dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'refresh' into 'v2.0'

Browse Source 
Add OIDC offline sessions and refresh tokens

See merge request lemonldap-ng/lemonldap-ng!100
This commit is contained in:
Maxime Besson 2019-11-04 11:27:31 +01:00
commit 5b2e6f7d9f
44 changed files with 1482 additions and 267 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Constants.pm
View File

@ -24,7 +24,7 @@ use constant MANAGERSECTION => "manager";
use constant SESSIONSEXPLORERSECTION => "sessionsExplorer";
use constant APPLYSECTION => "apply";
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node)|S(?:erviceMetaDataAuthnContext|torageOptions))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars|fExtra)|c(?:as(?:S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions)|A(?:ppMetaData(?:(?:ExportedVar|Option)s|Node)|ttributes))|(?:ustomAddParam|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|RPMetaDataOptions(?:LogoutSessionRequired|BypassConsent|RequirePKCE|Public)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:setPassword|gister)|GeneratePassword|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|o(?:ntextSwitchingStopWithLogout|rsEnabled)|da)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?)?|y(?:Deleted|Other))|AjaxHook)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|d(?:isablePersistentStorage|biDynamicHashEnabled|ontCompactConf)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|rest(?:(?:Session|Config)Server|ExportSecretKeys)|br(?:owsersDontStorePassword|uteForceProtection)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs))$/;
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:Re(?:freshToken|quirePKCE)|LogoutSessionRequired|BypassConsent|AllowOffline|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:setPassword|gister)|GeneratePassword|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|o(?:ntextSwitchingStopWithLogout|rsEnabled)|da)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?)?|y(?:Deleted|Other))|AjaxHook)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|d(?:isablePersistentStorage|biDynamicHashEnabled|ontCompactConf)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|rest(?:(?:Session|Config)Server|ExportSecretKeys)|br(?:owsersDontStorePassword|uteForceProtection)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs))$/;
our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );

20
lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
View File

@ -166,14 +166,17 @@ sub defaultValues {
'notificationStorageOptions' => {
'dirName' => '/var/lib/lemonldap-ng/notifications'
},
'notificationWildcard' => 'allusers',
'notifyDeleted' => 1,
'nullAuthnLevel' => 0,
'oidcAuthnLevel' => 1,
'oidcRPCallbackGetParam' => 'openidconnectcallback',
'oidcRPStateTimeout' => 600,
'oidcServiceAllowAuthorizationCodeFlow' => 1,
'oidcServiceMetaDataAuthnContext' => {
'notificationWildcard' => 'allusers',
'notifyDeleted' => 1,
'nullAuthnLevel' => 0,
'oidcAuthnLevel' => 1,
'oidcRPCallbackGetParam' => 'openidconnectcallback',
'oidcRPStateTimeout' => 600,
'oidcServiceAccessTokenExpiration' => 3600,
'oidcServiceAllowAuthorizationCodeFlow' => 1,
'oidcServiceAuthorizationCodeExpiration' => 60,
'oidcServiceIDTokenExpiration' => 3600,
'oidcServiceMetaDataAuthnContext' => {
'loa-1' => 1,
'loa-2' => 2,
'loa-3' => 3,
@ -190,6 +193,7 @@ sub defaultValues {
'oidcServiceMetaDataRegistrationURI' => 'register',
'oidcServiceMetaDataTokenURI' => 'token',
'oidcServiceMetaDataUserInfoURI' => 'userinfo',
'oidcServiceOfflineSessionExpiration' => 2592000,
'openIdAuthnLevel' => 1,
'openIdExportedVars' => {},
'openIdIDPList' => '0;',

