From 07f7c37ccabff79ab7e3ae3021baf7f301ee232a Mon Sep 17 00:00:00 2001 From: olavmrk Date: Wed, 6 Mar 2013 12:54:14 +0000 Subject: Use discovery service with "login" endpoint. Accessing the "login"-endpoint with multiple IdPs configured would bypass the discovery service. This patch changes the behaviour so that we send a discovery service request instead. This breaks backwardscompatibility slightly, but hopefully it should not be a problem. This fixes issue 13: https://code.google.com/p/modmellon/issues/detail?id=13 git-svn-id: https://modmellon.googlecode.com/svn/trunk@186 a716ebb1-153a-0410-b759-cfb97c6a1b53 --- auth_mellon_handler.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c index dfaa3b2..525f712 100644 --- a/auth_mellon_handler.c +++ b/auth_mellon_handler.c @@ -2762,6 +2762,7 @@ static int am_handle_auth(request_rec *r) */ static int am_handle_login(request_rec *r) { + am_dir_cfg_rec *cfg = am_get_dir_cfg(r); char *idp_param; const char *idp; char *return_to; @@ -2791,10 +2792,6 @@ static int am_handle_login(request_rec *r) "Error urldecoding IdP parameter."); return ret; } - idp = idp_param; - } else { - /* Use the default IdP. */ - idp = am_get_idp(r); } is_passive_str = am_extract_query_parameter(r->pool, r->args, "IsPassive"); @@ -2818,6 +2815,21 @@ static int am_handle_login(request_rec *r) is_passive = FALSE; } + if(idp_param != NULL) { + idp = idp_param; + } else if(cfg->discovery_url) { + if(is_passive) { + /* We cannot currently do discovery with passive authentication requests. */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Discovery service with passive authentication request unsupported."); + return HTTP_INTERNAL_SERVER_ERROR; + } + return am_start_disco(r, return_to); + } else { + /* No discovery service -- just use the default IdP. */ + idp = am_get_idp(r); + } + return am_send_authn_request(r, idp, return_to, is_passive); } -- cgit
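Review bot: In the third hunk, the new branch that rejects discovery combined with passive authentication returns `HTTP_INTERNAL_SERVER_ERROR` and logs at `APLOG_ERR`, although the condition is chosen entirely by the client (`IsPassive` in the query string with no IdP parameter). Any client that can reach the login endpoint can therefore generate 500 responses and error-level log lines that look like server faults. `return HTTP_BAD_REQUEST;` with the message logged at `APLOG_WARNING` would describe the condition accurately and keep error-rate alerting meaningful. The same branch passes `return_to` to `am_start_disco()`; the parts of `am_handle_login` between the hunks are not shown, so confirm that `ReturnTo` is validated as a local or allow-listed URL before it is embedded in the discovery redirect. A short comment above `if(idp_param != NULL)` noting that an explicit IdP parameter deliberately skips discovery would also help the next reader.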