Skeleton to manage different OIDC response types (#184)
This commit is contained in:
parent
d3d282e7ba
commit
33bc52b619
@ -288,7 +288,8 @@ sub issuerForAuthUser {
|
||||
|
||||
# Get and save parameters
|
||||
my $oidc_request = {};
|
||||
foreach my $param (qw/response_type scope client_id state redirect_uri/)
|
||||
foreach
|
||||
my $param (qw/response_type scope client_id state redirect_uri nonce/)
|
||||
{
|
||||
$oidc_request->{$param} = $self->getHiddenFormValue($param)
|
||||
|| $self->param($param);
|
||||
@ -298,12 +299,33 @@ sub issuerForAuthUser {
|
||||
$self->setHiddenFormValue( $param, $oidc_request->{$param} );
|
||||
}
|
||||
|
||||
# TODO check all required parameters
|
||||
# TODO validate parameters against OAuth 2.0 spec
|
||||
# Detect requested flow
|
||||
my $response_type = $oidc_request->{'response_type'};
|
||||
|
||||
# Authorization Code Flow
|
||||
if ( $oidc_request->{'response_type'} eq "code" ) {
|
||||
$self->lmLog( "OIDC auhtorization code flow requested", 'debug' );
|
||||
my $response_types = {
|
||||
"code" => "authorizationcode",
|
||||
"id_token" => "implicit",
|
||||
"id_token token" => "implicit",
|
||||
"code id_token" => "hybrid",
|
||||
"code token" => "hybrid",
|
||||
"code id_token token" => "hybrid",
|
||||
};
|
||||
|
||||
my $flow = $response_types->{$response_type};
|
||||
|
||||
unless ($flow) {
|
||||
$self->lmLog( "Unknown response type: $response_type", 'error' );
|
||||
return PE_ERROR;
|
||||
}
|
||||
$self->lmLog(
|
||||
"OIDC $flow flow requested (response type: $response_type)",
|
||||
'debug' );
|
||||
|
||||
# TODO check all required parameters
|
||||
if ( $flow eq "implicit" and not defined $oidc_request->{'nonce'} ) {
|
||||
$self->lmLog( "Nonce is required for implicit flow", 'error' );
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
# Check openid scope
|
||||
unless ( $oidc_request->{'scope'} =~ /\bopenid\b/ ) {
|
||||
@ -314,8 +336,7 @@ sub issuerForAuthUser {
|
||||
}
|
||||
|
||||
# Check client_id
|
||||
$self->lmLog(
|
||||
"Request from client id " . $oidc_request->{'client_id'},
|
||||
$self->lmLog( "Request from client id " . $oidc_request->{'client_id'},
|
||||
'debug' );
|
||||
|
||||
# Verify that client_id is registered in configuration
|
||||
@ -331,11 +352,8 @@ sub issuerForAuthUser {
|
||||
}
|
||||
else {
|
||||
$self->lmLog(
|
||||
"Client id "
|
||||
. $oidc_request->{'client_id'}
|
||||
. " match RP $rp",
|
||||
'debug'
|
||||
);
|
||||
"Client id " . $oidc_request->{'client_id'} . " match RP $rp",
|
||||
'debug' );
|
||||
}
|
||||
|
||||
# Obtain consent
|
||||
@ -344,8 +362,7 @@ sub issuerForAuthUser {
|
||||
and $self->{sessionInfo}->{"_oidc_consent_scope_$rp"} )
|
||||
{
|
||||
$ask_for_consent = 0;
|
||||
my $consent_time =
|
||||
$self->{sessionInfo}->{"_oidc_consent_time_$rp"};
|
||||
my $consent_time = $self->{sessionInfo}->{"_oidc_consent_time_$rp"};
|
||||
my $consent_scope =
|
||||
$self->{sessionInfo}->{"_oidc_consent_scope_$rp"};
|
||||
|
||||
@ -355,8 +372,8 @@ sub issuerForAuthUser {
|
||||
);
|
||||
|
||||
# Check accepted scope
|
||||
foreach my $requested_scope (
|
||||
split( /\s+/, $oidc_request->{'scope'} ) )
|
||||
foreach
|
||||
my $requested_scope ( split( /\s+/, $oidc_request->{'scope'} ) )
|
||||
{
|
||||
if ( $consent_scope =~ /\b$requested_scope\b/ ) {
|
||||
$self->lmLog( "Scope $requested_scope already accepted",
|
||||
@ -364,9 +381,8 @@ sub issuerForAuthUser {
|
||||
}
|
||||
else {
|
||||
$self->lmLog(
|
||||
"Scope $requested_scope was not previously accepted",
|
||||
'debug'
|
||||
);
|
||||
"Scope $requested_scope was not previously accepted",
|
||||
'debug' );
|
||||
$ask_for_consent = 1;
|
||||
last;
|
||||
}
|
||||
@ -378,12 +394,10 @@ sub issuerForAuthUser {
|
||||
{ "_oidc_consent_time_$rp" => time } );
|
||||
$self->updatePersistentSession(
|
||||
{
|
||||
"_oidc_consent_scope_$rp" =>
|
||||
$oidc_request->{'scope'}
|
||||
"_oidc_consent_scope_$rp" => $oidc_request->{'scope'}
|
||||
}
|
||||
);
|
||||
$self->lmLog( "Consent given for Relying Party $rp",
|
||||
'debug' );
|
||||
$self->lmLog( "Consent given for Relying Party $rp", 'debug' );
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Obtain user consent for Relying Party $rp",
|
||||
@ -405,8 +419,7 @@ sub issuerForAuthUser {
|
||||
. '" />' )
|
||||
if $icon;
|
||||
$self->info( '<h3>'
|
||||
. sprintf( $self->msg(PM_OIDC_CONSENT),
|
||||
$display_name )
|
||||
. sprintf( $self->msg(PM_OIDC_CONSENT), $display_name )
|
||||
. '</h3>' );
|
||||
$self->info('<ul>');
|
||||
|
||||
@ -438,6 +451,9 @@ sub issuerForAuthUser {
|
||||
}
|
||||
}
|
||||
|
||||
# Authorization Code Flow
|
||||
if ( $flow eq "authorizationcode" ) {
|
||||
|
||||
# Generate code
|
||||
my $codeSession = $self->getOpenIDConnectSession();
|
||||
my $code = $codeSession->id();
|
||||
@ -465,6 +481,25 @@ sub issuerForAuthUser {
|
||||
|
||||
$self->_sub('autoRedirect');
|
||||
}
|
||||
|
||||
# Implicit Flow
|
||||
if ( $flow eq "implicit" ) {
|
||||
|
||||
#TODO
|
||||
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
# Hybrid Flow
|
||||
if ( $flow eq "hybrid" ) {
|
||||
|
||||
#TODO
|
||||
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
$self->lmLog( "No flow has been selected", 'debug' );
|
||||
return PE_OK;
|
||||
}
|
||||
|
||||
# TOKEN
|
||||
|
Loading…
Reference in New Issue
Block a user