4
lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm
View File

@ -27,7 +27,7 @@ our $specialNodeKeys = '(?:(?:(?:saml(?:ID|S)|oidc[OR])P|cas(?:App|Srv))MetaData
our $casAppMetaDataNodeKeys = 'casAppMetaData(?:Options(?:UserAttribut|Servic|Rul)e|ExportedVars)';
our $casSrvMetaDataNodeKeys = 'casSrvMetaData(?:Options(?:ProxiedServices|DisplayName|SortNumber|Gateway|Renew|Icon|Url)|ExportedVars)';
our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)|heckJWTSignature|onfigurationURI)|S(?:toreIDToken|ortNumber|cope)|TokenEndpointAuthMethod|(?:JWKSTimeou|Promp)t|I(?:DTokenMaxAge|con)|U(?:iLocales|seNonce)|Display(?:Name)?|AcrValues|MaxAge)|ExportedVars|J(?:SON|WKS))';
our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:I(?:DToken(?:Expiration|SignAlg)|con)|Logout(?:SessionRequired|Type|Url)|R(?:e(?:directUris|quirePKCE)|ule)|P(?:ostLogoutRedirectUris|ublic)|AccessTokenExpiration|Client(?:Secret|ID)|BypassConsent|DisplayName|ExtraClaims|UserIDAttr)|ExportedVars)';
our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:A(?:(?:uthorizationCode|ccessToken)Expiration|llowOffline)|R(?:e(?:directUris|freshToken|quirePKCE)|ule)|I(?:DToken(?:Expiration|SignAlg)|con)|Logout(?:SessionRequired|Type|Url)|P(?:ostLogoutRedirectUris|ublic)|OfflineSessionExpiration|Client(?:Secret|ID)|BypassConsent|DisplayName|ExtraClaims|UserIDAttr)|ExportedVars)';
our $samlIDPMetaDataNodeKeys = 'samlIDPMetaData(?:Options(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|EncryptionMod|UserAttribut|DisplayNam)e|S(?:ignS[LS]OMessage|toreSAMLToken|[LS]OBinding|ortNumber)|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Re(?:questedAuthnContext|solutionRule|layStateURL)|Force(?:Authn|UTF8)|I(?:sPassive|con)|NameIDFormat)|ExportedAttributes|XML)';
our $samlSPMetaDataNodeKeys = 'samlSPMetaData(?:Options(?:N(?:ameID(?:SessionKey|Format)|otOnOrAfterTimeout)|S(?:essionNotOnOrAfterTimeout|ignS[LS]OMessage)|(?:CheckS[LS]OMessageSignatur|OneTimeUs|Rul)e|En(?:ableIDPInitiatedURL|cryptionMode)|ForceUTF8)|ExportedAttributes|XML)';
our $virtualHostKeys = '(?:vhost(?:A(?:uthnLevel|liases)|(?:Maintenanc|Typ)e|ServiceTokenTTL|Https|Port)|(?:exportedHeader|locationRule)s|post)';
@ -68,6 +68,6 @@ our $issuerParameters = {
issuerOptions => [qw(issuersTimeout)],
};
our $samlServiceParameters = [qw(samlEntityID samlServicePrivateKeySig samlServicePrivateKeySigPwd samlServicePublicKeySig samlServicePrivateKeyEnc samlServicePrivateKeyEncPwd samlServicePublicKeyEnc samlServiceUseCertificateInResponse samlServiceSignatureMethod samlNameIDFormatMapEmail samlNameIDFormatMapX509 samlNameIDFormatMapWindows samlNameIDFormatMapKerberos samlAuthnContextMapPassword samlAuthnContextMapPasswordProtectedTransport samlAuthnContextMapTLSClient samlAuthnContextMapKerberos samlOrganizationDisplayName samlOrganizationName samlOrganizationURL samlSPSSODescriptorAuthnRequestsSigned samlSPSSODescriptorWantAssertionsSigned samlSPSSODescriptorSingleLogoutServiceHTTPRedirect samlSPSSODescriptorSingleLogoutServiceHTTPPost samlSPSSODescriptorSingleLogoutServiceSOAP samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact samlSPSSODescriptorAssertionConsumerServiceHTTPPost samlSPSSODescriptorArtifactResolutionServiceArtifact samlIDPSSODescriptorWantAuthnRequestsSigned samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect samlIDPSSODescriptorSingleSignOnServiceHTTPPost samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect samlIDPSSODescriptorSingleLogoutServiceHTTPPost samlIDPSSODescriptorSingleLogoutServiceSOAP samlIDPSSODescriptorArtifactResolutionServiceArtifact samlAttributeAuthorityDescriptorAttributeServiceSOAP samlMetadataForceUTF8 samlStorage samlStorageOptions samlRelayStateTimeout samlUseQueryStringSpecific samlCommonDomainCookieActivation samlCommonDomainCookieDomain samlCommonDomainCookieReader samlCommonDomainCookieWriter samlDiscoveryProtocolActivation samlDiscoveryProtocolURL samlDiscoveryProtocolPolicy samlDiscoveryProtocolIsPassive samlOverrideIDPEntityID)];
our $oidcServiceParameters = [qw(oidcServiceMetaDataIssuer oidcServiceMetaDataAuthorizeURI oidcServiceMetaDataTokenURI oidcServiceMetaDataUserInfoURI oidcServiceMetaDataJWKSURI oidcServiceMetaDataRegistrationURI oidcServiceMetaDataIntrospectionURI oidcServiceMetaDataEndSessionURI oidcServiceMetaDataCheckSessionURI oidcServiceMetaDataFrontChannelURI oidcServiceMetaDataBackChannelURI oidcServiceMetaDataAuthnContext oidcServicePrivateKeySig oidcServicePublicKeySig oidcServiceKeyIdSig oidcServiceAllowDynamicRegistration oidcServiceAllowAuthorizationCodeFlow oidcServiceAllowImplicitFlow oidcServiceAllowHybridFlow oidcStorage oidcStorageOptions)];
our $oidcServiceParameters = [qw(oidcServiceMetaDataIssuer oidcServiceMetaDataAuthorizeURI oidcServiceMetaDataTokenURI oidcServiceMetaDataUserInfoURI oidcServiceMetaDataJWKSURI oidcServiceMetaDataRegistrationURI oidcServiceMetaDataIntrospectionURI oidcServiceMetaDataEndSessionURI oidcServiceMetaDataCheckSessionURI oidcServiceMetaDataFrontChannelURI oidcServiceMetaDataBackChannelURI oidcServiceMetaDataAuthnContext oidcServicePrivateKeySig oidcServicePublicKeySig oidcServiceKeyIdSig oidcServiceAllowDynamicRegistration oidcServiceAllowAuthorizationCodeFlow oidcServiceAllowImplicitFlow oidcServiceAllowHybridFlow oidcServiceAuthorizationCodeExpiration oidcServiceAccessTokenExpiration oidcServiceIDTokenExpiration oidcServiceOfflineSessionExpiration oidcStorage oidcStorageOptions)];
1;

