do not send state timeout HTML document when OIDCDefaultURL is set

- this can be overridden by using e.g.: SetEnvIfExpr true OIDC_NO_DEFAULT_URL_ON_STATE_TIMEOUT=true - release 2.4.8.4 Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
OpenIDC · Jun 2, 2021 · 3f7f3fe · 3f7f3fe
1 parent 2def2c4
commit 3f7f3fe
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 18 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,8 @@
+06/02/2021
+- do not send state timeout HTML document when OIDCDefaultURL is set; this can be overridden by using e.g.:
+  SetEnvIfExpr true OIDC_NO_DEFAULT_URL_ON_STATE_TIMEOUT=true 
+- release 2.4.8.4
+
 06/01/2021
 - avoid Apache 2.4 appending 400/302(200/404) HTML document text to state timeout HTML info page
   see also f5959d767b0eec4856d561cbaa6d2262a52da551 and #484; at least Debian Buster was affected

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.8.3],[hans.zandbelt@zmartzone.eu])
+AC_INIT([mod_auth_openidc],[2.4.8.4],[hans.zandbelt@zmartzone.eu])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -688,24 +688,17 @@ static apr_byte_t oidc_restore_proto_state(request_rec *r, oidc_cfg *c,
 	/* check that the timestamp is not beyond the valid interval */
 	if (apr_time_now() > ts + apr_time_from_sec(c->state_timeout)) {
 		oidc_error(r, "state has expired");
-		/*
-		 * note that this overrides redirection to the OIDCDefaultURL as done later...
-		 * see: https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/mod_auth_openidc/L4JFBw-XCNU/BWi2Fmk2AwAJ
-		 */
-		oidc_util_html_send_error(r, c->error_template,
-				"Invalid Authentication Response",
-				apr_psprintf(r->pool,
-						"This is due to a timeout; please restart your authentication session by re-entering the URL/bookmark you originally wanted to access: %s",
-						oidc_proto_state_get_original_url(*proto_state)),
-						OK);
+		if ((c->default_sso_url == NULL)
+				|| (apr_table_get(r->subprocess_env, "OIDC_NO_DEFAULT_URL_ON_STATE_TIMEOUT") != NULL)) {
+			oidc_util_html_send_error(r, c->error_template, "Invalid Authentication Response", apr_psprintf(r->pool, "This is due to a timeout; please restart your authentication session by re-entering the URL/bookmark you originally wanted to access: %s", oidc_proto_state_get_original_url(*proto_state)),
+									  OK);
+			/*
+			 * a hack for Apache 2.4 to prevent it from writing its own 500/400/302 HTML document
+			 * text by making ap_send_error_response in http_protocol.c return early...
+			 */
+			r->header_only = 1;
+		}
 		oidc_proto_state_destroy(*proto_state);
-
-		/*
-		 * a hack for Apache 2.4 to prevent it from writing its own 500/400/302 HTML document
-		 * text by making ap_send_error_response in http_protocol.c return early...
-		 */
-		r->header_only = 1;
-
 		return FALSE;
 	}
 
@@ -1919,6 +1912,7 @@ static int oidc_handle_authorization_response(request_rec *r, oidc_cfg *c,
 					"invalid authorization response state; a default SSO URL is set, sending the user there: %s",
 					c->default_sso_url);
 			oidc_util_hdr_out_location_set(r, c->default_sso_url);
+			//oidc_util_hdr_err_out_add(r, "Location", c->default_sso_url));
 			return HTTP_MOVED_TEMPORARILY;
 		}
 		oidc_error(r,