authorolavmrk <olavmrk@a716ebb1-153a-0410-b759-cfb97c6a1b53>2013-03-06 12:54:14 +0000
committerolavmrk <olavmrk@a716ebb1-153a-0410-b759-cfb97c6a1b53>2013-03-06 12:54:14 +0000
commit07f7c37ccabff79ab7e3ae3021baf7f301ee232a (patch)
tree009a5c3abeec97f91edb3792a0d390da072f69e3
parentf01342d019c84b093e953b3aeddfdc6c78dc95a9 (diff)
Use discovery service with "login" endpoint.
Accessing the "login"-endpoint with multiple IdPs configured would bypass the discovery service. This patch changes the behaviour so that we send a discovery service request instead. This breaks backwards compatibility slightly, but hopefully it should not be a problem. This fixes issue 13: https://code.google.com/p/modmellon/issues/detail?id=13 git-svn-id: https://modmellon.googlecode.com/svn/trunk@186 a716ebb1-153a-0410-b759-cfb97c6a1b53
-rw-r--r--auth_mellon_handler.c20
1 files changed, 16 insertions, 4 deletions
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index dfaa3b2..525f712 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -2762,6 +2762,7 @@ static int am_handle_auth(request_rec *r)
*/
static int am_handle_login(request_rec *r)
{
+ am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
char *idp_param;
const char *idp;
char *return_to;
@@ -2791,10 +2792,6 @@ static int am_handle_login(request_rec *r)
"Error urldecoding IdP parameter.");
return ret;
}
- idp = idp_param;
- } else {
- /* Use the default IdP. */
- idp = am_get_idp(r);
}
is_passive_str = am_extract_query_parameter(r->pool, r->args, "IsPassive");
@@ -2818,6 +2815,21 @@ static int am_handle_login(request_rec *r)
is_passive = FALSE;
}
+ if(idp_param != NULL) {
+ idp = idp_param;
+ } else if(cfg->discovery_url) {
+ if(is_passive) {
+ /* We cannot currently do discovery with passive authentication requests. */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Discovery service with passive authentication request unsupported.");
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ return am_start_disco(r, return_to);
+ } else {
+ /* No discovery service -- just use the default IdP. */
+ idp = am_get_idp(r);
+ }
+
return am_send_authn_request(r, idp, return_to, is_passive);
}
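Review bot: The new passive-plus-discovery branch returns `HTTP_INTERNAL_SERVER_ERROR` and logs at `APLOG_ERR`, yet the condition is chosen by the client's `IsPassive` query parameter. Whenever `cfg->discovery_url` is set, anyone who can reach the login endpoint (presumably before authentication) can therefore produce 500 responses and error-log entries at will. Consider `return HTTP_BAD_REQUEST;` with a lower level such as `APLOG_WARNING`, so monitoring does not read a request-shape problem as a server fault. Separately, `return_to` now also flows into `am_start_disco(r, return_to)`, and `idp_param` still selects the IdP directly from the query string. Their extraction and any validation lie outside this hunk (the function body starts before it), so it is worth confirming that both are restricted to configured or expected values before they are used.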