Obtain user consent for OpenID Connect requested scope (#184)
This commit is contained in:
Clément Oudot
parent
3c3cc39d0c
commit
31e0a1cfb5
|
|
@ -325,12 +325,16 @@ sub cstruct {
|
|||
},
|
||||
oidcRPMetaDataOptions => {
|
||||
_nodes => [
|
||||
qw(oidcRPMetaDataOptionsClientID oidcRPMetaDataOptionsClientSecret)
|
||||
qw(oidcRPMetaDataOptionsClientID oidcRPMetaDataOptionsClientSecret oidcRPMetaDataOptionsDisplayName oidcRPMetaDataOptionsIcon)
|
||||
],
|
||||
oidcRPMetaDataOptionsClientID =>
|
||||
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsClientID",
|
||||
oidcRPMetaDataOptionsClientSecret =>
|
||||
"password:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsClientSecret",
|
||||
oidcRPMetaDataOptionsDisplayName =>
|
||||
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsDisplayName",
|
||||
oidcRPMetaDataOptionsIcon =>
|
||||
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsIcon",
|
||||
},
|
||||
},
|
||||
},
|
||||
|
|
|
|||
|
|
@ -291,6 +291,8 @@ sub en {
|
|||
oidcRPMetaDataOptions => 'Options',
|
||||
oidcRPMetaDataOptionsClientID => 'Client ID',
|
||||
oidcRPMetaDataOptionsClientSecret => 'Client secret',
|
||||
oidcRPMetaDataOptionsDisplayName => 'Display name',
|
||||
oidcRPMetaDataOptionsIcon => 'Logo',
|
||||
oidcRPStateTimeout => 'State session timeout',
|
||||
oidcServiceMetaData => 'OpenID Connect Service',
|
||||
oidcServiceMetaDataAuthorizeURI => 'Autorization',
|
||||
|
|
@ -840,6 +842,8 @@ sub fr {
|
|||
oidcRPMetaDataOptions => 'Options',
|
||||
oidcRPMetaDataOptionsClientID => 'Identifiant',
|
||||
oidcRPMetaDataOptionsClientSecret => 'Mot de passe',
|
||||
oidcRPMetaDataOptionsDisplayName => 'Nom d\'affichage',
|
||||
oidcRPMetaDataOptionsIcon => 'Logo',
|
||||
oidcRPStateTimeout => 'Durée d\'une session state',
|
||||
oidcServiceMetaData => "Service OpenID Connect",
|
||||
oidcServiceMetaDataAuthorizeURI => "Autorisation",
|
||||
|
|
|
|||
|
|
@ -208,7 +208,7 @@ sub issuerForAuthUser {
|
|||
$self->lmLog( "URL $url detected as an OpenID Connect AUTHORIZE URL",
|
||||
'debug' );
|
||||
|
||||
# Get parameters
|
||||
# Get and save parameters
|
||||
my $oidc_request = {};
|
||||
foreach my $param (qw/response_type scope client_id state redirect_uri/)
|
||||
{
|
||||
|
|
@ -217,6 +217,7 @@ sub issuerForAuthUser {
|
|||
$self->lmLog(
|
||||
"OIDC request parameter $param: " . $oidc_request->{$param},
|
||||
'debug' );
|
||||
$self->setHiddenFormValue( $param, $oidc_request->{$param} );
|
||||
}
|
||||
|
||||
# TODO check all required parameters
|
||||
|
|
@ -259,7 +260,52 @@ sub issuerForAuthUser {
|
|||
);
|
||||
}
|
||||
|
||||
# TODO obtain consent
|
||||
# Obtain consent
|
||||
if ( $self->{sessionInfo}->{"_oidc_consent_$rp"} ) {
|
||||
$self->lmLog( "Consent already given for Relaying Party $rp",
