Use distinct error codes in Auth::OIDC (#2558)
This commit is contained in:
parent
d8eb44a5ab
commit
35b3cb8c28
|
@ -6,7 +6,7 @@ use MIME::Base64 qw/encode_base64 decode_base64/;
|
||||||
use Lemonldap::NG::Common::JWT qw(getJWTPayload);
|
use Lemonldap::NG::Common::JWT qw(getJWTPayload);
|
||||||
use Lemonldap::NG::Portal::Main::Constants qw(
|
use Lemonldap::NG::Portal::Main::Constants qw(
|
||||||
PE_OK
|
PE_OK
|
||||||
PE_ERROR
|
PE_OIDC_AUTH_ERROR
|
||||||
PE_IDPCHOICE
|
PE_IDPCHOICE
|
||||||
);
|
);
|
||||||
|
|
||||||
|
@ -110,7 +110,7 @@ sub extractFormInfo {
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$self->userLogger->error("Unable to extract state $state");
|
$self->userLogger->error("Unable to extract state $state");
|
||||||
return PE_ERROR;
|
return PE_OIDC_AUTH_ERROR;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -119,7 +119,7 @@ sub extractFormInfo {
|
||||||
|
|
||||||
unless ($op) {
|
unless ($op) {
|
||||||
$self->userLogger->error("OpenID Provider not found");
|
$self->userLogger->error("OpenID Provider not found");
|
||||||
return PE_ERROR;
|
return PE_OIDC_AUTH_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
$self->logger->debug("Using OpenID Provider $op");
|
$self->logger->debug("Using OpenID Provider $op");
|
||||||
|
@ -135,7 +135,7 @@ sub extractFormInfo {
|
||||||
if $error_description;
|
if $error_description;
|
||||||
$self->logger->error("Error URI: $error_uri") if $error_uri;
|
$self->logger->error("Error URI: $error_uri") if $error_uri;
|
||||||
|
|
||||||
return PE_ERROR;
|
return PE_OIDC_AUTH_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Get access_token and id_token
|
# Get access_token and id_token
|
||||||
|
@ -148,19 +148,19 @@ sub extractFormInfo {
|
||||||
my $content =
|
my $content =
|
||||||
$self->getAuthorizationCodeAccessToken( $req, $op, $code,
|
$self->getAuthorizationCodeAccessToken( $req, $op, $code,
|
||||||
$auth_method );
|
$auth_method );
|
||||||
return PE_ERROR unless $content;
|
return PE_OIDC_AUTH_ERROR unless $content;
|
||||||
|
|
||||||
my $token_response = $self->decodeTokenResponse($content);
|
my $token_response = $self->decodeTokenResponse($content);
|
||||||
|
|
||||||
unless ($token_response) {
|
unless ($token_response) {
|
||||||
$self->logger->error("Could not decode Token Response: $content");
|
$self->logger->error("Could not decode Token Response: $content");
|
||||||
return PE_ERROR;
|
return PE_OIDC_AUTH_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Check validity of token response
|
# Check validity of token response
|
||||||
unless ( $self->checkTokenResponseValidity($token_response) ) {
|
unless ( $self->checkTokenResponseValidity($token_response) ) {
|
||||||
$self->logger->error("Token response is not valid");
|
$self->logger->error("Token response is not valid");
|
||||||
return PE_ERROR;
|
return PE_OIDC_AUTH_ERROR;
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$self->logger->debug("Token response is valid");
|
$self->logger->debug("Token response is valid");
|
||||||
|
@ -178,7 +178,7 @@ sub extractFormInfo {
|
||||||
{
|
{
|
||||||
unless ( $self->verifyJWTSignature( $id_token, $op ) ) {
|
unless ( $self->verifyJWTSignature( $id_token, $op ) ) {
|
||||||
$self->logger->error("JWT signature verification failed");
|
$self->logger->error("JWT signature verification failed");
|
||||||
return PE_ERROR;
|
return PE_OIDC_AUTH_ERROR;
|
||||||
}
|
}
|
||||||
$self->logger->debug("JWT signature verified");
|
$self->logger->debug("JWT signature verified");
|
||||||
}
|
}
|
||||||
|
@ -190,7 +190,7 @@ sub extractFormInfo {
|
||||||
unless ( defined $id_token_payload_hash ) {
|
unless ( defined $id_token_payload_hash ) {
|
||||||
$self->logger->error(
|
$self->logger->error(
|
||||||
"Could not decode incoming ID token: $id_token");
|
"Could not decode incoming ID token: $id_token");
|
||||||
return PE_ERROR;
|
return PE_OIDC_AUTH_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Check validity of Access Token (optional)
|
# Check validity of Access Token (optional)
|
||||||
|
@ -199,7 +199,7 @@ sub extractFormInfo {
|
||||||
unless ( $self->verifyHash( $access_token, $at_hash, $id_token ) ) {
|
unless ( $self->verifyHash( $access_token, $at_hash, $id_token ) ) {
|
||||||
$self->userLogger->error(
|
$self->userLogger->error(
|
||||||
"Access token hash verification failed");
|
"Access token hash verification failed");
|
||||||
return PE_ERROR;
|
return PE_OIDC_AUTH_ERROR;
|
||||||
}
|
}
|
||||||
$self->logger->debug("Access token hash verified");
|
$self->logger->debug("Access token hash verified");
|
||||||
}
|
}
|
||||||
|
@ -211,7 +211,7 @@ sub extractFormInfo {
|
||||||
# Check validity of ID Token
|
# Check validity of ID Token
|
||||||
unless ( $self->checkIDTokenValidity( $op, $id_token_payload_hash ) ) {
|
unless ( $self->checkIDTokenValidity( $op, $id_token_payload_hash ) ) {
|
||||||
$self->userLogger->error('ID Token not valid');
|
$self->userLogger->error('ID Token not valid');
|
||||||
return PE_ERROR;
|
return PE_OIDC_AUTH_ERROR;
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$self->logger->debug('ID Token is valid');
|
$self->logger->debug('ID Token is valid');
|
||||||
|
|
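Review bot: The error paths that now return PE_OIDC_AUTH_ERROR still write the raw token endpoint response and the raw ID token into the log at error level (`"Could not decode Token Response: $content"` in the hunk at -148 and `"Could not decode incoming ID token: $id_token"` in the hunk at -190); a response that fails to decode may still carry an access or refresh token, so these messages can persist bearer credentials in log files. Consider logging only the size or a truncated prefix, e.g. `$self->logger->error("Could not decode Token Response (" . length($content) . " bytes)");`, and the same for the ID token. The `$state` echoed in `"Unable to extract state $state"` in the hunk at -110 presumably comes straight from the request as well and should be bounded or sanitized before logging. extractFormInfo begins and ends outside the visible hunks.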