7
lemonldap-ng-common/lib/Lemonldap/NG/Common/Session/REST.pm
View File

@ -24,6 +24,13 @@ sub setTypes {
( $type eq 'global' ? 'SSO' : ucfirst($type) );
}
}
my $offlinebackend = $self->{sessionTypes}->{oidc} ? 'oidc' : 'global';
$self->{sessionTypes}->{offline}->{module} =
$self->{sessionTypes}->{$offlinebackend}->{module};
$self->{sessionTypes}->{offline}->{options} =
$self->{sessionTypes}->{$offlinebackend}->{options};
$self->{sessionTypes}->{offline}->{kind} = "OIDCI";
}
sub separator {

63
lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/OAuth2.pm
View File

@ -4,6 +4,60 @@ use strict;
our $VERSION = '2.0.4';
sub retrieveSession {
my ( $class, $req, $id ) = @_;
my ($offlineId) = $id =~ /^O-(.*)/;
# Retrieve regular session if this is not an offline access token
unless ($offlineId) {
return $class->Lemonldap::NG::Handler::Main::retrieveSession( $req,
$id );
}
# 2. Get the session from cache or backend
my $session = $req->data->{session} = (
Lemonldap::NG::Common::Session->new( {
storageModule => $class->tsv->{oidcStorageModule},
storageModuleOptions => $class->tsv->{oidcStorageOptions},
cacheModule => $class->tsv->{sessionCacheModule},
cacheModuleOptions => $class->tsv->{sessionCacheOptions},
id => $offlineId,
kind => "OIDCI",
}
)
);
unless ( $session->error ) {
$class->data( $session->data );
$class->logger->debug("Get session $offlineId from Handler::Main::Run");
# Verify that session is valid
$class->logger->error(
"_utime is not defined. This should not happen. Check if it is well transmitted to handler"
) unless $session->data->{_utime};
my $ttl = $class->tsv->{timeout} - time + $session->data->{_utime};
$class->logger->debug( "Session TTL = " . $ttl );
if ( time - $session->data->{_utime} > $class->tsv->{timeout} ) {
$class->logger->info("Session $id expired");
# Clean cached data
$class->data( {} );
return 0;
}
return $session->data;
}
else {
$class->logger->info("Session $offlineId can't be retrieved");
$class->logger->info( $session->error );
return 0;
}
}
sub fetchId {
my ( $class, $req ) = @_;
@ -21,10 +75,16 @@ sub fetchId {
# Get access token session
my $infos = $class->getOIDCInfos($access_token);
# If this token is tied to a regular session ID
if ( my $_session_id = $infos->{user_session_id} ) {
$class->logger->debug( 'Get user session id ' . $_session_id );
return $_session_id;
}
# If this token is tied to an Offline session
if ( my $_session_id = $infos->{offline_session_id} ) {
$class->logger->debug( 'Get offline session id ' . $_session_id );
return "O-$_session_id";
}
return $class->Lemonldap::NG::Handler::Main::fetchId($req);
}
@ -50,7 +110,8 @@ sub getOIDCInfos {
unless ( $oidcSession->error ) {
$class->logger->debug("Get OIDC session $id");
$infos->{user_session_id} = $oidcSession->data->{user_session_id};
$infos->{user_session_id} = $oidcSession->data->{user_session_id};
$infos->{offline_session_id} = $oidcSession->data->{offline_session_id};
}
else {
$class->logger->info("OIDC Session $id can't be retrieved");

39
lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
View File

@ -1211,6 +1211,9 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
'default' => 5,
'type' => 'int'
},
'forceGlobalStorageIssuerOTT' => {
'type' => 'bool'
},
'forceGlobalStorageUpgradeOTT' => {
'type' => 'bool'
},
@ -1979,8 +1982,14 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
'type' => 'subContainer'
},
'oidcRPMetaDataOptionsAccessTokenExpiration' => {
'default' => 3600,
'type' => 'int'
'type' => 'int'
},
'oidcRPMetaDataOptionsAllowOffline' => {
'default' => 0,
'type' => 'bool'
},
'oidcRPMetaDataOptionsAuthorizationCodeExpiration' => {
'type' => 'int'
},
'oidcRPMetaDataOptionsBypassConsent' => {
'default' => 0,
@ -2003,8 +2012,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
'type' => 'text'
},
'oidcRPMetaDataOptionsIDTokenExpiration' => {
'default' => 3600,
'type' => 'int'
'type' => 'int'
},
'oidcRPMetaDataOptionsIDTokenSignAlg' => {
'default' => 'HS512',
@ -2059,6 +2067,9 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
'oidcRPMetaDataOptionsLogoutUrl' => {
'type' => 'url'
},
'oidcRPMetaDataOptionsOfflineSessionExpiration' => {
'type' => 'int'
},
'oidcRPMetaDataOptionsPostLogoutRedirectUris' => {
'type' => 'text'
},
@ -2069,6 +2080,10 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
'oidcRPMetaDataOptionsRedirectUris' => {
'type' => 'text'
},
'oidcRPMetaDataOptionsRefreshToken' => {
'default' => 0,
'type' => 'bool'
},
'oidcRPMetaDataOptionsRequirePKCE' => {
'default' => 0,
'type' => 'bool'
@ -2086,6 +2101,10 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
'default' => 600,
'type' => 'int'
},
'oidcServiceAccessTokenExpiration' => {
'default' => 3600,
'type' => 'int'
},
'oidcServiceAllowAuthorizationCodeFlow' => {
'default' => 1,
'type' => 'bool'
@ -2102,6 +2121,14 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
'default' => 0,
'type' => 'bool'
},
'oidcServiceAuthorizationCodeExpiration' => {
'default' => 60,
'type' => 'int'
},
'oidcServiceIDTokenExpiration' => {
'default' => 3600,
'type' => 'int'
},
'oidcServiceKeyIdSig' => {
'type' => 'text'
},
@ -2159,6 +2186,10 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
'default' => 'userinfo',
'type' => 'text'
},
'oidcServiceOfflineSessionExpiration' => {
'default' => 2592000,
'type' => 'int'
},
'oidcServicePrivateKeySig' => {
'type' => 'RSAPrivateKey'
},

