allow adding parameters to a Logout Request with OIDCLogoutRequestParams

see: #1096
bump to 2.4.14.3rc7

Signed-off-by: Hans Zandbelt <[email protected]>

ChangeLog

@@ -1,3 +1,8 @@
+08/25/2023
+- add support for adding extra parameters to the Logout Request to the OP with OIDCLogoutRequestParams
+  see: https://github.com/OpenIDC/mod_auth_openidc/discussions/1096
+- bump to 2.4.14.3rc7
+
 08/13/2023
 - increase performance of JQ filtering by caching JQ filtering results
   default cache ttl is 10 min, configured through environment variable OIDC_JQ_FILTER_CACHE_TTL

auth_openidc.conf

@@ -120,6 +120,13 @@
 # Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
 #OIDCProviderEndSessionEndpoint <url>
 
+# Extra parameters that will be sent along with the Logout Request.
+# These must be URL-query-encoded as in: "client_id=myclient&prompt=none".
+# This is used against a statically configured (single) OP or serves as the default for discovered OPs.
+# The default is to not add extra parameters.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: logout_request_params
+#OIDCLogoutRequestParams <query-encoded-string>
+
 # The RFC 7009 Token Revocation Endpoint URL.
 # When defined, the refresh token and access token stored in an OIDC session will be revoked on logout.
 # Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.14.3rc6],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.14.3rc7],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

src/config.c

@@ -204,6 +204,7 @@
 #define OIDCIDTokenIatSlack                    "OIDCIDTokenIatSlack"
 #define OIDCSessionMaxDuration                 "OIDCSessionMaxDuration"
 #define OIDCAuthRequestParams                  "OIDCAuthRequestParams"
+#define OIDCLogoutRequestParams                "OIDCLogoutRequestParams"
 #define OIDCPathAuthRequestParams              "OIDCPathAuthRequestParams"
 #define OIDCPKCEMethod                         "OIDCPKCEMethod"
 #define OIDCClientID                           "OIDCClientID"
@@ -1485,6 +1486,7 @@ static void oidc_cfg_provider_init(oidc_provider_t *provider) {
 	provider->idtoken_iat_slack = OIDC_DEFAULT_IDTOKEN_IAT_SLACK;
 	provider->session_max_duration = OIDC_DEFAULT_SESSION_MAX_DURATION;
 	provider->auth_request_params = NULL;
+	provider->logout_request_params = NULL;
 	provider->pkce = NULL;
 
 	provider->client_jwks_uri = NULL;
@@ -1619,6 +1621,9 @@ static void oidc_merge_provider_config(apr_pool_t *pool, oidc_provider_t *dst,
 	dst->auth_request_params =
 			add->auth_request_params != NULL ?
 					add->auth_request_params : base->auth_request_params;
+	dst->logout_request_params =
+			add->logout_request_params != NULL ?
+					add->logout_request_params : base->logout_request_params;
 	dst->pkce = add->pkce != NULL ? add->pkce : base->pkce;
 
 	dst->client_jwks_uri =
@@ -3271,6 +3276,11 @@ const command_rec oidc_config_cmds[] = {
 				(void*)APR_OFFSETOF(oidc_cfg, provider.auth_request_params),
 				RSRC_CONF,
 				"Extra parameters that need to be sent in the Authorization Request (must be query-encoded like \"display=popup&prompt=consent\"."),
+		AP_INIT_TAKE1(OIDCLogoutRequestParams,
+				oidc_set_string_slot,
+				(void*)APR_OFFSETOF(oidc_cfg, provider.logout_request_params),
+				RSRC_CONF,
+				"Extra parameters that need to be sent in the Logout Request (must be query-encoded like \"client_id=myclient&prompt=none\"."),
 		AP_INIT_TAKE1(OIDCPathAuthRequestParams,
 				oidc_set_path_auth_request_params,
 				(void*)APR_OFFSETOF(oidc_dir_cfg, path_auth_request_expr),

src/metadata.c

@@ -100,6 +100,7 @@ extern module AP_MODULE_DECLARE_DATA auth_openidc_module;
 #define OIDC_METADATA_IDTOKEN_IAT_SLACK                            "idtoken_iat_slack"
 #define OIDC_METADATA_SESSION_MAX_DURATION                         "session_max_duration"
 #define OIDC_METADATA_AUTH_REQUEST_PARAMS                          "auth_request_params"
+#define OIDC_METADATA_LOGOUT_REQUEST_PARAMS                        "logout_request_params"
 #define OIDC_METADATA_TOKEN_ENDPOINT_PARAMS                        "token_endpoint_params"
 #define OIDC_METADATA_RESPONSE_MODE                                "response_mode"
 #define OIDC_METADATA_PKCE_METHOD                                  "pkce_method"
@@ -1330,6 +1331,10 @@ apr_byte_t oidc_metadata_conf_parse(request_rec *r, oidc_cfg *cfg,
 	oidc_json_object_get_string(r->pool, j_conf,
 			OIDC_METADATA_AUTH_REQUEST_PARAMS, &provider->auth_request_params,
 			cfg->provider.auth_request_params);
+	/* see if we've got custom logout request parameter values */
+	oidc_json_object_get_string(r->pool, j_conf,
+			OIDC_METADATA_LOGOUT_REQUEST_PARAMS, &provider->logout_request_params,
+			cfg->provider.logout_request_params);
 
