Available plugin hooks
======================
OpenID Connect Issuer hooks
---------------------------
oidcGotRequest
~~~~~~~~~~~~~~~
.. versionadded:: 2.0.10
This hook is triggered when LemonLDAP::NG receives an authorization request on the `/oauth2/authorize` endpoint.
The hook's parameter is a hash containing the authorization request parameters.
Sample code::
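use constant hook => {
    oidcGotRequest => 'addScopeToRequest',
};

# oidcGotRequest handler: append a fixed scope to the incoming
# authorization request before the portal processes it.
#
# Parameters:
#   $self         - the plugin object
#   $req          - the portal request
#   $oidc_request - hash ref of the authorization request parameters;
#                   its 'scope' entry is rewritten in place
# Returns PE_OK so that request processing continues.
sub addScopeToRequest {
    my ( $self, $req, $oidc_request ) = @_;

    # Scopes are space-separated. Skip undefined or empty values so that a
    # request without a scope does not end up with a leading space.
    $oidc_request->{scope} = join ' ',
      grep { defined $_ and length $_ } $oidc_request->{scope},
      'my_hooked_scope';

    return PE_OK;
}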
oidcGotClientCredentialsGrant
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. versionadded:: 2.0.12
This hook is triggered when LemonLDAP::NG has successfully authorized a :ref:`Client Credentials Grant <client-credentials-grant>`.
The hook's parameters are:
* A hash of the current session info
* the configuration key of the relying party which is being identified
Sample code::
use constant hook => {
    oidcGotClientCredentialsGrant => 'addSessionVariable',
};

# oidcGotClientCredentialsGrant handler: mark the session as having been
# created through a Client Credentials Grant.
#
# Parameters:
#   $self - the plugin object
#   $req  - the portal request
#   $info - hash ref of the current session info (modified in place)
#   $rp   - configuration key of the relying party being identified
# Returns PE_OK.
sub addSessionVariable {
    my $self = shift;
    my ( $req, $info, $rp ) = @_;

    $info->{is_client_credentials} = 1;

    return PE_OK;
}
oidcGenerateCode
~~~~~~~~~~~~~~~~
.. versionadded:: 2.0.12
This hook is triggered when LemonLDAP::NG is about to generate an Authorization Code for a Relying Party.
The hook's parameters are:
* A hash of the parameters for the OIDC Authorize request, which you can modify
* the configuration key of the relying party which will receive the token
* A hash of the session keys for the (internal) Authorization Code session
Sample code::
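use constant hook => {
    oidcGenerateCode => 'modifyRedirectUri',
};

# oidcGenerateCode handler: add a fixed query parameter to the redirect
# URI the Authorization Code will be sent to.
#
# Parameters:
#   $self         - the plugin object
#   $req          - the portal request
#   $oidc_request - hash ref of the Authorize request parameters;
#                   its 'redirect_uri' entry is rewritten in place
#   $rp           - configuration key of the relying party
#   $code_payload - hash ref of the Authorization Code session keys
# Returns PE_OK.
sub modifyRedirectUri {
    my ( $self, $req, $oidc_request, $rp, $code_payload ) = @_;

    my $original_uri = $oidc_request->{redirect_uri} // '';

    # Use '&' when the URI already carries a query string; a second '?'
    # would produce a malformed URL.
    my $separator = ( $original_uri =~ /\?/ ) ? '&' : '?';

    # Only a fixed value is appended here. Deriving the new URI from
    # client-supplied parameters would let a client choose where the
    # code is delivered.
    $oidc_request->{redirect_uri} = "${original_uri}${separator}hooked=1";

    return PE_OK;
}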
oidcGenerateUserInfoResponse
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. versionadded:: 2.0.10
This hook is triggered when LemonLDAP::NG is about to send a UserInfo response to a relying party on the `/oauth2/userinfo` endpoint.
The hook's parameter is a hash containing all the claims that are about to be released.
Sample code::
use constant hook => {
    oidcGenerateUserInfoResponse => 'addClaimToUserInfo',
};

# oidcGenerateUserInfoResponse handler: add one extra claim to the
# UserInfo response that is about to be released.
#
# Parameters:
#   $self     - the plugin object
#   $req      - the portal request
#   $userinfo - hash ref of the claims to be sent (modified in place)
# Returns PE_OK.
sub addClaimToUserInfo {
    my $self     = shift;
    my $req      = shift;
    my $userinfo = shift;

    $userinfo->{userinfo_hook} = 1;

    return PE_OK;
}
oidcGenerateIDToken
~~~~~~~~~~~~~~~~~~~
.. versionadded:: 2.0.10
This hook is triggered when LemonLDAP::NG is generating an ID Token.
The hook's parameters are:
* A hash of the claims to be contained in the ID Token
* the configuration key of the relying party which will receive the token
Sample code::
use constant hook => {
    oidcGenerateIDToken => 'addClaimToIDToken',
};

# oidcGenerateIDToken handler: add one extra claim to the ID Token.
#
# Parameters:
#   $self    - the plugin object
#   $req     - the portal request
#   $payload - hash ref of the ID Token claims (modified in place)
#   $rp      - configuration key of the relying party receiving the token
# Returns PE_OK.
sub addClaimToIDToken {
    my $self = shift;
    my ( $req, $payload, $rp ) = @_;

    $payload->{id_token_hook} = 1;

    return PE_OK;
}
oidcGenerateAccessToken
~~~~~~~~~~~~~~~~~~~~~~~
.. versionadded:: 2.0.12
This hook is triggered when LemonLDAP::NG is generating a JWT-formatted Access Token.
The hook's parameters are:
* A hash of the claims to be contained in the Access Token
* the configuration key of the relying party which will receive the token
Sample code::
use constant hook => {
    oidcGenerateAccessToken => 'addClaimToAccessToken',
};

# oidcGenerateAccessToken handler: add one extra claim to a JWT-formatted
# Access Token.
#
# Parameters:
#   $self    - the plugin object
#   $req     - the portal request
#   $payload - hash ref of the Access Token claims (modified in place)
#   $rp      - configuration key of the relying party receiving the token
# Returns PE_OK.
sub addClaimToAccessToken {
    my $self = shift;
    my ( $req, $payload, $rp ) = @_;

    $payload->{access_token_hook} = 1;

    return PE_OK;
}
oidcResolveScope
~~~~~~~~~~~~~~~~
.. versionadded:: 2.0.12
This hook is triggered when LemonLDAP::NG is resolving scopes.
The hook's parameters are:
* An array ref of currently granted scopes, which you can modify
* The configuration key of the requested RP
Sample code::
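use constant hook => {
    oidcResolveScope => 'addHardcodedScope',
};

# oidcResolveScope handler: always grant a fixed scope in addition to
# whatever was resolved.
#
# Parameters:
#   $self      - the plugin object
#   $req       - the portal request
#   $scopeList - array ref of currently granted scopes (modified in place)
#   $rp        - configuration key of the requested RP
# Returns PE_OK.
sub addHardcodedScope {
    my ( $self, $req, $scopeList, $rp ) = @_;

    # Grant the scope only once: the list may already contain it, for
    # instance when the client requested it itself.
    my $scope = 'myscope';
    push @{$scopeList}, $scope
      unless grep { $_ eq $scope } @{$scopeList};

    return PE_OK;
}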
SAML Issuer hooks
-----------------
samlGotAuthnRequest
~~~~~~~~~~~~~~~~~~~
.. versionadded:: 2.0.10
This hook is triggered when LemonLDAP::NG has received a SAML login request.
The hook's parameter is the Lasso::Login object
Sample code::
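use constant hook => {
    samlGotAuthnRequest => 'gotRequest',
};

# samlGotAuthnRequest handler skeleton.
#
# Parameters:
#   $self  - the plugin object
#   $req   - the portal request (second positional argument, as in the
#            other hook samples)
#   $login - the Lasso::Login object for the received request
# Returns PE_OK. Without an explicit return, Perl returns the value of
# the last statement evaluated, which is not PE_OK.
sub gotRequest {
    my ( $self, $req, $login ) = @_;

    # Your code here

    return PE_OK;
}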
samlBuildAuthnResponse
~~~~~~~~~~~~~~~~~~~~~~
.. versionadded:: 2.0.10
This hook is triggered when LemonLDAP::NG is about to build a response to the SAML login request.
The hook's parameter is the Lasso::Login object
Sample code::
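use constant hook => {
    samlBuildAuthnResponse => 'buildResponse',
};

# samlBuildAuthnResponse handler skeleton.
#
# Parameters:
#   $self  - the plugin object
#   $req   - the portal request (second positional argument, as in the
#            other hook samples)
#   $login - the Lasso::Login object the response is built from
# Returns PE_OK. Without an explicit return, Perl returns the value of
# the last statement evaluated, which is not PE_OK.
sub buildResponse {
    my ( $self, $req, $login ) = @_;

    # Your code here

    return PE_OK;
}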
samlGotLogoutRequest
~~~~~~~~~~~~~~~~~~~~
.. versionadded:: 2.0.10
This hook is triggered when LemonLDAP::NG has received a SAML logout request.
The hook's parameter is the Lasso::Logout object
Sample code::
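use constant hook => {
    samlGotLogoutRequest => 'gotLogout',
};

# samlGotLogoutRequest handler skeleton.
#
# Parameters:
#   $self   - the plugin object
#   $req    - the portal request (second positional argument, as in the
#             other hook samples)
#   $logout - the Lasso::Logout object for the received request
# Returns PE_OK. Without an explicit return, Perl returns the value of
# the last statement evaluated, which is not PE_OK.
sub gotLogout {
    my ( $self, $req, $logout ) = @_;

    # Your code here

    return PE_OK;
}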
samlGotLogoutResponse
~~~~~~~~~~~~~~~~~~~~~
.. versionadded:: 2.0.10
This hook is triggered when LemonLDAP::NG has received a SAML logout response.
The hook's parameter is the Lasso::Logout object
Sample code::
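use constant hook => {
    samlGotLogoutResponse => 'gotLogoutResponse',
};

# samlGotLogoutResponse handler skeleton.
#
# Parameters:
#   $self   - the plugin object
#   $req    - the portal request (second positional argument, as in the
#             other hook samples)
#   $logout - the Lasso::Logout object for the received response
# Returns PE_OK. Without an explicit return, Perl returns the value of
# the last statement evaluated, which is not PE_OK.
sub gotLogoutResponse {
    my ( $self, $req, $logout ) = @_;

    # Your code here

    return PE_OK;
}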
samlBuildLogoutResponse
~~~~~~~~~~~~~~~~~~~~~~~
.. versionadded:: 2.0.10
This hook is triggered when LemonLDAP::NG is about to generate a SAML logout response.
The hook's parameter is the Lasso::Logout object
Sample code::
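use constant hook => {
    samlBuildLogoutResponse => 'buildLogoutResponse',
};

# samlBuildLogoutResponse handler skeleton.
#
# Parameters:
#   $self   - the plugin object
#   $req    - the portal request (second positional argument, as in the
#             other hook samples)
#   $logout - the Lasso::Logout object the response is built from
# Returns PE_OK. Without an explicit return, Perl returns the value of
# the last statement evaluated, which is not PE_OK.
sub buildLogoutResponse {
    my ( $self, $req, $logout ) = @_;

    # Your code here

    return PE_OK;
}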
CAS Issuer hooks
-----------------
casGotRequest
~~~~~~~~~~~~~
.. versionadded:: 2.0.12
This hook is triggered when LemonLDAP::NG receives a CAS authentication request on the `/cas/login` endpoint.
The hook's parameter is a hash containing the CAS request parameters.
Sample code::
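use constant hook => {
    casGotRequest => 'filterService'
};

# casGotRequest handler: accept a single CAS service and reject every
# other request.
#
# Parameters:
#   $self        - the plugin object
#   $req         - the portal request
#   $cas_request - hash ref of the CAS request parameters
# Returns PE_OK when the service is allowed, another code otherwise.
sub filterService {
    my ( $self, $req, $cas_request ) = @_;

    # Exact string comparison on purpose: a prefix or substring match would
    # let look-alike service URLs through. A missing 'service' parameter
    # compares as the empty string and is rejected.
    my $service = $cas_request->{service} // '';

    return PE_OK if $service eq "http://auth.sp.com/";

    # 999 is an arbitrary placeholder, not a defined portal constant; the
    # sample only relies on it being different from PE_OK.
    return 999;
}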
casGenerateServiceTicket
~~~~~~~~~~~~~~~~~~~~~~~~
.. versionadded:: 2.0.12
This hook is triggered when LemonLDAP::NG is about to generate a Service Ticket for a CAS application.
The hook's parameters are:
* A hash of the parameters for the CAS request, which you can modify
* the configuration key of the CAS application which will receive the ticket
* A hash of the session keys for the (internal) CAS session
Sample code::
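use constant hook => {
    'casGenerateServiceTicket' => 'changeRedirectUrl',
};

# casGenerateServiceTicket handler: add a fixed query parameter to the
# service URL the ticket will be sent to.
#
# Parameters:
#   $self        - the plugin object
#   $req         - the portal request
#   $cas_request - hash ref of the CAS request parameters; its 'service'
#                  entry is rewritten in place
#   $app         - configuration key of the CAS application
#   $Sinfos      - hash ref of the internal CAS session keys
# Returns PE_OK.
sub changeRedirectUrl {
    my ( $self, $req, $cas_request, $app, $Sinfos ) = @_;

    my $service = $cas_request->{service} // '';

    # Use '&' when the service URL already carries a query string; a
    # second '?' would produce a malformed URL.
    my $separator = ( $service =~ /\?/ ) ? '&' : '?';

    # Only a fixed value is appended. Building the new URL from
    # client-supplied parameters would let a client choose where the
    # ticket is delivered.
    $cas_request->{service} = "${service}${separator}hooked=1";

    return PE_OK;
}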
casGenerateValidateResponse
~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. versionadded:: 2.0.12
This hook is triggered when LemonLDAP::NG is about to send a CAS response to an application on the `/cas/serviceValidate` endpoint.
The hook's parameters are:
* The username (CAS principal)
* A hash of modifiable attributes to be sent
Sample code::
use constant hook => {
    casGenerateValidateResponse => 'addAttributes',
};

# casGenerateValidateResponse handler: add one attribute to the CAS
# validation response.
#
# Parameters:
#   $self       - the plugin object
#   $req        - the portal request
#   $username   - the CAS principal
#   $attributes - hash ref of the attributes to be sent (modified in place)
# Returns PE_OK.
sub addAttributes {
    my $self = shift;
    my ( $req, $username, $attributes ) = @_;

    $attributes->{hooked} = 1;

    return PE_OK;
}
Password change hooks
---------------------
passwordBeforeChange
~~~~~~~~~~~~~~~~~~~~
.. versionadded:: 2.0.12
This hook is triggered when LemonLDAP::NG is about to change or reset a user's password. Returning an error cancels the password change operation.
The hook's parameters are:
* The main user identifier
* The new password
* The old password, if relevant
Sample code::
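use constant hook => {
    passwordBeforeChange => 'blacklistPassword',
};

# passwordBeforeChange handler: refuse a set of passwords that are never
# acceptable, regardless of the configured password policy.
#
# Parameters:
#   $self     - the plugin object
#   $req      - the portal request
#   $user     - the main user identifier
#   $password - the new password
#   $old      - the old password, if relevant
# Returns PE_PP_INSUFFICIENT_PASSWORD_QUALITY when the new password is
# blacklisted (which cancels the change), PE_OK otherwise.
sub blacklistPassword {
    my ( $self, $req, $user, $password, $old ) = @_;

    # Hash lookup so that more entries can be added without a chain of
    # comparisons.
    my %blacklisted = map { $_ => 1 } ('12345');

    if ( $blacklisted{ $password // '' } ) {
        # Log the refusal only; the candidate password itself is never
        # written to the log.
        $self->logger->error("I've got the same combination on my luggage");
        return PE_PP_INSUFFICIENT_PASSWORD_QUALITY;
    }

    return PE_OK;
}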
passwordAfterChange
~~~~~~~~~~~~~~~~~~~
.. versionadded:: 2.0.12
This hook is triggered after LemonLDAP::NG has successfully changed the user's password in the underlying password database.
The hook's parameters are:
* The main user identifier
* The new password
* The old password, if relevant
Sample code::
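use constant hook => {
    passwordAfterChange => 'logPasswordChange',
};

# passwordAfterChange handler: record that a user's password was changed.
#
# Parameters:
#   $self     - the plugin object
#   $req      - the portal request
#   $user     - the main user identifier
#   $password - the new password (received but deliberately not logged)
#   $old      - the old password, if relevant (idem)
# Returns PE_OK.
sub logPasswordChange {
    my ( $self, $req, $user, $password, $old ) = @_;

    # Log the event only. The old and new passwords are available here but
    # must not be written to the log: log files are typically readable by
    # more people, and retained longer, than the password store.
    $self->userLogger->info("Password changed for $user");

    return PE_OK;
}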