40
lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
View File

@ -3619,6 +3619,26 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
default => 0,
documentation => 'OpenID Connect allow hybrid flow',
},
oidcServiceAuthorizationCodeExpiration => {
type => 'int',
default => 60,
documentation => 'OpenID Connect global code TTL',
},
oidcServiceAccessTokenExpiration => {
type => 'int',
default => 3600,
documentation => 'OpenID Connect global access token TTL',
},
oidcServiceIDTokenExpiration => {
type => 'int',
default => 3600,
documentation => 'OpenID Connect global ID token TTL',
},
oidcServiceOfflineSessionExpiration => {
type => 'int',
default => 2592000,
documentation => 'OpenID Connect global offline session TTL',
},
oidcStorage => {
type => 'PerlModule',
documentation => 'Apache::Session module to store OIDC user data',
@ -3719,11 +3739,11 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
],
default => 'HS512',
},
oidcRPMetaDataOptionsIDTokenExpiration =>
{ type => 'int', default => 3600 },
oidcRPMetaDataOptionsAccessTokenExpiration =>
{ type => 'int', default => 3600 },
oidcRPMetaDataOptionsRedirectUris => { type => 'text', },
oidcRPMetaDataOptionsIDTokenExpiration => { type => 'int' },
oidcRPMetaDataOptionsAccessTokenExpiration => { type => 'int' },
oidcRPMetaDataOptionsAuthorizationCodeExpiration => { type => 'int' },
oidcRPMetaDataOptionsOfflineSessionExpiration => { type => 'int' },
oidcRPMetaDataOptionsRedirectUris => { type => 'text', },
oidcRPMetaDataOptionsExtraClaims =>
{ type => 'keyTextContainer', default => {} },
oidcRPMetaDataOptionsBypassConsent => {
@ -3760,6 +3780,16 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
default => 0,
documentation => 'Require PKCE',
},
oidcRPMetaDataOptionsAllowOffline => {
type => 'bool',
default => 0,
documentation => 'Allow offline access',
},
oidcRPMetaDataOptionsRefreshToken => {
type => 'bool',
default => 0,
documentation => 'Issue refresh tokens',
},
oidcRPMetaDataOptionsRule => {
type => 'text',
test => sub { return perlExpr(@_) },

4
lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/CTrees.pm
View File

@ -204,6 +204,10 @@ sub cTrees {
'oidcRPMetaDataOptionsIDTokenSignAlg',
'oidcRPMetaDataOptionsIDTokenExpiration',
'oidcRPMetaDataOptionsAccessTokenExpiration',
'oidcRPMetaDataOptionsAuthorizationCodeExpiration',
'oidcRPMetaDataOptionsAllowOffline',
'oidcRPMetaDataOptionsRefreshToken',
'oidcRPMetaDataOptionsOfflineSessionExpiration',
'oidcRPMetaDataOptionsRedirectUris',
'oidcRPMetaDataOptionsBypassConsent',
{

4
lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
View File

@ -1166,6 +1166,10 @@ sub tree {
'oidcServiceAllowAuthorizationCodeFlow',
'oidcServiceAllowImplicitFlow',
'oidcServiceAllowHybridFlow',
'oidcServiceAuthorizationCodeExpiration',
'oidcServiceAccessTokenExpiration',
'oidcServiceIDTokenExpiration',
'oidcServiceOfflineSessionExpiration',
],
},
{

1
lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Sessions.pm
View File

@ -99,6 +99,7 @@ sub sessions {
my $params = $req->parameters();
my $type = delete $params->{sessionType};
$type = $type eq 'global' ? 'SSO' : ucfirst($type);
$type = $type eq 'Offline' ? 'OIDCI' : ucfirst($type);
my $res;

2
lemonldap-ng-manager/site/coffee/sessions.coffee
View File

@ -420,7 +420,7 @@ llapp.controller 'SessionsExplorerCtrl', ['$scope', '$translator', '$location',
sessionType = 'global'
if n == null
$scope.type = '_whatToTrace'
else if n[1].match /^(persistent)$/
else if n[1].match /^(persistent|offline)$/
sessionType = RegExp.$1
$scope.type = '_session_uid'
else

28
lemonldap-ng-manager/site/htdocs/static/js/conftree.js
View File

@ -473,19 +473,43 @@ function templates(tpl,key) {
"type" : "select"
},
{
"default" : 3600,
"get" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsIDTokenExpiration",
"id" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsIDTokenExpiration",
"title" : "oidcRPMetaDataOptionsIDTokenExpiration",
"type" : "int"
},
{
"default" : 3600,
"get" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsAccessTokenExpiration",
"id" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsAccessTokenExpiration",
"title" : "oidcRPMetaDataOptionsAccessTokenExpiration",
"type" : "int"
},
{
"get" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsAuthorizationCodeExpiration",
"id" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsAuthorizationCodeExpiration",
"title" : "oidcRPMetaDataOptionsAuthorizationCodeExpiration",
"type" : "int"
},
{
"default" : 0,
"get" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsAllowOffline",
"id" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsAllowOffline",
"title" : "oidcRPMetaDataOptionsAllowOffline",
"type" : "bool"
},
{
"default" : 0,
"get" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRefreshToken",
"id" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRefreshToken",
"title" : "oidcRPMetaDataOptionsRefreshToken",
"type" : "bool"
},
{
"get" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsOfflineSessionExpiration",
"id" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsOfflineSessionExpiration",
"title" : "oidcRPMetaDataOptionsOfflineSessionExpiration",
"type" : "int"
},
{
"get" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRedirectUris",
"id" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRedirectUris",

