From fd30c4c70c227828874d720ce17f0bc6be293bc8 Mon Sep 17 00:00:00 2001 From: Hans Zandbelt Date: Wed, 25 Oct 2023 10:12:06 +0200 Subject: [PATCH] add backwards compatibility to allow parallel refresh token requests using envvar OIDC_PARALLEL_REFRESH_ALLOWED Signed-off-by: Hans Zandbelt --- ChangeLog | 1 + src/mod_auth_openidc.c | 9 +++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 83f5c837..411c528d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ 10/25/2023 - do not apply logout_on_error and authenticate_on_error when a parallel refresh token request is detected see https://github.com/OpenIDC/mod_auth_openidc/discussions/1132; thanks @esunke +- add backwards compatibility option to allow parallel refresh token requests using envvar OIDC_PARALLEL_REFRESH_ALLOWED - bump to 2.4.14.5rc0 10/12/2023 diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c index 962b4797..00743a20 100644 --- a/src/mod_auth_openidc.c +++ b/src/mod_auth_openidc.c @@ -1058,6 +1058,8 @@ static void oidc_store_userinfo_claims(request_rec *r, oidc_cfg *c, #define OIDC_REFRESH_ERROR_GENERAL 2 #define OIDC_REFRESH_ERROR_PARALLEL_REFRESH 3 +#define OIDC_PARALLEL_REFRESH_ALLOWED_ENVVAR "OIDC_PARALLEL_REFRESH_ALLOWED" + /* * execute refresh token grant to refresh the existing access token */ @@ -1094,8 +1096,11 @@ static apr_byte_t oidc_refresh_token_grant(request_rec *r, oidc_cfg *c, if (value != NULL) { oidc_warn(r, "refresh token routine called but existing parallel refresh is in progress"); - *error_code = OIDC_REFRESH_ERROR_PARALLEL_REFRESH; - goto end; + if (apr_table_get(r->subprocess_env, + OIDC_PARALLEL_REFRESH_ALLOWED_ENVVAR) == NULL) { + *error_code = OIDC_REFRESH_ERROR_PARALLEL_REFRESH; + goto end; + } } // "lock" the refresh token best effort; this does not work failsafe in a clustered setup... oidc_cache_set_refresh_token(r, refresh_token, refresh_token,