Check max_age request parameter for authenticated user (#184)

2015-03-25 16:11:45 +00:00 · 2015-03-25 16:11:45 +00:00 · 46e3b460c1
commit 46e3b460c1
parent e1794d1be7
1 changed files with 20 additions and 3 deletions
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
@ -423,11 +423,28 @@ sub issuerForAuthUser {
            );
        }

-        my $prompt = $oidc_request->{'prompt'};
+        # Check if user needs to be reauthenticated
+        my $reauthentication = 0;
+        my $prompt           = $oidc_request->{'prompt'};
        if ( $prompt =~ /\blogin\b/ ) {
+            $self->lmLog(
+"Reauthentication requested by Relying Party in prompt parameter",
+                'debug'
+            );
+            $reauthentication = 1;
+        }

-            $self->lmLog( "Reauthentication requested by Relying Party",
-                'debug' );
+        my $max_age         = $oidc_request->{'max_age'};
+        my $_lastAuthnUTime = $self->{sessionInfo}->{_lastAuthnUTime};
+        if ( defined $max_age && time > $_lastAuthnUTime + $max_age ) {
+            $self->lmLog(
+"Reauthentication forced cause authentication time ($_lastAuthnUTime) is too old (>$max_age s)",
+                'debug'
+            );
+            $reauthentication = 1;
+        }
+
+        if ($reauthentication) {

            # Replay authentication process
            $self->{updateSession} = 1;