release 3.2.2: depend on liboauth2 1.4.2.1

- with fixed iat slack validation defaults
- set WWW-Authenticate environment variable to allow for complex Require
logic; see
  OpenIDC/mod_auth_openidc#572

Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>

Author: zandbelt

.gitignore

@@ -17,3 +17,6 @@
 /.settings/
 /.libs/
 /mod_oauth2.la
+/config.guess~
+/config.sub~
+/configure~

ChangeLog

@@ -1,3 +1,9 @@
+06/07/2021
+- depend on liboauth2 1.4.2.1 with fixed iat slack validation defaults
+- set WWW-Authenticate environment variable to allow for complex Require logic; see 
+  https://github.com/zmartzone/mod_auth_openidc/discussions/572
+- release 3.2.2
+
 02/01/2021
 - depend on liboauth2 1.4.1 with support for RFC 8705 mTLS Client Certificate bound access tokens
 - release 3.2.1

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([mod_oauth2],[3.2.1],[hans.zandbelt@zmartzone.eu])
+AC_INIT([mod_oauth2],[3.2.2],[hans.zandbelt@zmartzone.eu])
 
 AM_INIT_AUTOMAKE([foreign no-define subdir-objects])
 AC_CONFIG_MACRO_DIRS([m4])
@@ -32,11 +32,11 @@ PKG_CHECK_MODULES(APR, [apr-1, apr-util-1])
 AC_SUBST(APR_CFLAGS)
 AC_SUBST(APR_LIBS)
 
-PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 1.4.1])
+PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 1.4.2.1])
 AC_SUBST(OAUTH2_CFLAGS)
 AC_SUBST(OAUTH2_LIBS)
 
-PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 1.4.1])
+PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 1.4.2.1])
 AC_SUBST(OAUTH2_APACHE_CFLAGS)
 AC_SUBST(OAUTH2_APACHE_LIBS)
 

src/mod_oauth2.c

@@ -192,6 +192,8 @@ static int oauth2_check_user_id_handler(request_rec *r)
 	return DECLINED;
 }
 
+#define OAUTH2_BEARER_SCOPE_ERROR "OAUTH2_BEARER_SCOPE_ERROR"
+
 static authz_status
 oauth2_authz_checker(request_rec *r, const char *require_args,
 		     const void *parsed_require_args,
@@ -201,6 +203,7 @@ oauth2_authz_checker(request_rec *r, const char *require_args,
 	oauth2_cfg_dir_t *cfg = NULL;
 	oauth2_apache_request_ctx_t *ctx = NULL;
 	authz_status rc = AUTHZ_DENIED_NO_USER;
+	const char *value = NULL;
 
 	cfg = ap_get_module_config(r->per_dir_config, &oauth2_module);
 	ctx = OAUTH2_APACHE_REQUEST_CTX(r, oauth2);
@@ -217,12 +220,22 @@ oauth2_authz_checker(request_rec *r, const char *require_args,
 	if (claims)
 		json_decref(claims);
 
-	if ((rc == AUTHZ_DENIED) && ap_auth_type(r))
+	if ((rc == AUTHZ_DENIED) && ap_auth_type(r)) {
 		oauth2_apache_return_www_authenticate(
 		    cfg->source_token, ctx, HTTP_UNAUTHORIZED,
-		    "insufficient_scope", // TODO:
-					  // OAUTH2_ERROR_INSUFFICIENT_SCOPE,
+		    OAUTH2_ERROR_INSUFFICIENT_SCOPE,
 		    "Different scope(s) or other claims required.");
+		value = apr_table_get(r->err_headers_out,
+				      OAUTH2_HTTP_HDR_WWW_AUTHENTICATE);
+		apr_table_unset(r->err_headers_out,
+				OAUTH2_HTTP_HDR_WWW_AUTHENTICATE);
+		oauth2_debug(ctx->log,
+			     "setting environment variable %s to \"%s\" for "
+			     "usage in mod_headers",
+			     OAUTH2_BEARER_SCOPE_ERROR, value);
+		apr_table_set(r->subprocess_env, OAUTH2_BEARER_SCOPE_ERROR,
+			      value);
+	}
 
 	oauth2_debug(ctx->log, "leave");