2
lemonldap-ng-manager/site/htdocs/static/js/conftree.min.js vendored
View File

File diff suppressed because one or more lines are too long

2
lemonldap-ng-manager/site/htdocs/static/js/conftree.min.js.map
View File

File diff suppressed because one or more lines are too long

2
lemonldap-ng-manager/site/htdocs/static/js/sessions.js
View File

@ -511,7 +511,7 @@
sessionType = 'global';
if (n === null) {
$scope.type = '_whatToTrace';
} else if (n[1].match(/^(persistent)$/)) {
} else if (n[1].match(/^(persistent|offline)$/)) {
sessionType = RegExp.$1;
$scope.type = '_session_uid';
} else {

3
lemonldap-ng-manager/site/htdocs/static/js/sessions.min.js vendored
View File

File diff suppressed because one or more lines are too long

2
lemonldap-ng-manager/site/htdocs/static/js/sessions.min.js.map
View File

File diff suppressed because one or more lines are too long

12
lemonldap-ng-manager/site/htdocs/static/languages/ar.json
View File

@ -517,6 +517,7 @@
"nullParams":"لا شيء في المعايير",
"number":"رقم",
"off":"إيقاف",
"offlineSessions":"Offline sessions",
"oldValue":"قيمة قديمة",
"on":"تنشيط",
"oidcAuthnLevel":"مستوى إثبات الهوية",
@ -528,6 +529,7 @@
"oidcOPMetaDataNode":" أوبين أيدي كونيكت بروفيدر",
"oidcOPMetaDataOptions":"الخيارات",
"oidcRPMetaDataOptionsAuthentication":"إثبات الهوية",
"oidcRPMetaDataOptionsAllowOffline":"Allow offline access",
"oidcOPMetaDataOptionsCheckJWTSignature":"توقيع",
"oidcOPMetaDataOptionsClientID":"معرف العميل",
"oidcOPMetaDataOptionsClientSecret":"سرالعميل",
@ -557,6 +559,7 @@
"oidcRPMetaDataNode":"الأطراف المعتمد لي أوبين أيدي كونيكت",
"oidcRPMetaDataOptions":"الخيارات",
"oidcRPMetaDataOptionsAccessTokenExpiration":"انتهاء صلاحية التوكن",
"oidcRPMetaDataOptionsAuthorizationCodeExpiration":"Authorization Code expiration",
"oidcRPMetaDataOptionsBypassConsent":"تخطى الموافقة ",
"oidcRPMetaDataOptionsClientID":"معرف العميل",
"oidcRPMetaDataOptionsClientSecret":"سرالعميل",
@ -565,6 +568,8 @@
"oidcRPMetaDataOptionsIcon":"شعار",
"oidcRPMetaDataOptionsIDTokenExpiration":" انتهاء صلاحية تعريف التوكن",
"oidcRPMetaDataOptionsIDTokenSignAlg":"خوارزمية توقيع آي دي التوكن",
"oidcRPMetaDataOptionsOfflineSessionExpiration":"Offline session expiration",
"oidcRPMetaDataOptionsRefreshToken":"Use refresh tokens",
"oidcRPMetaDataOptionsUserIDAttr":"خاصّيّة المستخدم",
"oidcRPName":"اسم أوبين أيدي كونيكت RP",
"oidcRPStateTimeout":"حالة مهلة الجلسة",
@ -584,6 +589,10 @@
"oidcServicePrivateKeySig":"توقيع على المفتاح الخاص",
"oidcServicePublicKeySig":"توقيع على المفتاح العمومي",
"oidcServiceKeyIdSig":"توقيع على هوية المفتاح ",
"oidcServiceAuthorizationCodeExpiration":"Authorization Code expiration",
"oidcServiceAccessTokenExpiration":"ﺎﻨﺘﻫﺍﺀ ﺹﻼﺤﻳﺓ ﺎﻠﺗﻮﻜﻧ",
"oidcServiceIDTokenExpiration":" ﺎﻨﺘﻫﺍﺀ ﺹﻼﺤﻳﺓ ﺖﻋﺮﻴﻓ ﺎﻠﺗﻮﻜﻧ",
"oidcServiceOfflineSessionExpiration":"Offline session expiration",
"oidcStorage":"اسم وحدة الجلسات",
"oidcStorageOptions":"خيارات وحدة الجلسات",
"oidcOPMetaDataNodes":" أوبين أيدي كونيكت بروفيدر",
@ -605,6 +614,7 @@
"oidcServiceAllowAuthorizationCodeFlow":"ترخيص كود التدفق",
"oidcServiceAllowImplicitFlow":"التدفق الضمني",
"oidcServiceAllowHybridFlow":"تدفق هجين",
"oidcServiceAllowOffline":"Allow offline access",
"ok":"حسنا",
"oldNotifFormat":"استخدام صيغة xml القديمة",
"openIdAttr":"تسجيل الدخول في أوبين أيدي",
@ -1066,4 +1076,4 @@
"samlRelayStateTimeout":"تناوب حالة مهلة الجلسة ",
"samlUseQueryStringSpecific":"استخدام أسلوب query_string المعين",
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
}
}

