Closed A-Joshi closed 8 years ago
good catch; please confirm that the latest commit works for you
Hello,
Thank you for the fast turnaround.
Will try it out - have to build it - probably be a day or two - unfortunately I don't have a Centos7 build environment handy!
Regards,
Amit Joshi
On 02/26/2016 01:01 PM, Hans Zandbelt wrote:
good catch; please confirm that the latest commit works for you
Hello,
Thank you - will try it out and let you know.
Regards,
Amit Joshi
On 02/26/2016 02:22 PM, Hans Zandbelt wrote:
I built one here: https://mod-auth-openidc.org/downloads/mod_auth_openidc-1.8.8rc5-1.el7.centos.x86_64.rpm
any update on this one?
Hello,
I have been out sick for the past week; will check as soon as I can.
Regards,
Amit Joshi
On 03/06/2016 02:43 PM, Hans Zandbelt wrote:
any update on this one?
Hello,
Sorry about the delay in getting back - was out sick for too long.
Happy to report that the fix works.
Regards,
Amit Joshi
On 03/10/2016 03:23 PM, Hans Zandbelt wrote:
Closed #120 https://github.com/pingidentity/mod_auth_openidc/issues/120.
thanks!
Hey Hans, I still see this error in version 1.8.8 with Apache 2.2. The module is only looking for the claims from the userinfo endpoint and nothing from the token. I will attempt to test Apache 2.4.
Edit: Confirmed issue with 1.8.8 and Apache 2.2
There are two code paths in the code for checking the configured "Require claim xxx:yyy" against the claims sent in. It appears in the pre 2.4 path the claims from the id_token and claims are merged into a single list before checking while in the 2. and later path if claims are present then only those are checked and nothing from the id token. This can be seen by adding something like:
Require claim iss:https://ping.domain.com
This will work on a pre-2.4 Apache but not on a later one. I suspect the merge code called around lines 2480 in mod_auth_openidc.c is not present in the similar function just above for the 2. and later path. The lines seem to have been added around 5/31/2015.
Not sure if the fix is to have the same couple of lines added to the earlier function.
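The difference between the two authorization paths described in the comment above, as an added example that is not part of the thread and is not mod_auth_openidc's own code. It is a simplified model: the types, function names and sample claims are hypothetical and constructed, and the merge is modelled as consulting both claim sets.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a claim set; not mod_auth_openidc's own data structures. */
typedef struct { const char *key, *value; } claim_t;
typedef struct { const claim_t *items; size_t n; } claims_t;

/* Constructed sample claims: "iss" appears only in the id_token. */
static const claim_t ID_ITEMS[] = { {"iss", "https://ping.domain.com"}, {"sub", "user1"} };
static const claim_t UI_ITEMS[] = { {"sub", "user1"}, {"email", "user1@example.com"} };
static const claims_t ID_TOKEN = { ID_ITEMS, 2 };
static const claims_t USERINFO = { UI_ITEMS, 2 };
static const claims_t NO_USERINFO = { NULL, 0 };

/* 1 if the set holds a claim matching "Require claim key:value". */
static int set_matches(const claims_t *set, const char *key, const char *value) {
    for (size_t i = 0; i < set->n; i++)
        if (!strcmp(set->items[i].key, key) && !strcmp(set->items[i].value, value))
            return 1;
    return 0;
}

/* Pre-2.4 behaviour as described: id_token and userinfo claims are both consulted. */
int authz_merged(const claims_t *idt, const claims_t *ui, const char *k, const char *v) {
    return set_matches(idt, k, v) || set_matches(ui, k, v);
}

/* Later path as described: if userinfo claims are present, only they are checked. */
int authz_userinfo_only(const claims_t *idt, const claims_t *ui, const char *k, const char *v) {
    return ui->n > 0 ? set_matches(ui, k, v) : set_matches(idt, k, v);
}

int main(void) {
    const char *iss = "https://ping.domain.com";
    printf("merged path,        iss: %d\n", authz_merged(&ID_TOKEN, &USERINFO, "iss", iss));
    printf("userinfo-only path, iss: %d\n", authz_userinfo_only(&ID_TOKEN, &USERINFO, "iss", iss));
    printf("userinfo-only, no userinfo claims: %d\n",
           authz_userinfo_only(&ID_TOKEN, &NO_USERINFO, "iss", iss));
    return 0;
}
```

In this model a rule on an id_token-only claim such as iss is satisfied on the merged path, and on the other path only when the userinfo endpoint returned no claims, which matches the behaviour reported with "Require claim iss:https://ping.domain.com".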