Use distinct error codes in Auth::OIDC (#2558)

This commit is contained in:
Maxime Besson 2021-07-27 09:02:19 +02:00
parent d8eb44a5ab
commit 35b3cb8c28


@ -6,7 +6,7 @@ use MIME::Base64 qw/encode_base64 decode_base64/;
use Lemonldap::NG::Common::JWT qw(getJWTPayload);
use Lemonldap::NG::Portal::Main::Constants qw(
PE_OK
PE_ERROR
PE_OIDC_AUTH_ERROR
PE_IDPCHOICE
);
@ -110,7 +110,7 @@ sub extractFormInfo {
}
else {
$self->userLogger->error("Unable to extract state $state");
return PE_ERROR;
return PE_OIDC_AUTH_ERROR;
}
}
@ -119,7 +119,7 @@ sub extractFormInfo {
unless ($op) {
$self->userLogger->error("OpenID Provider not found");
return PE_ERROR;
return PE_OIDC_AUTH_ERROR;
}
$self->logger->debug("Using OpenID Provider $op");
@ -135,7 +135,7 @@ sub extractFormInfo {
if $error_description;
$self->logger->error("Error URI: $error_uri") if $error_uri;
return PE_ERROR;
return PE_OIDC_AUTH_ERROR;
}
# Get access_token and id_token
@ -148,19 +148,19 @@ sub extractFormInfo {
my $content =
$self->getAuthorizationCodeAccessToken( $req, $op, $code,
$auth_method );
return PE_ERROR unless $content;
return PE_OIDC_AUTH_ERROR unless $content;
my $token_response = $self->decodeTokenResponse($content);
unless ($token_response) {
$self->logger->error("Could not decode Token Response: $content");
return PE_ERROR;
return PE_OIDC_AUTH_ERROR;
}
# Check validity of token response
unless ( $self->checkTokenResponseValidity($token_response) ) {
$self->logger->error("Token response is not valid");
return PE_ERROR;
return PE_OIDC_AUTH_ERROR;
}
else {
$self->logger->debug("Token response is valid");
@ -178,7 +178,7 @@ sub extractFormInfo {
{
unless ( $self->verifyJWTSignature( $id_token, $op ) ) {
$self->logger->error("JWT signature verification failed");
return PE_ERROR;
return PE_OIDC_AUTH_ERROR;
}
$self->logger->debug("JWT signature verified");
}
@ -190,7 +190,7 @@ sub extractFormInfo {
unless ( defined $id_token_payload_hash ) {
$self->logger->error(
"Could not decode incoming ID token: $id_token");
return PE_ERROR;
return PE_OIDC_AUTH_ERROR;
}
# Check validity of Access Token (optional)
@ -199,7 +199,7 @@ sub extractFormInfo {
unless ( $self->verifyHash( $access_token, $at_hash, $id_token ) ) {
$self->userLogger->error(
"Access token hash verification failed");
return PE_ERROR;
return PE_OIDC_AUTH_ERROR;
}
$self->logger->debug("Access token hash verified");
}
@ -211,7 +211,7 @@ sub extractFormInfo {
# Check validity of ID Token
unless ( $self->checkIDTokenValidity( $op, $id_token_payload_hash ) ) {
$self->userLogger->error('ID Token not valid');
return PE_ERROR;
return PE_OIDC_AUTH_ERROR;
}
else {
$self->logger->debug('ID Token is valid');
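Review bot: The failure branches that now return PE_OIDC_AUTH_ERROR are still recorded on two different loggers: the token-response check (`Token response is not valid`) and the signature check (`JWT signature verification failed`) go to `$self->logger->error`, while the state-extraction, access-token-hash and ID Token validity failures in the neighbouring hunks go to `$self->userLogger->error`. A rejected token response or an ID token that fails signature verification is a failed authentication just like the others, so I would change those two lines to `$self->userLogger->error("Token response is not valid");` and `$self->userLogger->error("JWT signature verification failed");` so that every failed OIDC login lands in the same audit stream that detection rules watch. Whether checkTokenResponseValidity and verifyJWTSignature already log through userLogger themselves is not visible from these hunks. Likewise, the first hunk does not show whether PE_ERROR stays in the import list; if it was dropped, any remaining PE_ERROR use elsewhere in the file would no longer resolve. extractFormInfo begins before the second hunk and its body continues outside these hunks.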