14
lemonldap-ng-manager/site/htdocs/static/languages/de.json
View File

@ -517,6 +517,7 @@
"nullParams":"Null parameters",
"number":"Number",
"off":"Off",
"offlineSessions":"Offline sessions",
"oldValue":"Old value",
"on":"On",
"oidcAuthnLevel":"Authentication level",
@ -528,6 +529,7 @@
"oidcOPMetaDataNode":"OpenID Connect Providers",
"oidcOPMetaDataOptions":"Optionen",
"oidcRPMetaDataOptionsAuthentication":"Authentication",
"oidcRPMetaDataOptionsAllowOffline":"Allow offline access",
"oidcOPMetaDataOptionsCheckJWTSignature":"Check JWT signature",
"oidcOPMetaDataOptionsClientID":"Client ID",
"oidcOPMetaDataOptionsClientSecret":"Client secret",
@ -556,7 +558,8 @@
"oidcRPMetaDataExportedVars":"Exported attributes",
"oidcRPMetaDataNode":"OpenID Connect Relying Parties",
"oidcRPMetaDataOptions":"Options",
"oidcRPMetaDataOptionsAccessTokenExpiration":"Access token expiration",
"oidcRPMetaDataOptionsAccessTokenExpiration":"Access Token expiration",
"oidcRPMetaDataOptionsAuthorizationCodeExpiration":"Authorization Code expiration",
"oidcRPMetaDataOptionsBypassConsent":"Bypass consent",
"oidcRPMetaDataOptionsClientID":"Client ID",
"oidcRPMetaDataOptionsClientSecret":"Client secret",
@ -565,6 +568,8 @@
"oidcRPMetaDataOptionsIcon":"Logo",
"oidcRPMetaDataOptionsIDTokenExpiration":"ID Token expiration",
"oidcRPMetaDataOptionsIDTokenSignAlg":"ID Token signature algorithm",
"oidcRPMetaDataOptionsOfflineSessionExpiration":"Offline session expiration",
"oidcRPMetaDataOptionsRefreshToken":"Use refresh tokens",
"oidcRPMetaDataOptionsUserIDAttr":"User attribute",
"oidcRPName":"OpenID Connect RP Name",
"oidcRPStateTimeout":"State session timeout",
@ -584,6 +589,10 @@
"oidcServicePrivateKeySig":"Signing private key",
"oidcServicePublicKeySig":"Signing public key",
"oidcServiceKeyIdSig":"Signing key ID",
"oidcServiceAuthorizationCodeExpiration":"Authorization Code expiration",
"oidcServiceAccessTokenExpiration":"Access Token expiration",
"oidcServiceIDTokenExpiration":"ID Token expiration",
"oidcServiceOfflineSessionExpiration":"Offline session expiration",
"oidcStorage":"Sessions module name",
"oidcStorageOptions":"Sessions module options",
"oidcOPMetaDataNodes":"OpenID Connect Providers",
@ -605,6 +614,7 @@
"oidcServiceAllowAuthorizationCodeFlow":"Authorization Code Flow",
"oidcServiceAllowImplicitFlow":"Implicit Flow",
"oidcServiceAllowHybridFlow":"Hybrid Flow",
"oidcServiceAllowOffline":"Allow offline access",
"ok":"OK",
"oldNotifFormat":"Use old XML format",
"openIdAttr":"OpenID login",
@ -1066,4 +1076,4 @@
"samlRelayStateTimeout":"RelayState session timeout",
"samlUseQueryStringSpecific":"Use specific query_string method",
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
}
}

12
lemonldap-ng-manager/site/htdocs/static/languages/en.json
View File

@ -517,6 +517,7 @@
"nullParams":"Null parameters",
"number":"Number",
"off":"Off",
"offlineSessions":"Offline sessions",
"oldValue":"Old value",
"on":"On",
"oidcAuthnLevel":"Authentication level",
@ -528,6 +529,7 @@
"oidcOPMetaDataNode":"OpenID Connect Providers",
"oidcOPMetaDataOptions":"Options",
"oidcRPMetaDataOptionsAuthentication":"Authentication",
"oidcRPMetaDataOptionsAllowOffline":"Allow offline access",
"oidcOPMetaDataOptionsCheckJWTSignature":"Check JWT signature",
"oidcOPMetaDataOptionsClientID":"Client ID",
"oidcOPMetaDataOptionsClientSecret":"Client secret",
@ -556,7 +558,8 @@
"oidcRPMetaDataExportedVars":"Exported attributes",
"oidcRPMetaDataNode":"OpenID Connect Relying Parties",
"oidcRPMetaDataOptions":"Options",
"oidcRPMetaDataOptionsAccessTokenExpiration":"Access token expiration",
"oidcRPMetaDataOptionsAccessTokenExpiration":"Access Token expiration",
"oidcRPMetaDataOptionsAuthorizationCodeExpiration":"Authorization Code expiration",
"oidcRPMetaDataOptionsBypassConsent":"Bypass consent",
"oidcRPMetaDataOptionsClientID":"Client ID",
"oidcRPMetaDataOptionsClientSecret":"Client secret",
@ -565,6 +568,8 @@
"oidcRPMetaDataOptionsIcon":"Logo",
"oidcRPMetaDataOptionsIDTokenExpiration":"ID Token expiration",
"oidcRPMetaDataOptionsIDTokenSignAlg":"ID Token signature algorithm",
"oidcRPMetaDataOptionsOfflineSessionExpiration":"Offline session expiration",
"oidcRPMetaDataOptionsRefreshToken":"Use refresh tokens",
"oidcRPMetaDataOptionsUserIDAttr":"User attribute",
"oidcRPName":"OpenID Connect RP Name",
"oidcRPStateTimeout":"State session timeout",
@ -584,6 +589,10 @@
"oidcServicePrivateKeySig":"Signing private key",
"oidcServicePublicKeySig":"Signing public key",
"oidcServiceKeyIdSig":"Signing key ID",
"oidcServiceAuthorizationCodeExpiration":"Authorization Code expiration",
"oidcServiceAccessTokenExpiration":"Access Token expiration",
"oidcServiceIDTokenExpiration":"ID Token expiration",
"oidcServiceOfflineSessionExpiration":"Offline session expiration",
"oidcStorage":"Sessions module name",
"oidcStorageOptions":"Sessions module options",
"oidcOPMetaDataNodes":"OpenID Connect Providers",
@ -605,6 +614,7 @@
"oidcServiceAllowAuthorizationCodeFlow":"Authorization Code Flow",
"oidcServiceAllowImplicitFlow":"Implicit Flow",
"oidcServiceAllowHybridFlow":"Hybrid Flow",
"oidcServiceAllowOffline":"Allow offline access",
"ok":"OK",
"oldNotifFormat":"Use old XML format",
"openIdAttr":"OpenID login",