|
||||
'debug' );
|
||||
}
|
||||
else {
|
||||
if ( $self->param('confirm') == 1 ) {
|
||||
$self->updatePersistentSession(
|
||||
{ "_oidc_consent_$rp" => time } );
|
||||
$self->lmLog( "Consent given for Relaying Party $rp",
|
||||
'debug' );
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Obtain user consent for Relaying Party $rp",
|
||||
'debug' );
|
||||
|
||||
my $display_name = $self->{oidcRPMetaDataOptions}->{$rp}
|
||||
->{oidcRPMetaDataOptionsDisplayName};
|
||||
my $icon = $self->{oidcRPMetaDataOptions}->{$rp}
|
||||
->{oidcRPMetaDataOptionsIcon};
|
||||
my $portalPath = $self->{portal};
|
||||
$portalPath =~ s#^https?://[^/]+/?#/#;
|
||||
$portalPath =~ s#[^/]+\.pl$##;
|
||||
|
||||
$self->info('<div class="oidc_consent_message">');
|
||||
$self->info( '<img src="'
|
||||
. $portalPath
|
||||
. "skins/common/"
|
||||
. $icon
|
||||
. '" />' )
|
||||
if $icon;
|
||||
$self->info( '<h3>'
|
||||
. sprintf( $self->msg(PM_OIDC_CONSENT),
|
||||
$display_name )
|
||||
. '</h3>' );
|
||||
$self->info('<ul>');
|
||||
|
||||
foreach ( split( /\s/, $oidc_request->{'scope'} ) ) {
|
||||
$self->info("<li>$_</li>");
|
||||
}
|
||||
$self->info('</ul>');
|
||||
$self->info('</div>');
|
||||
$self->{activeTimer} = 0;
|
||||
return PE_CONFIRM;
|
||||
}
|
||||
}
|
||||
|
||||
# Prepare response
|
||||
my $response_url = $oidc_request->{'redirect_uri'};
|
||||
|
|
|
|||
|
|
@ -184,6 +184,7 @@ use constant {
|
|||
PM_ERROR_MSG => 21,
|
||||
PM_LAST_LOGINS => 22,
|
||||
PM_LAST_FAILED_LOGINS => 23,
|
||||
PM_OIDC_CONSENT => 24,
|
||||
};
|
||||
|
||||
# EXPORTER PARAMETERS
|
||||
|
|
@ -213,7 +214,7 @@ our @EXPORT = qw( PE_IMG_NOK PE_IMG_OK PE_INFO PE_REDIRECT PE_DONE PE_OK
|
|||
PM_SAML_IDPSELECT PM_SAML_IDPCHOOSEN PM_REMEMBERCHOICE PM_SAML_SPLOGOUT
|
||||
PM_REDIRECTION PM_BACKTOSP PM_BACKTOCASURL PM_LOGOUT PM_OPENID_EXCHANGE
|
||||
PM_CDC_WRITER PM_OPENID_RPNS PM_OPENID_PA PM_OPENID_AP PM_ERROR_MSG
|
||||
PM_LAST_LOGINS PM_LAST_FAILED_LOGINS
|
||||
PM_LAST_LOGINS PM_LAST_FAILED_LOGINS PM_OIDC_CONSENT
|
||||
);
|
||||
our %EXPORT_TAGS = ( 'all' => [ @EXPORT, 'import' ], );
|
||||
|
||||
|
|
|
|||
|
|
@ -426,6 +426,7 @@ sub error_ro {
|
|||
# * PM_ERROR_MSG 21
|
||||
# * PM_LAST_LOGINS 22
|
||||
# * PM_LAST_FAILED_LOGINS 23
|
||||
# * PM_OIDC_CONSENT 24
|
||||
|
||||
sub msg_en {
|
||||
use utf8;
|
||||
|
|
@ -454,6 +455,7 @@ sub msg_en {
|
|||
'Error Message',
|
||||
'Your last logins',
|
||||
'Your last failed logins',
|
||||
'Application %s would like to know:',
|
||||
];
|
||||
}
|
||||
|
||||
|
|
@ -484,6 +486,7 @@ sub msg_fr {
|
|||
'Message d\'erreur',
|
||||
'Vos dernières connexions',
|
||||
'Vos dernières connexions refusées',
|
||||
'L\'application %s voudrait connaître :',
|
||||
];
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user