disable caching on authorization redirect

bodewig · bodewig · commit e5113313a7e2 · 2018-05-24T18:08:53.000+02:00
issue similar to https://github.com/zmartzone/mod_auth_openidc/issues/321 Signed-off-by: Stefan Bodewig <stefan.bodewig@innoq.com>
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,7 @@
+05/24/2018
+- add Cache-Control no-cache header to authorization requests to avoid replays of state/nonce;
+  see https://github.com/zmartzone/mod_auth_openidc/issues/321
+
 04/28/2018
 - release 1.5.4
 
diff --git a/lib/resty/openidc.lua b/lib/resty/openidc.lua
@@ -310,6 +310,7 @@ local function openidc_authorize(opts, session, target_url, prompt)
   session:save()
 
   -- redirect to the /authorization endpoint
+  ngx.header["Cache-Control"] = "no-cache, no-store, max-age=0"
   return ngx.redirect(openidc_combine_uri(opts.discovery.authorization_endpoint, params))
 end
 
diff --git a/tests/spec/redirect_to_op_spec.lua b/tests/spec/redirect_to_op_spec.lua
@@ -13,6 +13,9 @@ describe("when accessing the protected resource without token", function()
     assert.are.equals(302, status)
     assert.truthy(string.match(headers["location"], "http://127.0.0.1/authorize%?.*client_id=client_id.*"))
   end)
+  it("HTTP Caching is disabled", function()
+    assert.are.equals("no-cache, no-store, max-age=0", headers["cache-control"])
+  end)
   it("requests the authorization code grant flow", function()
     assert.truthy(string.match(headers["location"], ".*response_type=code.*"))
   end)