10
lemonldap-ng-manager/site/htdocs/static/languages/fr.json
View File

@ -517,6 +517,7 @@
"nullParams":"Paramètres Null",
"number":"Numéro",
"off":"Désactivé",
"offlineSessions":"Sessions hors ligne",
"oldValue":"Ancienne valeur",
"on":"Activé",
"oidcAuthnLevel":"Niveau d'authentification",
@ -528,6 +529,7 @@
"oidcOPMetaDataNode":"Fournisseurs OpenID Connect",
"oidcOPMetaDataOptions":"Options",
"oidcRPMetaDataOptionsAuthentication":"Authentification",
"oidcRPMetaDataOptionsAllowOffline":"Autoriser l'accès hors ligne",
"oidcOPMetaDataOptionsCheckJWTSignature":"Vérifier la signature des jetons",
"oidcOPMetaDataOptionsClientID":"Identifiant",
"oidcOPMetaDataOptionsClientSecret":"Mot de passe",
@ -557,6 +559,7 @@
"oidcRPMetaDataNode":"Clients OpenID Connect",
"oidcRPMetaDataOptions":"Options",
"oidcRPMetaDataOptionsAccessTokenExpiration":"Expiration des jetons d'accès",
"oidcRPMetaDataOptionsAuthorizationCodeExpiration":"Expiration des codes d'autorisation",
"oidcRPMetaDataOptionsBypassConsent":"Contourner le consentement",
"oidcRPMetaDataOptionsClientID":"Identifiant",
"oidcRPMetaDataOptionsClientSecret":"Mot de passe",
@ -565,6 +568,8 @@
"oidcRPMetaDataOptionsIcon":"Logo",
"oidcRPMetaDataOptionsIDTokenExpiration":"Expiration des jetons d'identité",
"oidcRPMetaDataOptionsIDTokenSignAlg":"Algorithme de signature des jetons d'identité",
"oidcRPMetaDataOptionsOfflineSessionExpiration":"Expiration des sessions hors-ligne",
"oidcRPMetaDataOptionsRefreshToken":"Utiliser les refresh tokens",
"oidcRPMetaDataOptionsUserIDAttr":"Attribut de l'utilisateur",
"oidcRPName":"Nom du client OpenID Connect",
"oidcRPStateTimeout":"Durée d'une session state",
@ -584,6 +589,10 @@
"oidcServicePrivateKeySig":"Clef privée de signature",
"oidcServicePublicKeySig":"Clef publique de signature",
"oidcServiceKeyIdSig":"Identifiant de clef de signature",
"oidcServiceAuthorizationCodeExpiration":"Expiration des codes d'autorisation",
"oidcServiceAccessTokenExpiration":"Expiration des jetons d'accès",
"oidcServiceIDTokenExpiration":"Expiration des jetons d'identité",
"oidcServiceOfflineSessionExpiration":"Expiration des sessions hors-ligne",
"oidcStorage":"Nom du module des sessions",
"oidcStorageOptions":"Options du module des sessions",
"oidcOPMetaDataNodes":"Fournisseurs OpenID Connect",
@ -605,6 +614,7 @@
"oidcServiceAllowAuthorizationCodeFlow":"Authorization Code Flow",
"oidcServiceAllowImplicitFlow":"Implicit Flow",
"oidcServiceAllowHybridFlow":"Hybrid Flow",
"oidcServiceAllowOffline":"Autoriser l'accès hors ligne",
"ok":"OK",
"oldNotifFormat":"Utiliser l'ancien format XML",
"openIdAttr":"Identifiant OpenID",

