Port option to store ID token in trunk (#1083)
This commit is contained in:
parent
5d2be9a418
commit
47c227246b
|
@ -160,6 +160,7 @@ sub defaultValues {
|
||||||
'oidcOPMetaDataOptionsJWKSTimeout' => 0,
|
'oidcOPMetaDataOptionsJWKSTimeout' => 0,
|
||||||
'oidcOPMetaDataOptionsMaxAge' => 0,
|
'oidcOPMetaDataOptionsMaxAge' => 0,
|
||||||
'oidcOPMetaDataOptionsScope' => 'openid profile',
|
'oidcOPMetaDataOptionsScope' => 'openid profile',
|
||||||
|
'oidcOPMetaDataOptionsStoreIDToken' => 0,
|
||||||
'oidcOPMetaDataOptionsTokenEndpointAuthMethod' => 'client_secret_post',
|
'oidcOPMetaDataOptionsTokenEndpointAuthMethod' => 'client_secret_post',
|
||||||
'oidcOPMetaDataOptionsUseNonce' => 1,
|
'oidcOPMetaDataOptionsUseNonce' => 1,
|
||||||
'oidcRPCallbackGetParam' => 'openidconnectcallback',
|
'oidcRPCallbackGetParam' => 'openidconnectcallback',
|
||||||
|
|
|
@ -1483,6 +1483,10 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
|
||||||
'default' => 'openid profile',
|
'default' => 'openid profile',
|
||||||
'type' => 'text'
|
'type' => 'text'
|
||||||
},
|
},
|
||||||
|
'oidcOPMetaDataOptionsStoreIDToken' => {
|
||||||
|
'default' => 0,
|
||||||
|
'type' => 'bool'
|
||||||
|
},
|
||||||
'oidcOPMetaDataOptionsTokenEndpointAuthMethod' => {
|
'oidcOPMetaDataOptionsTokenEndpointAuthMethod' => {
|
||||||
'default' => 'client_secret_post',
|
'default' => 'client_secret_post',
|
||||||
'select' => [
|
'select' => [
|
||||||
|
|
|
@ -2378,6 +2378,7 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
|
||||||
oidcOPMetaDataOptionsUseNonce => { type => 'bool', default => 1 },
|
oidcOPMetaDataOptionsUseNonce => { type => 'bool', default => 1 },
|
||||||
oidcOPMetaDataOptionsDisplayName => { type => 'text', },
|
oidcOPMetaDataOptionsDisplayName => { type => 'text', },
|
||||||
oidcOPMetaDataOptionsIcon => { type => 'text', },
|
oidcOPMetaDataOptionsIcon => { type => 'text', },
|
||||||
|
oidcOPMetaDataOptionsStoreIDToken => { type => 'bool', default => 0 },
|
||||||
|
|
||||||
# OpenID Connect relying parties
|
# OpenID Connect relying parties
|
||||||
oidcRPMetaDataExportedVars => {
|
oidcRPMetaDataExportedVars => {
|
||||||
|
|
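Review bot: The added `oidcOPMetaDataOptionsStoreIDToken` entry declares only `type` and `default`, so nothing at the declaration site says what the flag controls or why it is off by default; a trailing comment such as `# when true, the OP's ID Token is copied into sessionInfo as OpenIDConnect_IDToken` would document it where the option is defined. The neighbouring `UseNonce`, `DisplayName` and `Icon` entries are equally bare, so this is a documentation point rather than a defect in the new line.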
|
@ -136,7 +136,8 @@ sub cTrees {
|
||||||
'oidcOPMetaDataOptionsConfigurationURI',
|
'oidcOPMetaDataOptionsConfigurationURI',
|
||||||
'oidcOPMetaDataOptionsJWKSTimeout',
|
'oidcOPMetaDataOptionsJWKSTimeout',
|
||||||
'oidcOPMetaDataOptionsClientID',
|
'oidcOPMetaDataOptionsClientID',
|
||||||
'oidcOPMetaDataOptionsClientSecret'
|
'oidcOPMetaDataOptionsClientSecret',
|
||||||
|
'oidcOPMetaDataOptionsStoreIDToken'
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
|
|
@ -24,7 +24,7 @@ our @sessionTypes = ( 'captcha', 'remoteGlobal', 'cas', 'global', 'localSession'
|
||||||
our $doubleHashKeys = 'issuerDBGetParameters';
|
our $doubleHashKeys = 'issuerDBGetParameters';
|
||||||
our $simpleHashKeys = '(?:(?:g(?:r(?:antSessionRule|oup)|lobalStorageOption|oogleExportedVar)|l(?:o(?:calSessionStorageOption|goutService)|dapExportedVar)|ca(?:s(?:StorageOption|Attribute)|ptchaStorageOption)|(?:(?:d(?:emo|bi)|facebook|webID)E|e)xportedVar|p(?:ersistentStorageOption|ortalSkinRule)|re(?:moteGlobalStorageOption|loadUrl)|notificationStorageOption|CASproxiedService|macro)s|o(?:idcS(?:erviceMetaDataAuthnContext|torageOptions)|penIdExportedVars)|s(?:(?:amlStorageOption|laveExportedVar)s|essionDataToRemember)|a(?:uthChoiceModules|pplicationList))';
|
our $simpleHashKeys = '(?:(?:g(?:r(?:antSessionRule|oup)|lobalStorageOption|oogleExportedVar)|l(?:o(?:calSessionStorageOption|goutService)|dapExportedVar)|ca(?:s(?:StorageOption|Attribute)|ptchaStorageOption)|(?:(?:d(?:emo|bi)|facebook|webID)E|e)xportedVar|p(?:ersistentStorageOption|ortalSkinRule)|re(?:moteGlobalStorageOption|loadUrl)|notificationStorageOption|CASproxiedService|macro)s|o(?:idcS(?:erviceMetaDataAuthnContext|torageOptions)|penIdExportedVars)|s(?:(?:amlStorageOption|laveExportedVar)s|essionDataToRemember)|a(?:uthChoiceModules|pplicationList))';
|
||||||
our $specialNodeKeys = '(?:(?:saml(?:ID|S)|oidc[OR])PMetaDataNode|virtualHost)s';
|
our $specialNodeKeys = '(?:(?:saml(?:ID|S)|oidc[OR])PMetaDataNode|virtualHost)s';
|
||||||
our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)|heckJWTSignature|onfigurationURI)|TokenEndpointAuthMethod|(?:JWKSTimeou|Promp)t|I(?:DTokenMaxAge|con)|U(?:iLocales|seNonce)|Display(?:Name)?|(?:MaxAg|Scop)e|AcrValues)|ExportedVars|J(?:SON|WKS))';
|
our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)|heckJWTSignature|onfigurationURI)|TokenEndpointAuthMethod|(?:JWKSTimeou|Promp)t|I(?:DTokenMaxAge|con)|S(?:toreIDToken|cope)|U(?:iLocales|seNonce)|Display(?:Name)?|AcrValues|MaxAge)|ExportedVars|J(?:SON|WKS))';
|
||||||
our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:I(?:DToken(?:Expiration|SignAlg)|con)|(?:RedirectUri|ExtraClaim)s|AccessTokenExpiration|Client(?:Secret|ID)|DisplayName|UserIDAttr)|ExportedVars)';
|
our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:I(?:DToken(?:Expiration|SignAlg)|con)|(?:RedirectUri|ExtraClaim)s|AccessTokenExpiration|Client(?:Secret|ID)|DisplayName|UserIDAttr)|ExportedVars)';
|
||||||
our $samlIDPMetaDataNodeKeys = 'samlIDPMetaData(?:Options(?:A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|S(?:ignS[LS]OMessage|toreSAMLToken|[LS]OBinding)|Check(?:S[LS]OMessageSignature|Conditions)|Re(?:questedAuthnContext|solutionRule)|(?:EncryptionMod|IsPassiv)e|Force(?:Authn|UTF8)|NameIDFormat)|ExportedAttributes|XML)';
|
our $samlIDPMetaDataNodeKeys = 'samlIDPMetaData(?:Options(?:A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|S(?:ignS[LS]OMessage|toreSAMLToken|[LS]OBinding)|Check(?:S[LS]OMessageSignature|Conditions)|Re(?:questedAuthnContext|solutionRule)|(?:EncryptionMod|IsPassiv)e|Force(?:Authn|UTF8)|NameIDFormat)|ExportedAttributes|XML)';
|
||||||
our $samlSPMetaDataNodeKeys = 'samlSPMetaData(?:Options(?:N(?:ameID(?:SessionKey|Format)|otOnOrAfterTimeout)|S(?:essionNotOnOrAfterTimeout|ignS[LS]OMessage)|(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|En(?:ableIDPInitiatedURL|cryptionMode)|ForceUTF8)|ExportedAttributes|XML)';
|
our $samlSPMetaDataNodeKeys = 'samlSPMetaData(?:Options(?:N(?:ameID(?:SessionKey|Format)|otOnOrAfterTimeout)|S(?:essionNotOnOrAfterTimeout|ignS[LS]OMessage)|(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|En(?:ableIDPInitiatedURL|cryptionMode)|ForceUTF8)|ExportedAttributes|XML)';
|
||||||
|
|
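Review bot: The changed `$oidcOPMetaDataNodeKeys` line is a prefix-factored alternation that appears to be generated output, yet it is edited by hand here: `(?:MaxAg|Scop)e` became `S(?:toreIDToken|cope)` plus a standalone `MaxAge`, which is equivalent for the existing names and adds the new one, but a slip in this kind of edit silently drops a key from the node-key match. If the project regenerates these patterns from the attribute table, regenerate instead of editing; in either case a test line like `like 'oidcOPMetaDataOptionsStoreIDToken', qr/^$oidcOPMetaDataNodeKeys$/, 'new key matches';` would pin the result.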
|
@ -80,6 +80,13 @@ function templates(tpl,key) {
|
||||||
"id" : tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsClientSecret",
|
"id" : tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsClientSecret",
|
||||||
"title" : "oidcOPMetaDataOptionsClientSecret",
|
"title" : "oidcOPMetaDataOptionsClientSecret",
|
||||||
"type" : "password"
|
"type" : "password"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"default" : 0,
|
||||||
|
"get" : tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsStoreIDToken",
|
||||||
|
"id" : tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsStoreIDToken",
|
||||||
|
"title" : "oidcOPMetaDataOptionsStoreIDToken",
|
||||||
|
"type" : "bool"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"id" : "oidcOPMetaDataOptionsConfiguration",
|
"id" : "oidcOPMetaDataOptionsConfiguration",
|
||||||
|
|
@ -394,6 +394,7 @@
|
||||||
"oidcOPMetaDataOptionsJWKSTimeout": "JWKS data timeout",
|
"oidcOPMetaDataOptionsJWKSTimeout": "JWKS data timeout",
|
||||||
"oidcOPMetaDataOptionsProtocol": "Protocol",
|
"oidcOPMetaDataOptionsProtocol": "Protocol",
|
||||||
"oidcOPMetaDataOptionsScope": "Scope",
|
"oidcOPMetaDataOptionsScope": "Scope",
|
||||||
|
"oidcOPMetaDataOptionsStoreIDToken": "Store ID Token",
|
||||||
"oidcOPMetaDataOptionsTokenEndpointAuthMethod": "Token endpoint authentication method",
|
"oidcOPMetaDataOptionsTokenEndpointAuthMethod": "Token endpoint authentication method",
|
||||||
"oidcOPName": "OpenID Connect Provider Name",
|
"oidcOPName": "OpenID Connect Provider Name",
|
||||||
"oidcParams": "OpenID Connect parameters",
|
"oidcParams": "OpenID Connect parameters",
|
||||||
|
|
|
@ -394,6 +394,7 @@
|
||||||
"oidcOPMetaDataOptionsJWKSTimeout": "Durée de vie des données JWKS",
|
"oidcOPMetaDataOptionsJWKSTimeout": "Durée de vie des données JWKS",
|
||||||
"oidcOPMetaDataOptionsProtocol": "Protocole",
|
"oidcOPMetaDataOptionsProtocol": "Protocole",
|
||||||
"oidcOPMetaDataOptionsScope": "Étendue",
|
"oidcOPMetaDataOptionsScope": "Étendue",
|
||||||
|
"oidcOPMetaDataOptionsStoreIDToken": "Conserver le jeton d'identité",
|
||||||
"oidcOPMetaDataOptionsTokenEndpointAuthMethod": "Méthode d'authentification pour l'accès aux jetons",
|
"oidcOPMetaDataOptionsTokenEndpointAuthMethod": "Méthode d'authentification pour l'accès aux jetons",
|
||||||
"oidcOPName": "Nom du fournisseur OpenID Connect",
|
"oidcOPName": "Nom du fournisseur OpenID Connect",
|
||||||
"oidcParams": "Paramètres OpenID Connect",
|
"oidcParams": "Paramètres OpenID Connect",
|
||||||
|
|
|
@ -29,14 +29,27 @@ sub authInit {
|
||||||
# @return Lemonldap::NG::Portal constant
|
# @return Lemonldap::NG::Portal constant
|
||||||
sub setAuthSessionInfo {
|
sub setAuthSessionInfo {
|
||||||
my $self = shift;
|
my $self = shift;
|
||||||
|
my $op = $self->{_oidcOPCurrent};
|
||||||
|
|
||||||
$self->{sessionInfo}->{'_user'} = $self->{user};
|
$self->{sessionInfo}->{'_user'} = $self->{user};
|
||||||
$self->{sessionInfo}->{authenticationLevel} = $self->{oidcAuthnLevel};
|
$self->{sessionInfo}->{authenticationLevel} = $self->{oidcAuthnLevel};
|
||||||
|
|
||||||
$self->{sessionInfo}->{OpenIDConnect_OP} = $self->{_oidcOPCurrent};
|
$self->{sessionInfo}->{OpenIDConnect_OP} = $op;
|
||||||
$self->{sessionInfo}->{OpenIDConnect_access_token} =
|
$self->{sessionInfo}->{OpenIDConnect_access_token} =
|
||||||
$self->{tmp}->{access_token};
|
$self->{tmp}->{access_token};
|
||||||
$self->{sessionInfo}->{OpenIDConnect_IDToken} = $self->{tmp}->{id_token};
|
|
||||||
|
# Keep ID Token in session
|
||||||
|
my $store_IDToken =
|
||||||
|
$self->{oidcOPMetaDataOptions}->{$op}
|
||||||
|
->{oidcOPMetaDataOptionsStoreIDToken};
|
||||||
|
if ($store_IDToken) {
|
||||||
|
$self->lmLog( "Store ID Token in session", 'debug' );
|
||||||
|
$self->{sessionInfo}->{OpenIDConnect_IDToken} =
|
||||||
|
$self->{tmp}->{id_token};
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$self->lmLog( "ID Token will not be stored in session", 'debug' );
|
||||||
|
}
|
||||||
|
|
||||||
PE_OK;
|
PE_OK;
|
||||||
}
|
}
|
||||||
|
|
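Review bot: In the new block the gate covers only the ID Token, while `OpenIDConnect_access_token` two lines above is still written to the session unconditionally; if the goal of `oidcOPMetaDataOptionsStoreIDToken` is to keep a credential-like token out of session storage, the same consideration applies to the access token, so either extend the option or state in the `# Keep ID Token in session` comment that the access token is deliberately always kept. The lookup `$self->{oidcOPMetaDataOptions}->{$op}->{oidcOPMetaDataOptionsStoreIDToken}` takes `$op` from `$self->{_oidcOPCurrent}` with no defined check, so an undefined OP falls into the "not stored" branch without any warning and autovivifies an entry under `undef`; a guard such as `if ( defined $op and $store_IDToken ) {` plus a comment `# Undefined OP means the token is not kept` would make that explicit. The `else` branch leaves `OpenIDConnect_IDToken` unset rather than clearing it, which is fine for a freshly built sessionInfo but worth a comment so nobody later reads it as a reset. Minor style: `$store_IDToken` mixes cases; `$store_id_token` would follow lower_snake_case.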