[XrdHttp] route http.oidc bearer auth through sec.protocol oidc.

Delegate HTTPS bearer validation to the security framework via CIA so XrdHttp no longer links libXrdOucOIDC directly.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: apeters1971

src/XrdHttp/CMakeLists.txt

@@ -28,14 +28,11 @@ set_target_properties(XrdHttpUtils
     VERSION ${XRootD_LIBVERSION}
 )
 
-set(XrdOucOIDC XrdOucOIDC-${PLUGIN_VERSION})
-
 target_link_libraries(XrdHttpUtils
   PRIVATE
     XrdServer
     XrdUtils
     XrdCrypto
-    ${XrdOucOIDC}
   PUBLIC
     OpenSSL::SSL
     OpenSSL::Crypto

src/XrdHttp/XrdHttpProtocol.cc

@@ -46,7 +46,7 @@
 #include "XrdTls/XrdTlsContext.hh"
 #include "XrdOuc/XrdOucUtils.hh"
 #include "XrdOuc/XrdOucPrivateUtils.hh"
-#include "XrdOuc/XrdOucOIDC.hh"
+#include "XrdSec/XrdSecLoadSecurity.hh"
 #include "XrdHttpCors/XrdHttpCors.hh"
 
 #include <charconv>
@@ -157,6 +157,7 @@ bool xrdctxVer = false;
 using namespace XrdHttpProtoInfo;
 
 int XrdHttpProtocol::oidcHttpMode = 0;
+const char *XrdHttpProtocol::oidcConfigFN = nullptr;
 
 /******************************************************************************/
 /*            P r o t o c o l   M a n a g e m e n t   S t a c k s             */
@@ -809,7 +810,7 @@ int XrdHttpProtocol::Process(XrdLink *lp) // We ignore the argument here
 
 
 
-  // Bearer OIDC authentication over HTTPS (shared with sec.protocol oidc).
+  // Bearer OIDC authentication over HTTPS (via sec.protocol oidc / CIA).
   if (ishttps && ssldone && oidcHttpMode && HandleOidcAuthentication()) {
     return -1;
   }
@@ -912,6 +913,7 @@ int XrdHttpProtocol::Stats(char *buff, int blen, int do_sync) {
         eDest.Say("Config http." x " overrides the xrd." y " directive.")
 
 int XrdHttpProtocol::Config(const char *ConfigFN, XrdOucEnv *myEnv) {
+  XrdHttpProtocol::oidcConfigFN = ConfigFN;
   XrdOucEnv cfgEnv;
   XrdOucStream Config(&eDest, getenv("XRDINSTANCE"), &cfgEnv, "=====> ");
   std::vector<extHInfo> extHIVec;
@@ -3016,44 +3018,22 @@ int XrdHttpProtocol::xoidc(XrdOucStream &Config) {
   if (!val || !val[0])
      {eDest.Emsg("Config", "http.oidc argument not specified"); return 1;}
 
-  std::string parms;
-  bool needInit = false;
-
   if (!strcmp(val, "on") || !strcmp(val, "optional"))
      {oidcHttpMode = 1;
-      needInit = !XrdOucOIDC::IsConfigured();
+      return 0;
      }
-  else if (!strcmp(val, "require"))
+  if (!strcmp(val, "require"))
      {oidcHttpMode = 2;
-      needInit = !XrdOucOIDC::IsConfigured();
-     }
-  else if (val[0] == '-')
-     {oidcHttpMode = 1;
-      parms = val;
-      char *w = nullptr;
-      while ((w = Config.GetWord()))
-           {parms.push_back(' ');
-            parms += w;
-           }
-      needInit = true;
-     }
-  else
-     {eDest.Emsg("Config", "invalid http.oidc parameter -", val); return 1;}
-
-  if (needInit)
-     {std::string emsg;
-      const char *initParms = parms.empty() ? nullptr : parms.c_str();
-      if (!XrdOucOIDC::Init(eDest.logger(), initParms, emsg))
-         {eDest.Emsg("Config", "http.oidc initialization failed:", emsg.c_str());
-          return 1;
-         }
+      return 0;
      }
-  else if (!XrdOucOIDC::IsConfigured())
-     {eDest.Emsg("Config", "http.oidc requires OIDC configuration via sec.protocol oidc or inline parameters");
+  if (val[0] == '-')
+     {eDest.Emsg("Config", "http.oidc inline parameters are not supported;",
+                  "configure OIDC via sec.protparm oidc and sec.protocol oidc");
       return 1;
      }
 
-  return 0;
+  eDest.Emsg("Config", "invalid http.oidc parameter -", val);
+  return 1;
 }
 
 int XrdHttpProtocol::xauth(XrdOucStream &Config) {

src/XrdHttp/XrdHttpProtocol.hh

@@ -239,6 +239,9 @@ private:
   /// 0=disabled, 1=optional bearer OIDC, 2=require bearer OIDC
   static int oidcHttpMode;
 
