Use discovery service with "login" endpoint.
Accessing the "login"-endpoint with multiple IdPs configured would bypass the discovery service. This patch changes the behaviour so that we send a discovery service request instead. This breaks backwards compatibility slightly, but hopefully it should not be a problem. This fixes issue 13: https://code.google.com/p/modmellon/issues/detail?id=13 git-svn-id: https://modmellon.googlecode.com/svn/trunk@186 a716ebb1-153a-0410-b759-cfb97c6a1b53
parent
f01342d019
commit
07f7c37cca
|
@ -2762,6 +2762,7 @@ static int am_handle_auth(request_rec *r)
|
|||
*/
|
||||
static int am_handle_login(request_rec *r)
|
||||
{
|
||||
am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
|
||||
char *idp_param;
|
||||
const char *idp;
|
||||
char *return_to;
|
||||
|
@ -2791,10 +2792,6 @@ static int am_handle_login(request_rec *r)
|
|||
"Error urldecoding IdP parameter.");
|
||||
return ret;
|
||||
}
|
||||
idp = idp_param;
|
||||
} else {
|
||||
/* Use the default IdP. */
|
||||
idp = am_get_idp(r);
|
||||
}
|
||||
|
||||
is_passive_str = am_extract_query_parameter(r->pool, r->args, "IsPassive");
|
||||
|
@ -2818,6 +2815,21 @@ static int am_handle_login(request_rec *r)
|
|||
is_passive = FALSE;
|
||||
}
|
||||
|
||||
if(idp_param != NULL) {
|
||||
idp = idp_param;
|
||||
} else if(cfg->discovery_url) {
|
||||
if(is_passive) {
|
||||
/* We cannot currently do discovery with passive authentication requests. */
|
||||
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
|
||||
"Discovery service with passive authentication request unsupported.");
|
||||
return HTTP_INTERNAL_SERVER_ERROR;
|
||||
}
|
||||
return am_start_disco(r, return_to);
|
||||
} else {
|
||||
/* No discovery service -- just use the default IdP. */
|
||||
idp = am_get_idp(r);
|
||||
}
|
||||
|
||||
return am_send_authn_request(r, idp, return_to, is_passive);
|
||||
}
|
||||
|
||||
|
|
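Review bot: The new discovery branch in am_handle_login answers a request-controlled condition with a server fault: IsPassive comes from the query string, so a client that reaches the login endpoint with passive mode enabled and no IdP parameter gets `HTTP_INTERNAL_SERVER_ERROR` and produces an `APLOG_ERR` entry. This is a bad request rather than a server failure, so `return HTTP_BAD_REQUEST;` with a lower level such as `APLOG_WARNING` would keep unauthenticated traffic from filling the error log and tripping 5xx alerting. Separately, `idp = idp_param;` hands a caller-chosen IdP to am_send_authn_request(), and return_to now also flows into am_start_disco(). Whether either value is checked (IdP against the configured set, return_to against the local host) is not visible in these hunks and is worth confirming. The parts of am_handle_login between the hunks are not shown, so this is inferred from the visible lines only.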