id_token: add "off" option to OIDCPassIDTokenAs

zandbelt · zandbelt · commit fe64efa3ab6b · 2025-11-18T17:06:33.000+01:00
so no claims from the ID token will be passed on

Signed-off-by: Hans Zandbelt &lt;hans.zandbelt@openidc.com&gt;
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,6 @@
+11/18/2025
+- id_token: add "off" option to OIDCPassIDTokenAs so no claims from the ID token will be passed on
+
 11/17/2025
 - metadata: avoid double-free when validation of provider metadata fails
 - perf: store id_token/userinfo claims as JSON objects and avoid parsing/serializing overhead
diff --git a/auth_openidc.conf b/auth_openidc.conf
@@ -849,10 +849,11 @@
 # "claims" :     the claims in the id_token are passed in individual headers/environment variables
 # "payload" :    the payload of the id_token is passed as a JSON object in the "OIDC_id_token_payload" header/environment variable
 # "serialized" : the complete id_token is passed in compact serialized format in the "OIDC_id_token" header/environment variable
+# "off" :        no id_token information is passed (overrides other options)
 # Note that when OIDCSessionType client-cookie is set, the id_token itself is not stored in the session/cookie (unless explicitly
 # configured to do so) and as such the header for the "serialized" option will not be set.
 # Can be configured on a per Directory/Location basis. When not defined the default "claims" is used.. 
-#OIDCPassIDTokenAs [claims|payload|serialized]+
+#OIDCPassIDTokenAs [claims|payload|serialized|off]+
 
 # Define the way(s) in which the claims resolved from the userinfo endpoint are passed to the application according to OIDCPassClaimsAs.
 # Must be one or several of:
diff --git a/src/cfg/cmds.c b/src/cfg/cmds.c
@@ -781,7 +781,7 @@ const command_rec oidc_cfg_cmds[] = {
 		pass_refresh_token,
 		"Pass the refresh token in a header and/or environment variable (On or Off)"),
 	OIDC_CFG_CMD_DIR(
-		AP_INIT_TAKE123,
+		AP_INIT_ITERATE,
 		OIDCPassIDTokenAs,
 		pass_idtoken_as,
 		"Set the format in which the id_token is passed in (a) header(s); must be one or more of: claims | payload | serialized"),
diff --git a/src/cfg/dir.c b/src/cfg/dir.c
@@ -81,11 +81,12 @@ struct oidc_dir_cfg_t {
 #define OIDC_PASS_ID_TOKEN_AS_CLAIMS_STR "claims"
 #define OIDC_PASS_IDTOKEN_AS_PAYLOAD_STR "payload"
 #define OIDC_PASS_IDTOKEN_AS_SERIALIZED_STR "serialized"
+#define OIDC_PASS_IDTOKEN_OFF_STR "off"
 
 /*
  * define how to pass the id_token/claims in HTTP headers
  */
-const char *oidc_cmd_dir_pass_idtoken_as_set(cmd_parms *cmd, void *m, const char *v1, const char *v2, const char *v3) {
+const char *oidc_cmd_dir_pass_idtoken_as_set(cmd_parms *cmd, void *m, const char *arg) {
 	oidc_dir_cfg_t *dir_cfg = (oidc_dir_cfg_t *)m;
 
 	oidc_pass_idtoken_as_t type;
@@ -94,28 +95,18 @@ const char *oidc_cmd_dir_pass_idtoken_as_set(cmd_parms *cmd, void *m, const char
 	static const oidc_cfg_option_t options[] = {
 	    {OIDC_PASS_IDTOKEN_AS_CLAIMS, OIDC_PASS_ID_TOKEN_AS_CLAIMS_STR},
 	    {OIDC_PASS_IDTOKEN_AS_PAYLOAD, OIDC_PASS_IDTOKEN_AS_PAYLOAD_STR},
-	    {OIDC_PASS_IDTOKEN_AS_SERIALIZED, OIDC_PASS_IDTOKEN_AS_SERIALIZED_STR}};
+	    {OIDC_PASS_IDTOKEN_AS_SERIALIZED, OIDC_PASS_IDTOKEN_AS_SERIALIZED_STR},
+	    {OIDC_PASS_IDTOKEN_OFF, OIDC_PASS_IDTOKEN_OFF_STR}};
 