+  /// Config file path used to load the security framework for http.oidc.
+  static const char *oidcConfigFN;
+
   static bool isRequiredXtractor; // If true treat secxtractor errors as fatal
   static XrdHttpSecXtractor *secxtractor;
 

src/XrdHttp/XrdHttpSecurity.cc

@@ -19,17 +19,21 @@
 // along with XRootD.  If not, see <http://www.gnu.org/licenses/>.
 //------------------------------------------------------------------------------
 
+#include <cctype>
 #include <cstdio>
 #include <cstring>
 #include <map>
 #include <string>
+#include <vector>
 
 #include <openssl/evp.h>
 
 #include "XrdHttpProtocol.hh"
 #include "XrdHttpTrace.hh"
 #include "XrdHttpSecXtractor.hh"
-#include "XrdOuc/XrdOucOIDC.hh"
+#include "XrdSec/XrdSecLoadSecurity.hh"
+#include "XrdSec/XrdSecInterface.hh"
+#include "XrdOuc/XrdOucErrInfo.hh"
 #include "Xrd/XrdLink.hh"
 #include "XrdCrypto/XrdCryptoX509Chain.hh"
 #include "XrdCrypto/XrdCryptosslAux.hh"
@@ -73,6 +77,41 @@ std::string bearerTokenKey(const char *tok, int tlen)
    return std::string(hex, mdLen * 2);
 }
 
+bool hasPrefix(const char *s, const char *end, const char *pfx)
+{
+   while (*pfx && s < end && *s == *pfx) {++s; ++pfx;}
+   return !*pfx;
+}
+
+const char *stripBearerToken(const char *bTok, int &sz)
+{
+   const char *sTok = bTok;
+   sz = 0;
+   if (!sTok) return nullptr;
+
+   const char *endPtr = sTok + strlen(sTok);
+   while (sTok < endPtr && isspace(static_cast<unsigned char>(*sTok))) ++sTok;
+   if (sTok >= endPtr) return nullptr;
+
+   if ((endPtr - sTok) >= 9 && hasPrefix(sTok, endPtr, "Bearer%20")) sTok += 9;
+   else if ((endPtr - sTok) >= 7 && hasPrefix(sTok, endPtr, "Bearer ")) sTok += 7;
+
+   while (sTok < endPtr && isspace(static_cast<unsigned char>(*sTok))) ++sTok;
+   if (sTok >= endPtr) return nullptr;
+
+   while (endPtr > sTok && isspace(static_cast<unsigned char>(*(endPtr - 1)))) --endPtr;
+   sz = static_cast<int>(endPtr - sTok);
+   return (sz > 0 ? sTok : nullptr);
+}
+
+void copyEntityAttrs(XrdSecEntity &dst, const XrdSecEntity &src)
+{
+   for (const auto &key : src.eaAPI->Keys())
+      {std::string val;
+       if (src.eaAPI->Get(key, val)) dst.eaAPI->Add(key, val, true);
+      }
+}
+
 bool extractBearerToken(const XrdHttpReq &req, std::string &token)
 {
    const std::string &cgi = req.hdr2cgistr;
@@ -129,6 +168,19 @@ bool XrdHttpProtocol::InitSecurity() {
        secxtractor->Init(sslctx, XrdHttpTrace.What);
       }
 
+// Load the security framework when HTTP bearer OIDC is enabled.
+//
+   if (oidcHttpMode && !CIA)
+      {if (!oidcConfigFN)
+          {eDest.Say("Error: http.oidc requires a configuration file path");
+           return false;
+          }
+       if (!(CIA = XrdSecLoadSecService(&eDest, oidcConfigFN)))
+          {eDest.Say("Error loading security framework for http.oidc");
+           return false;
+          }
+      }
+
 // All done
 //
    return true;
@@ -144,7 +196,7 @@ XrdHttpProtocol::HandleOidcAuthentication()
 #undef  TRACELINK
 #define TRACELINK Link
 
-  if (!oidcHttpMode || !XrdOucOIDC::IsConfigured()) return 0;
+  if (!oidcHttpMode || !CIA) return 0;
 
   // Client-certificate identity is fixed for the TLS connection.
   if (SecEntity.name && strncmp(SecEntity.prot, "oidc", 4) != 0) return 0;
@@ -160,7 +212,7 @@ XrdHttpProtocol::HandleOidcAuthentication()
      }
 
   int tlen = 0;
-  const char *tok = XrdOucOIDC::StripToken(bearer.c_str(), tlen);
+  const char *tok = stripBearerToken(bearer.c_str(), tlen);
   if (!tok || tlen <= 0)
      {TRACEI(REQ, " OIDC bearer token malformed.");
       SendSimpleResp(401, nullptr, nullptr, "Authentication failed", 0, false);
@@ -176,19 +228,44 @@ XrdHttpProtocol::HandleOidcAuthentication()
 
   if (!oidcBearerTokKey.empty() && tokKey == oidcBearerTokKey) return 0;
 
