Skeleton to manage different OIDC response types (#184)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm

@@ -288,7 +288,8 @@ sub issuerForAuthUser {
 
         # Get and save parameters
         my $oidc_request = {};
-        foreach my $param (qw/response_type scope client_id state redirect_uri/)
+        foreach
+          my $param (qw/response_type scope client_id state redirect_uri nonce/)
         {
             $oidc_request->{$param} = $self->getHiddenFormValue($param)
               || $self->param($param);
@@ -298,12 +299,33 @@ sub issuerForAuthUser {
             $self->setHiddenFormValue( $param, $oidc_request->{$param} );
         }
 
-        # TODO check all required parameters
-        # TODO validate parameters against OAuth 2.0 spec
+        # Detect requested flow
+        my $response_type = $oidc_request->{'response_type'};
 
-        # Authorization Code Flow
-        if ( $oidc_request->{'response_type'} eq "code" ) {
-            $self->lmLog( "OIDC auhtorization code flow requested", 'debug' );
+        my $response_types = {
+            "code"                => "authorizationcode",
+            "id_token"            => "implicit",
+            "id_token token"      => "implicit",
+            "code id_token"       => "hybrid",
+            "code token"          => "hybrid",
+            "code id_token token" => "hybrid",
+        };
+
+        my $flow = $response_types->{$response_type};
+
+        unless ($flow) {
+            $self->lmLog( "Unknown response type: $response_type", 'error' );
+            return PE_ERROR;
+        }
+        $self->lmLog(
+            "OIDC $flow flow requested (response type: $response_type)",
+            'debug' );
+
+        # TODO check all required parameters
+        if ( $flow eq "implicit" and not defined $oidc_request->{'nonce'} ) {
+            $self->lmLog( "Nonce is required for implicit flow", 'error' );
+            return PE_ERROR;
+        }
 
         # Check openid scope
         unless ( $oidc_request->{'scope'} =~ /\bopenid\b/ ) {
@@ -314,8 +336,7 @@ sub issuerForAuthUser {
         }
 
         # Check client_id
-            $self->lmLog(
-                "Request from client id " . $oidc_request->{'client_id'},
+        $self->lmLog( "Request from client id " . $oidc_request->{'client_id'},
             'debug' );
 
         # Verify that client_id is registered in configuration
@@ -331,11 +352,8 @@ sub issuerForAuthUser {
         }
         else {
             $self->lmLog(
-                    "Client id "
-                      . $oidc_request->{'client_id'}
-                      . " match RP $rp",
-                    'debug'
-                );
+                "Client id " . $oidc_request->{'client_id'} . " match RP $rp",
+                'debug' );
         }
 
         # Obtain consent
@@ -344,8 +362,7 @@ sub issuerForAuthUser {
             and $self->{sessionInfo}->{"_oidc_consent_scope_$rp"} )
         {
             $ask_for_consent = 0;
-                my $consent_time =
-                  $self->{sessionInfo}->{"_oidc_consent_time_$rp"};
+            my $consent_time = $self->{sessionInfo}->{"_oidc_consent_time_$rp"};
             my $consent_scope =
               $self->{sessionInfo}->{"_oidc_consent_scope_$rp"};
 
@@ -355,8 +372,8 @@ sub issuerForAuthUser {
             );
 
             # Check accepted scope
-                foreach my $requested_scope (
-                    split( /\s+/, $oidc_request->{'scope'} ) )
+            foreach
+              my $requested_scope ( split( /\s+/, $oidc_request->{'scope'} ) )
             {
                 if ( $consent_scope =~ /\b$requested_scope\b/ ) {
                     $self->lmLog( "Scope $requested_scope already accepted",
@@ -365,8 +382,7 @@ sub issuerForAuthUser {
                 else {
                     $self->lmLog(
                         "Scope $requested_scope was not previously accepted",
-                            'debug'
-                        );
+                        'debug' );
                     $ask_for_consent = 1;
                     last;
                 }
@@ -378,12 +394,10 @@ sub issuerForAuthUser {
                     { "_oidc_consent_time_$rp" => time } );
                 $self->updatePersistentSession(
                     {
-                            "_oidc_consent_scope_$rp" =>
-                              $oidc_request->{'scope'}
+                        "_oidc_consent_scope_$rp" => $oidc_request->{'scope'}
                     }
                 );
-                    $self->lmLog( "Consent given for Relying Party $rp",
-                        'debug' );
+                $self->lmLog( "Consent given for Relying Party $rp", 'debug' );
             }
             else {
                 $self->lmLog( "Obtain user consent for Relying Party $rp",
@@ -405,8 +419,7 @@ sub issuerForAuthUser {
                       . '" />' )
                   if $icon;
                 $self->info( '<h3>'
-                          . sprintf( $self->msg(PM_OIDC_CONSENT),
-                            $display_name )
+                      . sprintf( $self->msg(PM_OIDC_CONSENT), $display_name )
                       . '</h3>' );
                 $self->info('<ul>');
 
@@ -438,6 +451,9 @@ sub issuerForAuthUser {
             }
         }
 
+        # Authorization Code Flow
+        if ( $flow eq "authorizationcode" ) {
+
             # Generate code
             my $codeSession = $self->getOpenIDConnectSession();
             my $code        = $codeSession->id();
@@ -465,6 +481,25 @@ sub issuerForAuthUser {
 
             $self->_sub('autoRedirect');
         }
+
+        # Implicit Flow
+        if ( $flow eq "implicit" ) {
+
+            #TODO
+
+            return PE_ERROR;
+        }
+
+        # Hybrid Flow
+        if ( $flow eq "hybrid" ) {
+
+            #TODO
+
+            return PE_ERROR;
+        }
+
+        $self->lmLog( "No flow has been selected", 'debug' );
+        return PE_OK;
     }
 
     # TOKEN