summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorolavmrk <olavmrk@a716ebb1-153a-0410-b759-cfb97c6a1b53>2013-03-06 12:54:14 +0000
committerolavmrk <olavmrk@a716ebb1-153a-0410-b759-cfb97c6a1b53>2013-03-06 12:54:14 +0000
commit07f7c37ccabff79ab7e3ae3021baf7f301ee232a (patch)
tree009a5c3abeec97f91edb3792a0d390da072f69e3
parentf01342d019c84b093e953b3aeddfdc6c78dc95a9 (diff)
downloadmod_auth_mellon-07f7c37ccabff79ab7e3ae3021baf7f301ee232a.zip
mod_auth_mellon-07f7c37ccabff79ab7e3ae3021baf7f301ee232a.tar.gz
mod_auth_mellon-07f7c37ccabff79ab7e3ae3021baf7f301ee232a.tar.xz
Use discovery service with "login" endpoint.
Accessing the "login"-endpoint with multiple IdPs configured would bypass the discovery service. This patch changes the behaviour so that we send a discovery service request instead. This breaks backwardscompatibility slightly, but hopefully it should not be a problem. This fixes issue 13: https://code.google.com/p/modmellon/issues/detail?id=13 git-svn-id: https://modmellon.googlecode.com/svn/trunk@186 a716ebb1-153a-0410-b759-cfb97c6a1b53
-rw-r--r--auth_mellon_handler.c20
1 files changed, 16 insertions, 4 deletions
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index dfaa3b2..525f712 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -2762,6 +2762,7 @@ static int am_handle_auth(request_rec *r)
*/
static int am_handle_login(request_rec *r)
{
+ am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
char *idp_param;
const char *idp;
char *return_to;
@@ -2791,10 +2792,6 @@ static int am_handle_login(request_rec *r)
"Error urldecoding IdP parameter.");
return ret;
}
- idp = idp_param;
- } else {
- /* Use the default IdP. */
- idp = am_get_idp(r);
}
is_passive_str = am_extract_query_parameter(r->pool, r->args, "IsPassive");
@@ -2818,6 +2815,21 @@ static int am_handle_login(request_rec *r)
is_passive = FALSE;
}
+ if(idp_param != NULL) {
+ idp = idp_param;
+ } else if(cfg->discovery_url) {
+ if(is_passive) {
+ /* We cannot currently do discovery with passive authentication requests. */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Discovery service with passive authentication request unsupported.");
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ return am_start_disco(r, return_to);
+ } else {
+ /* No discovery service -- just use the default IdP. */
+ idp = am_get_idp(r);
+ }
+
return am_send_authn_request(r, idp, return_to, is_passive);
}