From 495da0dde547359645b5050a6069177f04e13594 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Oudot?=
Date: Wed, 11 Mar 2015 13:53:58 +0000
Subject: [PATCH] Check accepted scope in consent step (#184)
---
 .../NG/Portal/IssuerDBOpenIDConnect.pm | 45 ++++++++++++++++---
 1 file changed, 40 insertions(+), 5 deletions(-)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
index 66ef78ed6..3d4b45b69 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
@@ -335,14 +335,49 @@ sub issuerForAuthUser {
 }
 # Obtain consent
- if ( $self->{sessionInfo}->{"_oidc_consent_$rp"} ) {
- $self->lmLog( "Consent already given for Relaying Party $rp",
- 'debug' );
+ my $ask_for_consent = 1;
+ if ( $self->{sessionInfo}->{"_oidc_consent_time_$rp"}
+ and $self->{sessionInfo}->{"_oidc_consent_scope_$rp"} )
+ {
+ $ask_for_consent = 0;
+ my $consent_time =
+ $self->{sessionInfo}->{"_oidc_consent_time_$rp"};
+ my $consent_scope =
+ $self->{sessionInfo}->{"_oidc_consent_scope_$rp"};
+
+ $self->lmLog(
+"Consent already given for Relaying Party $rp (time: $consent_time, scope: $consent_scope)",
+ 'debug'
+ );
+
+ # Check accepted scope
+ foreach my $requested_scope (
+ split( /\s+/, $oidc_request->{'scope'} ) )
+ {
+ if ( $consent_scope =~ /\b$requested_scope\b/ ) {
+ $self->lmLog( "Scope $requested_scope already accepted",
+ 'debug' );
+ }
+ else {
+ $self->lmLog(
+"Scope $requested_scope was not previously accepted",
+ 'debug'
+ );
+ $ask_for_consent = 1;
+ last;
+ }
+ }
 }
- else {
+ if ($ask_for_consent) {
 if ( $self->param('confirm') == 1 ) {
 $self->updatePersistentSession(
- { "_oidc_consent_$rp" => time } );
+ { "_oidc_consent_time_$rp" => time } );
+ $self->updatePersistentSession(
+ {
+ "_oidc_consent_scope_$rp" =>
+ $oidc_request->{'scope'}
+ }
+ );
 $self->lmLog( "Consent given for Relaying Party $rp",
 'debug' );
 }
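Review bot: `$consent_scope =~ /\b$requested_scope\b/` interpolates each requested scope, which comes from the client's authorization request, straight into a regex, so a scope token containing metacharacters either matches a stored scope it was never granted (e.g. `.*`) and skips the consent prompt, or is an invalid pattern and dies at runtime. Both sides are space-separated scope lists, so an exact-token comparison is what this check needs: `my %accepted_scope = map { $_ => 1 } split /\s+/, $consent_scope;` before the loop and `if ( $accepted_scope{$requested_scope} ) {` in place of the match (at minimum `\Q$requested_scope\E`). The `\b` anchors also let a requested scope match inside a longer stored one whenever the neighbouring character is not a word character (e.g. `profile` against a consented `x-profile`), which the hash lookup avoids. issuerForAuthUser starts before and continues past this hunk, so whether `$oidc_request->{'scope'}` is guaranteed defined when the new `split` runs is not visible here.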