-	if (v1) {
-		rv = oidc_cfg_parse_option(cmd->pool, options, OIDC_CFG_OPTIONS_SIZE(options), v1, (int *)&type);
+	if (arg) {
+		rv = oidc_cfg_parse_option(cmd->pool, options, OIDC_CFG_OPTIONS_SIZE(options), arg, (int *)&type);
 		if (rv != NULL)
 			return OIDC_CONFIG_DIR_RV(cmd, rv);
 		// NB: assign the first to override the "unset" default
-		dir_cfg->pass_idtoken_as = type;
-	}
-
-	if (v2) {
-		rv = oidc_cfg_parse_option(cmd->pool, options, OIDC_CFG_OPTIONS_SIZE(options), v2, (int *)&type);
-		if (rv != NULL)
-			return OIDC_CONFIG_DIR_RV(cmd, rv);
-		dir_cfg->pass_idtoken_as |= type;
-	}
-
-	if (v3) {
-		rv = oidc_cfg_parse_option(cmd->pool, options, OIDC_CFG_OPTIONS_SIZE(options), v3, (int *)&type);
-		if (rv != NULL)
-			return OIDC_CONFIG_DIR_RV(cmd, rv);
-		dir_cfg->pass_idtoken_as |= type;
+		if (dir_cfg->pass_idtoken_as == OIDC_CONFIG_POS_INT_UNSET)
+			dir_cfg->pass_idtoken_as = type;
+		else
+			dir_cfg->pass_idtoken_as |= type;
 	}
 
 	return NULL;
diff --git a/src/cfg/dir.h b/src/cfg/dir.h
@@ -73,7 +73,9 @@ typedef enum {
 	/* pass id_token payload as JSON object in header */
 	OIDC_PASS_IDTOKEN_AS_PAYLOAD = 2,
 	/* pass id_token in compact serialized format in header */
-	OIDC_PASS_IDTOKEN_AS_SERIALIZED = 4
+	OIDC_PASS_IDTOKEN_AS_SERIALIZED = 4,
+	/* do not pass id_token */
+	OIDC_PASS_IDTOKEN_OFF = 8
 } oidc_pass_idtoken_as_t;
 
 typedef enum {
@@ -146,14 +148,12 @@ OIDC_CFG_DIR_MEMBER_FUNCS(pass_access_token, apr_byte_t)
 OIDC_CFG_DIR_MEMBER_FUNCS(pass_refresh_token, apr_byte_t)
 OIDC_CFG_DIR_MEMBER_FUNCS(discover_url, const char *)
 OIDC_CFG_DIR_MEMBER_FUNCS(state_cookie_prefix, const char *)
+OIDC_CFG_DIR_MEMBER_FUNCS(pass_idtoken_as, oidc_pass_idtoken_as_t)
 
 // 2 args
 OIDC_CFG_DIR_MEMBER_FUNCS(unautz_action, oidc_unautz_action_t, const char *)
 OIDC_CFG_DIR_MEMBER_FUNCS(refresh_access_token_before_expiry, int, const char *)
 
-// 3 args
-OIDC_CFG_DIR_MEMBER_FUNCS(pass_idtoken_as, oidc_pass_idtoken_as_t, const char *, const char *)
-
 // ifdefs
 #ifdef USE_LIBJQ
 OIDC_CFG_DIR_MEMBER_FUNCS(userinfo_claims_expr, const char *)
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -698,6 +698,32 @@ apr_byte_t oidc_session_pass_tokens(request_rec *r, oidc_cfg_t *cfg, oidc_sessio
 	return TRUE;
 }
 
