Port option to store ID token in trunk (#1083)

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm

@@ -160,6 +160,7 @@ sub defaultValues {
         'oidcOPMetaDataOptionsJWKSTimeout'             => 0,
         'oidcOPMetaDataOptionsMaxAge'                  => 0,
         'oidcOPMetaDataOptionsScope'                   => 'openid profile',
+        'oidcOPMetaDataOptionsStoreIDToken'            => 0,
         'oidcOPMetaDataOptionsTokenEndpointAuthMethod' => 'client_secret_post',
         'oidcOPMetaDataOptionsUseNonce'                => 1,
         'oidcRPCallbackGetParam'     => 'openidconnectcallback',

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm

@@ -1483,6 +1483,10 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
             'default' => 'openid profile',
             'type'    => 'text'
         },
+        'oidcOPMetaDataOptionsStoreIDToken' => {
+            'default' => 0,
+            'type'    => 'bool'
+        },
         'oidcOPMetaDataOptionsTokenEndpointAuthMethod' => {
             'default' => 'client_secret_post',
             'select'  => [

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm

@@ -2376,8 +2376,9 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
           { type => 'bool', default => 1 },
         oidcOPMetaDataOptionsIDTokenMaxAge => { type => 'int',  default => 30 },
         oidcOPMetaDataOptionsUseNonce      => { type => 'bool', default => 1 },
-        oidcOPMetaDataOptionsDisplayName => { type => 'text', },
-        oidcOPMetaDataOptionsIcon        => { type => 'text', },
+        oidcOPMetaDataOptionsDisplayName  => { type => 'text', },
+        oidcOPMetaDataOptionsIcon         => { type => 'text', },
+        oidcOPMetaDataOptionsStoreIDToken => { type => 'bool', default => 0 },
 
         # OpenID Connect relying parties
         oidcRPMetaDataExportedVars => {

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/CTrees.pm

@@ -136,7 +136,8 @@ sub cTrees {
                             'oidcOPMetaDataOptionsConfigurationURI',
                             'oidcOPMetaDataOptionsJWKSTimeout',
                             'oidcOPMetaDataOptionsClientID',
-                            'oidcOPMetaDataOptionsClientSecret'
+                            'oidcOPMetaDataOptionsClientSecret',
+                            'oidcOPMetaDataOptionsStoreIDToken'
                         ]
                     },
                     {

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Constants.pm

@@ -24,7 +24,7 @@ our @sessionTypes = ( 'captcha', 'remoteGlobal', 'cas', 'global', 'localSession'
 our $doubleHashKeys = 'issuerDBGetParameters';
 our $simpleHashKeys = '(?:(?:g(?:r(?:antSessionRule|oup)|lobalStorageOption|oogleExportedVar)|l(?:o(?:calSessionStorageOption|goutService)|dapExportedVar)|ca(?:s(?:StorageOption|Attribute)|ptchaStorageOption)|(?:(?:d(?:emo|bi)|facebook|webID)E|e)xportedVar|p(?:ersistentStorageOption|ortalSkinRule)|re(?:moteGlobalStorageOption|loadUrl)|notificationStorageOption|CASproxiedService|macro)s|o(?:idcS(?:erviceMetaDataAuthnContext|torageOptions)|penIdExportedVars)|s(?:(?:amlStorageOption|laveExportedVar)s|essionDataToRemember)|a(?:uthChoiceModules|pplicationList))';
 our $specialNodeKeys = '(?:(?:saml(?:ID|S)|oidc[OR])PMetaDataNode|virtualHost)s';
-our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)|heckJWTSignature|onfigurationURI)|TokenEndpointAuthMethod|(?:JWKSTimeou|Promp)t|I(?:DTokenMaxAge|con)|U(?:iLocales|seNonce)|Display(?:Name)?|(?:MaxAg|Scop)e|AcrValues)|ExportedVars|J(?:SON|WKS))';
+our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)|heckJWTSignature|onfigurationURI)|TokenEndpointAuthMethod|(?:JWKSTimeou|Promp)t|I(?:DTokenMaxAge|con)|S(?:toreIDToken|cope)|U(?:iLocales|seNonce)|Display(?:Name)?|AcrValues|MaxAge)|ExportedVars|J(?:SON|WKS))';
 our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:I(?:DToken(?:Expiration|SignAlg)|con)|(?:RedirectUri|ExtraClaim)s|AccessTokenExpiration|Client(?:Secret|ID)|DisplayName|UserIDAttr)|ExportedVars)';
 our $samlIDPMetaDataNodeKeys = 'samlIDPMetaData(?:Options(?:A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|S(?:ignS[LS]OMessage|toreSAMLToken|[LS]OBinding)|Check(?:S[LS]OMessageSignature|Conditions)|Re(?:questedAuthnContext|solutionRule)|(?:EncryptionMod|IsPassiv)e|Force(?:Authn|UTF8)|NameIDFormat)|ExportedAttributes|XML)';
 our $samlSPMetaDataNodeKeys = 'samlSPMetaData(?:Options(?:N(?:ameID(?:SessionKey|Format)|otOnOrAfterTimeout)|S(?:essionNotOnOrAfterTimeout|ignS[LS]OMessage)|(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|En(?:ableIDPInitiatedURL|cryptionMode)|ForceUTF8)|ExportedAttributes|XML)';

