Choice module breaks OpenID Connect and other methods requesting URL params
When the Choice module is used for authentication, each choice takes a URL parameter that lets a different address be used to authenticate. However, when using an OpenID Connect Relay (and possibly other methods) that redirects to a page such as /oauth2/..., the URL given drops these parameters, so the first login of the day fails to redirect correctly.
I fixed this by patching line 201 of /usr/share/perl5/Lemonldap/NG/Portal/_Choice.pm as follows:
{code}
--- ./_Choice.pm.hookbak 2016-05-04 17:40:01.000000000 +1200
+++ ./_Choice.pm 2016-05-04 17:39:38.000000000 +1200
@@ -198,6 +198,7 @@
# Default URL
$url ||= "#";
+ $url =~ s/\$REQUEST_URI/$ENV{"REQUEST_URI"} . $ENV{"QUERY_STRING"}/g;
# Options to store in the loop
my $optionsLoop =
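Review bot: the added substitution has no /e modifier, so the replacement `$ENV{"REQUEST_URI"} . $ENV{"QUERY_STRING"}` is interpolated as a string rather than evaluated: both hash values are inserted, but the ` . ` between them is kept literally, giving a URL of the form `/oauth2/...?a=b . a=b`. Either evaluate the replacement (`s/\$REQUEST_URI/$ENV{REQUEST_URI} . $ENV{QUERY_STRING}/ge`) or build the value into a scalar first and interpolate that. Apache's REQUEST_URI already includes the query string, so appending QUERY_STRING would also duplicate it. Since REQUEST_URI is client-controlled and $url feeds the choice loop that is rendered into the login page, it should be HTML-escaped before it reaches an href, otherwise the request URI becomes a markup-injection point.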
{code}
This then allows the URL to contain $REQUEST_URI.
In our case we use Kerberos via Apache, with LDAP as a fallback (based on http://lemonldap-ng.org/documentation/1.3/authapache).
For this patch to work, the Choice module has LDAP and Kerberos configured. LDAP keeps the default settings; Kerberos has its URL set to:
/krb.pl$REQUEST_URI
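As an added illustration (not code from the LemonLDAP::NG project or from the patch above), this standalone Perl script shows how a Choice URL of `/krb.pl$REQUEST_URI` expands, and how the client-supplied value should be escaped before it is written into the login page. The `%env` hash is a constructed stand-in for Apache's environment.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Expand the $REQUEST_URI placeholder in a Choice-module URL such as
# "/krb.pl$REQUEST_URI". The value comes from the environment hash passed
# in; Apache's REQUEST_URI already carries the query string, so nothing is
# appended. Interpolating a plain scalar avoids the string-vs-code
# confusion of writing "$ENV{...} . $ENV{...}" directly in the replacement.
sub expand_request_uri {
    my ( $url, $env ) = @_;
    my $req = defined $env->{REQUEST_URI} ? $env->{REQUEST_URI} : '';
    $url =~ s/\$REQUEST_URI/$req/g;
    return $url;
}

# REQUEST_URI is client-controlled; escape it before it lands in an href.
sub html_escape {
    my ($s) = @_;
    my %map = ( '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                '"' => '&quot;', "'" => '&#39;' );
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Constructed sample environment (hypothetical values), as Apache would
# populate it for an OpenID Connect authorization request at the portal.
my %env = ( REQUEST_URI =>
    '/oauth2/authorize?response_type=code&client_id=app&state=xyz' );

my $href = expand_request_uri( '/krb.pl$REQUEST_URI', \%env );
print qq{<a href="}, html_escape($href), qq{">Kerberos</a>\n};

# A request URI carrying markup is neutralised by the escaping step.
$env{REQUEST_URI} = '/oauth2/authorize?state="><script>';
print html_escape( expand_request_uri( '/krb.pl$REQUEST_URI', \%env ) ), "\n";
```

The first link keeps the /oauth2/ path and its query parameters intact behind the /krb.pl prefix, which is what the Choice URL needs for the redirect to work.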
Apache config:
{code}
# OpenID Connect Issuer
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteRule ^(/krb.pl)?/oauth2/.* /index.pl
    RewriteRule ^/.well-known/openid-configuration$ /openid-configuration.pl
</IfModule>
{code}
And issuerDBOpenIDConnectPath inside the manager is now set to: ^(/krb.pl)?/oauth2/
This will only fix OpenID Connect.