+static void oidc_idtoken_pass_as(request_rec *r, oidc_cfg_t *cfg, oidc_session_t *session,
+				 oidc_appinfo_pass_in_t pass_in, oidc_appinfo_encoding_t encoding) {
+
+	if ((oidc_cfg_dir_pass_idtoken_as_get(r) & OIDC_PASS_IDTOKEN_OFF))
+		return;
+
+	if ((oidc_cfg_dir_pass_idtoken_as_get(r) & OIDC_PASS_IDTOKEN_AS_CLAIMS)) {
+		/* set the id_token in the app headers */
+		oidc_set_app_claims(r, cfg, oidc_session_get_idtoken_claims(r, session));
+	}
+
+	if ((oidc_cfg_dir_pass_idtoken_as_get(r) & OIDC_PASS_IDTOKEN_AS_PAYLOAD)) {
+		/* pass the id_token JSON object to the app in a header or environment variable */
+		oidc_util_appinfo_set(r, OIDC_APP_INFO_ID_TOKEN_PAYLOAD,
+				      oidc_util_json_encode(r->pool, oidc_session_get_idtoken_claims(r, session),
+							    JSON_PRESERVE_ORDER | JSON_COMPACT),
+				      OIDC_DEFAULT_HEADER_PREFIX, pass_in, encoding);
+	}
+
+	if ((oidc_cfg_dir_pass_idtoken_as_get(r) & OIDC_PASS_IDTOKEN_AS_SERIALIZED)) {
+		/* pass the compact serialized JWT to the app in a header or environment variable */
+		oidc_util_appinfo_set(r, OIDC_APP_INFO_ID_TOKEN, oidc_session_get_idtoken(r, session),
+				      OIDC_DEFAULT_HEADER_PREFIX, pass_in, encoding);
+	}
+}
+
 /*
  * handle the case where we have identified an existing authentication session for a user
  */
@@ -788,30 +814,13 @@ static int oidc_handle_existing_session(request_rec *r, oidc_cfg_t *cfg, oidc_se
 	/* copy id_token and claims from session to request state and obtain their values */
 	oidc_copy_tokens_to_request_state(r, session);
 
-	if ((oidc_cfg_dir_pass_idtoken_as_get(r) & OIDC_PASS_IDTOKEN_AS_CLAIMS)) {
-		/* set the id_token in the app headers */
-		if (oidc_set_app_claims(r, cfg, oidc_session_get_idtoken_claims(r, session)) == FALSE)
-			return HTTP_INTERNAL_SERVER_ERROR;
-	}
-
-	if ((oidc_cfg_dir_pass_idtoken_as_get(r) & OIDC_PASS_IDTOKEN_AS_PAYLOAD)) {
-		/* pass the id_token JSON object to the app in a header or environment variable */
-		oidc_util_appinfo_set(r, OIDC_APP_INFO_ID_TOKEN_PAYLOAD,
-				      oidc_util_json_encode(r->pool, oidc_session_get_idtoken_claims(r, session),
-							    JSON_PRESERVE_ORDER | JSON_COMPACT),
-				      OIDC_DEFAULT_HEADER_PREFIX, pass_in, encoding);
-	}
-
-	if ((oidc_cfg_dir_pass_idtoken_as_get(r) & OIDC_PASS_IDTOKEN_AS_SERIALIZED)) {
-		/* pass the compact serialized JWT to the app in a header or environment variable */
-		oidc_util_appinfo_set(r, OIDC_APP_INFO_ID_TOKEN, oidc_session_get_idtoken(r, session),
-				      OIDC_DEFAULT_HEADER_PREFIX, pass_in, encoding);
-	}
-
 	/* pass the at, rt and at expiry to the application, possibly update the session expiry */
 	if (oidc_session_pass_tokens(r, cfg, session, extend_session, needs_save) == FALSE)
 		return HTTP_INTERNAL_SERVER_ERROR;
 
+	/* pass ID token and claims */
+	oidc_idtoken_pass_as(r, cfg, session, pass_in, encoding);
+	/* pass userinfo claims */
 	oidc_userinfo_pass_as(r, cfg, session, pass_in, encoding);
 
 	/* return "user authenticated" status */