 	/* see if we've got custom token endpoint parameter values */
 	oidc_json_object_get_string(r->pool, j_conf,

src/mod_auth_openidc.c

@@ -3416,7 +3416,7 @@ static int oidc_handle_logout_backchannel(request_rec *r, oidc_cfg *cfg) {
 /*
  * perform (single) logout
  */
-static int oidc_handle_logout(request_rec *r, oidc_cfg *c,
+int oidc_handle_logout(request_rec *r, oidc_cfg *c,
 		oidc_session_t *session) {
 
 	oidc_provider_t *provider = NULL;
@@ -3485,6 +3485,15 @@ static int oidc_handle_logout(request_rec *r, oidc_cfg *c,
 									OIDC_STR_QUERY,
 									oidc_util_escape_string(r, url));
 		}
+
+		if (provider->logout_request_params != NULL) {
+			s_logout_request = apr_psprintf(r->pool, "%s%s%s", s_logout_request,
+					strchr(s_logout_request ? s_logout_request : "",
+							OIDC_CHAR_QUERY) != NULL ?
+									OIDC_STR_AMP :
+									OIDC_STR_QUERY,
+									provider->logout_request_params);
+		}
 		//char *state = NULL;
 		//oidc_proto_generate_nonce(r, &state, 8);
 		//url = apr_psprintf(r->pool, "%s&state=%s", logout_request, state);

src/mod_auth_openidc.h

@@ -331,6 +331,7 @@ typedef struct oidc_provider_t {
 	char *response_mode;
 	int idtoken_iat_slack;
 	char *auth_request_params;
+	char *logout_request_params;
 	int session_max_duration;
 	oidc_proto_pkce_t *pkce;
 	int userinfo_refresh_interval;
@@ -968,6 +969,8 @@ apr_byte_t oidc_session_extract(request_rec *r, oidc_session_t *z);
 apr_byte_t oidc_session_load_cache_by_uuid(request_rec *r, oidc_cfg *c, const char *uuid, oidc_session_t *z);
 void oidc_session_id_new(request_rec *r, oidc_session_t *z);
 
+int oidc_handle_logout(request_rec *r, oidc_cfg *c, oidc_session_t *session);
+
 void oidc_session_set_userinfo_jwt(request_rec *r, oidc_session_t *z, const char *userinfo_jwt);
 const char * oidc_session_get_userinfo_jwt(request_rec *r, oidc_session_t *z);
 void oidc_session_set_userinfo_claims(request_rec *r, oidc_session_t *z, const char *claims);

test/test.c

@@ -1189,6 +1189,29 @@ static char * test_proto_authorization_request(request_rec *r) {
 	return 0;
 }
 
+static char* test_logout_request(request_rec *r) {
+
+	oidc_cfg *c = ap_get_module_config(r->server->module_config,
+			&auth_openidc_module);
+	oidc_session_t *session = NULL;
+
+	oidc_session_load(r, &session);
+	oidc_session_set_issuer(r, session, c->provider.issuer);
+
+	c->provider.end_session_endpoint = "https://idp.example.com/endsession";
+	c->provider.logout_request_params = "client_id=myclient&foo=bar";
+
+	r->args = "logout=https%3A%2F%2Fwww.example.com%2Floggedout";
+
+	TST_ASSERT("oidc_handle_logout (1)",
+			oidc_handle_logout(r, c, session) == HTTP_MOVED_TEMPORARILY);
+	TST_ASSERT_STR("oidc_handle_logout (2)",
+			apr_table_get(r->headers_out, "Location"),
+			"https://idp.example.com/endsession?post_logout_redirect_uri=https%3A%2F%2Fwww.example.com%2Floggedout&client_id=myclient&foo=bar");
+
+	return 0;
+}
+
 static char * test_proto_validate_nonce(request_rec *r) {
 
 	oidc_cfg *c = ap_get_module_config(r->server->module_config,
@@ -1874,6 +1897,8 @@ static char * all_tests(apr_pool_t *pool, request_rec *r) {
 	TST_RUN(test_authz_worker, r);
 #endif
 
+	TST_RUN(test_logout_request, r);
+
 	return 0;
 }
 
@@ -1886,6 +1911,7 @@ static request_rec * test_setup(apr_pool_t *pool) {
 			sizeof(request_rec));
 
 	request->pool = pool;
+	request->subprocess_env = apr_table_make(request->pool, 0);
 
 	request->headers_in = apr_table_make(request->pool, 0);
 	request->headers_out = apr_table_make(request->pool, 0);