Add missing access token expiration check in OAuth2 handler (#2549)

Maxime Besson 2021-06-18 19:28:22 +02:00
parent ca6d35bea0
commit 23a8a10096


@ -18,7 +18,8 @@ sub retrieveSession {
# Update cache
$class->data($data);
} else {
}
else {
$req->data->{oauth2_error} = 'invalid_token';
}
return $data;
@ -93,6 +94,10 @@ sub fetchId {
return;
}
my $infos = $class->getOIDCInfos($access_token_sid);
unless ($infos) {
$req->data->{oauth2_error} = 'invalid_token';
return;
}
# Store scope and rpid for future session attributes
if ( $infos->{rp} ) {
@ -147,6 +152,20 @@ sub getOIDCInfos {
unless ( $oidcSession->error ) {
$class->logger->debug("Get OIDC session $id");
# Verify that session is valid
unless ( $oidcSession->data->{_utime} ) {
$class->logger->error("_utime missing from Access Token session");
return;
}
my $ttl = $class->tsv->{timeout} - time + $oidcSession->data->{_utime};
$class->logger->debug( "Session TTL = " . $ttl );
if ( time - $oidcSession->data->{_utime} > $class->tsv->{timeout} ) {
$class->logger->info("Access Token session $id expired");
return;
}
$infos = { %{ $oidcSession->data } };
}
else {