Parameter to allow dynamic client registration (#184)

2015-05-29 10:07:54 +00:00 · 2015-05-29 10:07:54 +00:00 · 121e578b7e
commit 121e578b7e
parent b66a90e197
4 changed files with 22 additions and 5 deletions
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
@ -1967,8 +1967,13 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
            },
            documentation => 'OpenID Connect Authentication Context Class Ref',
        },
-        oidcServicePrivateKeySig => { type => 'RSAPrivateKey', },
-        oidcServicePublicKeySig  => { type => 'RSAPublicKey', },
+        oidcServicePrivateKeySig            => { type => 'RSAPrivateKey', },
+        oidcServicePublicKeySig             => { type => 'RSAPublicKey', },
+        oidcServiceAllowDynamicRegistration => {
+            type          => 'bool',
+            default       => '0',
+            documentation => 'OpenID Connect allow dynamic client registration',
+        },

        # OpenID-Connect metadata nodes
        oidcOPMetaDataNodes =>
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Tree.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Tree.pm
@ -823,8 +823,11 @@ sub tree {
                {
                    title => 'oidcServiceMetaDataSecurity',
                    form  => 'RSAKeyNoPassword',
-                    group =>
-                      [ 'oidcServicePrivateKeySig', 'oidcServicePublicKeySig' ]
+                    group => [
+                        'oidcServicePrivateKeySig',
+                        'oidcServicePublicKeySig',
+                        'oidcServiceAllowDynamicRegistration'
+                    ]
                },
            ]
        },
--- a/lemonldap-ng-portal/example/openid-configuration.pl
+++ b/lemonldap-ng-portal/example/openid-configuration.pl
@ -27,7 +27,8 @@ $configuration->{token_endpoint}    = $issuer . $path . "/" . $token_uri;
 $configuration->{userinfo_endpoint} = $issuer . $path . "/" . $userinfo_uri;
 $configuration->{jwks_uri}          = $issuer . $path . "/" . $jwks_uri;
 $configuration->{registration_endpoint} =
-  $issuer . $path . "/" . $registration_uri;
+  $issuer . $path . "/" . $registration_uri
+  if ( $portal->{oidcServiceAllowDynamicRegistration} );
 $configuration->{end_session_endpoint} =
  $issuer . $path . "/" . $endsession_uri;
 $configuration->{scopes_supported} = [qw/openid profile email address phone/];
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
@ -413,6 +413,14 @@ sub issuerForUnAuthUser {
        $self->lmLog( "OpenID Connect Registration request from $source_ip",
            'warn' );

+        # Check dynamic registration is allowed
+        unless ( $self->{oidcServiceAllowDynamicRegistration} ) {
+            $self->lmLog( "Dynamic registration is not allowed", 'error' );
+            $self->returnJSONError( 'server_error',
+                'Dynamic registration is not allowed' );
+            $self->quit;
+        }
+
        # Get client metadata
        my $client_metadata_json = $self->param('POSTDATA');