-  std::string tokStr(tok, static_cast<size_t>(tlen));
-  std::string identity, emsg;
-  std::map<std::string, std::string> entityAttrs;
-  if (!XrdOucOIDC::ValidateToken(tokStr.c_str(), identity, emsg, nullptr,
-                                 &entityAttrs))
-     {TRACEI(REQ, " OIDC token validation failed: " << emsg);
+  const int bsz = 5 + tlen + 1;
+  std::vector<char> credBuf(static_cast<size_t>(bsz));
+  strcpy(credBuf.data(), "oidc");
+  memcpy(credBuf.data() + 5, tok, static_cast<size_t>(tlen));
+  credBuf[static_cast<size_t>(5 + tlen)] = '\0';
+
+  XrdSecCredentials cred;
+  cred.buffer = credBuf.data();
+  cred.size = bsz;
+
+  XrdOucErrInfo eMsg;
+  XrdSecProtocol *authProt = CIA->getProtocol(Link->Host(), *(Link->AddrInfo()),
+                                            &cred, eMsg);
+  if (!authProt)
+     {int ec = 0;
+      const char *et = eMsg.getErrText(ec);
+      TRACEI(REQ, " OIDC protocol unavailable: " << (et && *et ? et : "unknown"));
+      SendSimpleResp(401, nullptr, nullptr, "Authentication failed", 0, false);
+      return 1;
+     }
+
+  XrdSecParameters *parm = nullptr;
+  const int rc = authProt->Authenticate(&cred, &parm, &eMsg);
+  if (parm) delete parm;
+
+  if (rc != 0 || !CIA->PostProcess(authProt->Entity, eMsg))
+     {int ec = 0;
+      const char *et = eMsg.getErrText(ec);
+      TRACEI(REQ, " OIDC token validation failed: " << (et && *et ? et : "unknown"));
+      authProt->Delete();
       SendSimpleResp(401, nullptr, nullptr, "Authentication failed", 0, false);
       return 1;
      }
 
   if (!oidcBearerTokKey.empty() || Bridge)
      {if (Bridge && !Bridge->Disc())
          {TRACEI(REQ, " OIDC token changed but bridge is busy.");
+          authProt->Delete();
           SendSimpleResp(503, nullptr, nullptr, "Authentication busy", 0, false);
           return 1;
          }
@@ -200,10 +277,11 @@ XrdHttpProtocol::HandleOidcAuthentication()
      }
 
   if (SecEntity.name) free(SecEntity.name);
-  SecEntity.name = strdup(identity.c_str());
-  strncpy(SecEntity.prot, "oidc", sizeof(SecEntity.prot));
-  for (const auto &attr : entityAttrs)
-     SecEntity.eaAPI->Add(attr.first, attr.second, true);
+  SecEntity.name = authProt->Entity.name ? strdup(authProt->Entity.name) : nullptr;
+  strncpy(SecEntity.prot, authProt->Entity.prot, sizeof(SecEntity.prot));
+  copyEntityAttrs(SecEntity, authProt->Entity);
+  authProt->Delete();
+
   oidcBearerTokKey = tokKey;
   TRACEI(REQ, " OIDC authenticated as: " << SecEntity.name);
   return 0;

src/XrdSecoidc/README.md

@@ -103,10 +103,12 @@ TLS-only use.
 
 ## HTTPS (XrdHttp) authentication
 
-The OIDC JWT validation logic is shared with XrdHttp via `libXrdOucOIDC`. To
-authenticate HTTPS clients with the same issuers and `oidc.cfg` as `root://`:
+HTTPS bearer authentication is routed through the same `sec.protocol oidc` plugin
+as `root://` (via the XRootD security framework). Configure OIDC once with
+`sec.protparm oidc` / `sec.protocol oidc`, then enable HTTP bearer handling:
 
 ```conf
+xrootd.seclib libXrdSec.so
 xrootd.tls all
 http.tlsclientauth off
 http.header2cgi Authorization authz
@@ -120,12 +122,11 @@ sec.protocol oidc
 - `on` or `optional` — validate `Authorization: Bearer <token>` when present
 - `require` — reject requests without a valid bearer token (unless mTLS already
 set the identity)
-- inline parameters (e.g. `http.oidc -issuer https://... -audience xrootd`) —
-initialize OIDC for HTTP only, using the same options as `sec.protocol oidc`
 
-When `sec.protocol oidc` is already configured, `http.oidc on` reuses that shared
-configuration. Bearer tokens may be sent via the `Authorization` header (with
-`http.header2cgi`) or as an `authz` CGI parameter.
+`sec.protocol oidc` (and any `sec.protparm oidc` lines) must be present in the
+configuration; `http.oidc` only enables bearer-token handling over HTTPS.
+Bearer tokens may be sent via the `Authorization` header (with `http.header2cgi`)
+or as an `authz` CGI parameter.
 
 On HTTP keep-alive connections, a changed `Authorization` bearer token is
 detected and triggers re-validation, a new `XrdSecEntity`, and a fresh xrootd