lemonldap-ng-manager/site/static/js/conftree.js

@@ -80,6 +80,13 @@ function templates(tpl,key) {
                   "id" : tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsClientSecret",
                   "title" : "oidcOPMetaDataOptionsClientSecret",
                   "type" : "password"
+               },
+               {
+                  "default" : 0,
+                  "get" : tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsStoreIDToken",
+                  "id" : tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsStoreIDToken",
+                  "title" : "oidcOPMetaDataOptionsStoreIDToken",
+                  "type" : "bool"
                }
             ],
             "id" : "oidcOPMetaDataOptionsConfiguration",

lemonldap-ng-manager/site/static/languages/en.json

@@ -394,6 +394,7 @@
 "oidcOPMetaDataOptionsJWKSTimeout": "JWKS data timeout",
 "oidcOPMetaDataOptionsProtocol": "Protocol",
 "oidcOPMetaDataOptionsScope": "Scope",
+"oidcOPMetaDataOptionsStoreIDToken": "Store ID Token",
 "oidcOPMetaDataOptionsTokenEndpointAuthMethod": "Token endpoint authentication method",
 "oidcOPName": "OpenID Connect Provider Name",
 "oidcParams": "OpenID Connect parameters",

lemonldap-ng-manager/site/static/languages/fr.json

@@ -394,6 +394,7 @@
 "oidcOPMetaDataOptionsJWKSTimeout": "Durée de vie des données JWKS",
 "oidcOPMetaDataOptionsProtocol": "Protocole",
 "oidcOPMetaDataOptionsScope": "Étendue",
+"oidcOPMetaDataOptionsStoreIDToken": "Conserver le jeton d'identité",
 "oidcOPMetaDataOptionsTokenEndpointAuthMethod": "Méthode d'authentification pour l'accès aux jetons",
 "oidcOPName": "Nom du fournisseur OpenID Connect",
 "oidcParams": "Paramètres OpenID Connect",

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthOpenIDConnect.pm

@@ -29,14 +29,27 @@ sub authInit {
 # @return Lemonldap::NG::Portal constant
 sub setAuthSessionInfo {
     my $self = shift;
+    my $op   = $self->{_oidcOPCurrent};
 
     $self->{sessionInfo}->{'_user'} = $self->{user};
     $self->{sessionInfo}->{authenticationLevel} = $self->{oidcAuthnLevel};
 
-    $self->{sessionInfo}->{OpenIDConnect_OP} = $self->{_oidcOPCurrent};
+    $self->{sessionInfo}->{OpenIDConnect_OP} = $op;
     $self->{sessionInfo}->{OpenIDConnect_access_token} =
       $self->{tmp}->{access_token};
-    $self->{sessionInfo}->{OpenIDConnect_IDToken} = $self->{tmp}->{id_token};
+
+    # Keep ID Token in session
+    my $store_IDToken =
+      $self->{oidcOPMetaDataOptions}->{$op}
+      ->{oidcOPMetaDataOptionsStoreIDToken};
+    if ($store_IDToken) {
+        $self->lmLog( "Store ID Token in session", 'debug' );
+        $self->{sessionInfo}->{OpenIDConnect_IDToken} =
+          $self->{tmp}->{id_token};
+    }
+    else {
+        $self->lmLog( "ID Token will not be stored in session", 'debug' );
+    }
 
     PE_OK;
 }