKIE_SAME_SITE_NONE; + + c->outgoing_proxy = NULL; + c->crypto_passphrase = NULL; +@@ -1373,6 +1376,9 @@ void *oidc_merge_server_config(apr_pool_t *pool, void *BASE, void *ADD) { + c->cookie_http_only = + add->cookie_http_only != OIDC_DEFAULT_COOKIE_HTTPONLY ? + add->cookie_http_only : base->cookie_http_only; ++ c->cookie_same_site_none = ++ add->cookie_same_site_none != OIDC_DEFAULT_COOKIE_SAME_SITE_NONE ? ++ add->cookie_same_site_none : base->cookie_same_site_none; + + c->outgoing_proxy = + add->outgoing_proxy != NULL ? 
+@@ -2029,6 +2035,11 @@ const command_rec oidc_config_cmds[] = { + (void *) APR_OFFSETOF(oidc_cfg, cookie_http_only), + RSRC_CONF, + "Defines whether or not the cookie httponly flag is set on cookies."), ++ AP_INIT_FLAG("OIDCCookieSameSiteNone", ++ oidc_set_flag_slot, ++ (void *) APR_OFFSETOF(oidc_cfg, cookie_same_site_none), ++ RSRC_CONF, ++ "Defines whether or not the cookie Same-Site flag is set to None on session cookies."), + AP_INIT_TAKE1("OIDCOutgoingProxy", + oidc_set_string_slot, + (void*)APR_OFFSETOF(oidc_cfg, outgoing_proxy), +diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c +index a4429a6..efae0f3 100644 +--- a/src/mod_auth_openidc.c ++++ b/src/mod_auth_openidc.c +@@ -576,7 +576,7 @@ static apr_byte_t oidc_authorization_request_set_cookie(request_rec *r, + const char *cookieName = oidc_get_state_cookie_name(r, state); + + /* set it as a cookie */ +- oidc_util_set_cookie(r, cookieName, cookieValue, -1, OIDC_COOKIE_EXT_SAME_SITE_NONE); ++ oidc_util_set_cookie(r, cookieName, cookieValue, -1, oidc_util_cookie_ext_value(c)); + + free(s_value); + +@@ -1644,7 +1644,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) { + oidc_debug(r, "redirecting to external discovery page: %s", url); + + /* set CSRF cookie */ +- oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, OIDC_COOKIE_EXT_SAME_SITE_NONE); ++ oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, oidc_util_cookie_ext_value(cfg)); + + /* do the actual redirect to an external discovery page */ + apr_table_add(r->headers_out, "Location", url); +@@ -1705,7 +1705,7 @@ static int oidc_discovery(request_rec *r, oidc_cfg *cfg) { + "%s

\n", s); + s = apr_psprintf(r->pool, "%s\n", s); + +- oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, OIDC_COOKIE_EXT_SAME_SITE_NONE); ++ oidc_util_set_cookie(r, OIDC_CSRF_NAME, csrf, -1, oidc_util_cookie_ext_value(cfg)); + + /* now send the HTML contents to the user agent */ + return oidc_util_html_send(r, "OpenID Connect Provider Discovery", +diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h +index cbace6a..546185c 100644 +--- a/src/mod_auth_openidc.h ++++ b/src/mod_auth_openidc.h +@@ -342,6 +342,7 @@ typedef struct oidc_cfg { + oidc_remote_user_claim_t remote_user_claim; + int pass_idtoken_as; + int cookie_http_only; ++ int cookie_same_site_none; + + char *outgoing_proxy; + +@@ -437,6 +438,7 @@ char *oidc_normalize_header_name(const request_rec *r, const char *str); + + void oidc_util_set_cookie(request_rec *r, const char *cookieName, const char *cookieValue, apr_time_t expires, const char *ext); + char *oidc_util_get_cookie(request_rec *r, const char *cookieName); ++const char *oidc_util_cookie_ext_value(oidc_cfg *c); + apr_byte_t oidc_util_http_get(request_rec *r, const char *url, const apr_table_t *params, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies); + apr_byte_t oidc_util_http_post_form(request_rec *r, const char *url, const apr_table_t *params, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies); + apr_byte_t oidc_util_http_post_json(request_rec *r, const char *url, const json_t *data, const char *basic_auth, const char *bearer_token, int ssl_validate_server, const char **response, int timeout, const char *outgoing_proxy, apr_array_header_t *pass_cookies); +diff --git a/src/session.c b/src/session.c +index 7e7e2ac..f749f40 100644 +--- a/src/session.c ++++ b/src/session.c +@@ -380,7 +380,8 @@ static 
apr_status_t oidc_session_save_cache(request_rec *r, session_rec *z) { + + /* set the uuid in the cookie */ + oidc_util_set_cookie(r, d->cookie, key, +- c->persistent_session_cookie ? z->expiry : -1, OIDC_COOKIE_EXT_SAME_SITE_NONE); ++ c->persistent_session_cookie ? z->expiry : -1, ++ oidc_util_cookie_ext_value(c)); + + /* store the string-encoded session in the cache */ + c->cache->set(r, OIDC_CACHE_SECTION_SESSION, key, z->encoded, +@@ -430,7 +431,8 @@ static apr_status_t oidc_session_save_cookie(request_rec *r, session_rec *z) { + } + } + oidc_util_set_cookie(r, d->cookie, cookieValue, +- c->persistent_session_cookie ? z->expiry : -1, OIDC_COOKIE_EXT_SAME_SITE_NONE); ++ c->persistent_session_cookie ? z->expiry : -1, ++ oidc_util_cookie_ext_value(c)); + + return APR_SUCCESS; + } +diff --git a/src/util.c b/src/util.c +index 6db64ac..963586a 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -697,6 +697,18 @@ const char *oidc_util_set_cookie_append_value(request_rec *r, oidc_cfg *c) { + return env_var_value; + } + ++const char *oidc_util_cookie_ext_value(oidc_cfg *c) { ++ if (c == NULL) { ++ return NULL; ++ } ++ ++ if (c->cookie_same_site_none == 0) { ++ return NULL; ++ } ++ ++ return OIDC_COOKIE_EXT_SAME_SITE_NONE; ++} ++ + /* + * set a cookie in the HTTP response headers + */ +-- +2.26.2 + diff --git a/SPECS/mod_auth_openidc.spec b/SPECS/mod_auth_openidc.spec index 6e1f543..8bddcd1 100644 --- a/SPECS/mod_auth_openidc.spec +++ b/SPECS/mod_auth_openidc.spec @@ -15,7 +15,7 @@ Name: mod_auth_openidc Version: 1.8.8 -Release: 7%{?dist} +Release: 9%{?dist} Summary: OpenID Connect auth module for Apache HTTP Server Group: System Environment/Daemons 
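Review bot: The auth_openidc.conf text for OIDCCookieSameSiteNone describes only "the session cookie", but the same patch routes oidc_util_cookie_ext_value() into the state cookie set by oidc_authorization_request_set_cookie and the OIDC_CSRF_NAME cookie set by oidc_discovery, so an operator reading the directive would not expect those cookies to change too. The comment also omits that browsers only honour `SameSite=None` together with the Secure attribute, and that a per-request OIDC_SET_COOKIE_APPEND environment variable, which oidc_util_set_cookie consults before `ext`, overrides the directive. Suggested wording: `# Defines whether SameSite=None is appended to the session, state and CSRF cookies set by this module.` / `# Browsers only accept SameSite=None together with the Secure attribute, so this is only useful over HTTPS.` / `# A value in the OIDC_SET_COOKIE_APPEND environment variable takes precedence. When not defined the default is Off.` The affected functions are only partially visible in this hunk.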
@@ -32,6 +32,14 @@ Patch5: 0005-Backport-of-Fix-open-redirect-starting-with-a-slash.patch
 Patch6: 0006-Backport-of-Fix-open-redirect-starting-with-a-slash-.patch
 Patch7: 0007-Fix-the-previous-backports.patch
 
+# BZ1823762 - Backport SameSite=None cookie from mod_auth_openidc upstream
+# to support latest browsers [rhel-7.9.z]
+Patch8: 0008-add-value-of-OIDC_SET_COOKIE_APPEND-env-var-to-Set-C.patch
+Patch9: 0009-Backport-setting-an-extra-cookie-parameter.patch
+Patch10: 0010-always-add-a-SameSite-Never-value-to-the-Set-Cookie-.patch
+Patch11: 0011-Backport-of-fix-also-add-SameSite-None-to-by-value-s.patch
+Patch12: 0012-Only-set-Same-Site-None-if-an-option-is-set.patch
+
 BuildRequires: httpd-devel
 BuildRequires: openssl-devel
 BuildRequires: curl-devel
@@ -56,6 +64,11 @@ an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
 %patch5 -p1 -b logout_slash
 %patch6 -p1 -b logout_backslash
 %patch7 -p1 -b logout_regression
+%patch8 -p1 -b cookie_env_append
+%patch9 -p1 -b cookie_ext_value
+%patch10 -p1 -b same_site_none
+%patch11 -p1 -b same_site_none_fix
+%patch12 -p1 -b same_site_none_opt
 
 %build
 # workaround rpm-buildroot-usage
@@ -107,6 +120,17 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
 %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache
 
 %changelog
+* Thu Oct 8 2020 Jakub Hrozek - 1.8.8-9
+- Rebuild to pick up the proper build tag
+- Related: rhbz#1823762 - Backport SameSite=None cookie from
+ mod_auth_openidc upstream to support
+ latest browsers [rhel-7.9.z]
+
+* Wed Aug 26 2020 Jakub Hrozek - 1.8.8-8
+- Resolves: rhbz#1823762 - Backport SameSite=None cookie from
+ mod_auth_openidc upstream to support
+ latest browsers [rhel-7.9.z]
+
 * Mon Mar 16 2020 Jakub Hrozek - 1.8.8-7
 - Fix a regression in the previous patches
 - Related: rhbz#1805748 - CVE-2019-20479 mod_auth_openidc: open redirect