12
lemonldap-ng-manager/site/htdocs/static/languages/it.json
View File

@ -517,6 +517,7 @@
"nullParams":"Parametri Null",
"number":"Numero",
"off":"Off",
"offlineSessions":"Offline sessions",
"oldValue":"Vecchio valore",
"on":"On",
"oidcAuthnLevel":"Livello di autenticazione",
@ -528,6 +529,7 @@
"oidcOPMetaDataNode":"Provider di OpenID Connect",
"oidcOPMetaDataOptions":"Opzioni",
"oidcRPMetaDataOptionsAuthentication":"Autenticazione",
"oidcRPMetaDataOptionsAllowOffline":"Allow offline access",
"oidcOPMetaDataOptionsCheckJWTSignature":"Controllare la firma JWT",
"oidcOPMetaDataOptionsClientID":"ID Client",
"oidcOPMetaDataOptionsClientSecret":"Segreto Client",
@ -557,6 +559,7 @@
"oidcRPMetaDataNode":"Parti basate su OpenID Connect",
"oidcRPMetaDataOptions":"Opzioni",
"oidcRPMetaDataOptionsAccessTokenExpiration":"Scadenza accesso token",
"oidcRPMetaDataOptionsAuthorizationCodeExpiration":"Scadenza Authorization Code",
"oidcRPMetaDataOptionsBypassConsent":"Consenso di bypass",
"oidcRPMetaDataOptionsClientID":"ID Client",
"oidcRPMetaDataOptionsClientSecret":"Segreto Client",
@ -565,6 +568,8 @@
"oidcRPMetaDataOptionsIcon":"Logo",
"oidcRPMetaDataOptionsIDTokenExpiration":"Scadenza ID Token",
"oidcRPMetaDataOptionsIDTokenSignAlg":"Algoritmo di firma di identificazione di Token",
"oidcRPMetaDataOptionsOfflineSessionExpiration":"Scadenza Refresh Token",
"oidcRPMetaDataOptionsRefreshToken":"Use refresh tokens",
"oidcRPMetaDataOptionsUserIDAttr":"Attributo utente",
"oidcRPName":"Nome di OpenID Connect RP",
"oidcRPStateTimeout":"Durata della sessione stato",
@ -584,6 +589,10 @@
"oidcServicePrivateKeySig":"Firma della chiave privata",
"oidcServicePublicKeySig":"Firma della chiave pubblica",
"oidcServiceKeyIdSig":"ID del codice di accesso",
"oidcServiceAuthorizationCodeExpiration":"Scadenza Authorization Code",
"oidcServiceAccessTokenExpiration":"Scadenza accesso token",
"oidcServiceIDTokenExpiration":"Scadenza ID Token",
"oidcServiceOfflineSessionExpiration":"Scadenza Refresh Token",
"oidcStorage":"Nome del modulo Sessioni",
"oidcStorageOptions":"Opzioni del modulo Sessioni",
"oidcOPMetaDataNodes":"Provider di OpenID Connect",
@ -605,6 +614,7 @@
"oidcServiceAllowAuthorizationCodeFlow":"Flusso del codice di autorizzazione",
"oidcServiceAllowImplicitFlow":"Flusso implicito",
"oidcServiceAllowHybridFlow":"Flusso ibrido",
"oidcServiceAllowOffline":"Allow offline access",
"ok":"OK",
"oldNotifFormat":"Utilizza il vecchio formato XML",
"openIdAttr":"Login OpenID",
@ -1066,4 +1076,4 @@
"samlRelayStateTimeout":"Timeout di sessione di RelayState",
"samlUseQueryStringSpecific":"Utilizza il metodo specifico query_string",
"samlOverrideIDPEntityID":"Sostituisci l'ID entità quando agisce come IDP"
}
}

12
lemonldap-ng-manager/site/htdocs/static/languages/vi.json
View File

@ -517,6 +517,7 @@
"nullParams":"Tham số Null",
"number":"Số",
"off":"Tắt",
"offlineSessions":"Offline sessions",
"oldValue":"Giá trị cũ",
"on":"Vào",
"oidcAuthnLevel":"Mức xác thực",
@ -528,6 +529,7 @@
"oidcOPMetaDataNode":"Nhà cung cấp Kết nối OpenID",
"oidcOPMetaDataOptions":"Tùy chọn",
"oidcRPMetaDataOptionsAuthentication":"Xác thực",
"oidcRPMetaDataOptionsAllowOffline":"Allow offline access",
"oidcOPMetaDataOptionsCheckJWTSignature":"Kiểm tra chữ ký JWT",
"oidcOPMetaDataOptionsClientID":"Client ID",
"oidcOPMetaDataOptionsClientSecret":"Trình khách bí mật",
@ -557,6 +559,7 @@
"oidcRPMetaDataNode":"OpenID Connect Relying Parties",
"oidcRPMetaDataOptions":"Tùy chọn",
"oidcRPMetaDataOptionsAccessTokenExpiration":"Hết hạn truy cập Token",
"oidcRPMetaDataOptionsAuthorizationCodeExpiration":"Authorization Code hết hạn",
"oidcRPMetaDataOptionsBypassConsent":"Bỏ qua sự đồng ý",
"oidcRPMetaDataOptionsClientID":"Client ID",
"oidcRPMetaDataOptionsClientSecret":"Trình khách bí mật",
@ -565,6 +568,8 @@
"oidcRPMetaDataOptionsIcon":"Logo",
"oidcRPMetaDataOptionsIDTokenExpiration":"ID Token hết hạn",
"oidcRPMetaDataOptionsIDTokenSignAlg":"Thuật toán chữ ký ID Token",
"oidcRPMetaDataOptionsOfflineSessionExpiration":"Refresh Token hết hạn",
"oidcRPMetaDataOptionsRefreshToken":"Use refresh tokens",
"oidcRPMetaDataOptionsUserIDAttr":"thuộc tính người dùng",
"oidcRPName":"OpenID Connect RP Name",
"oidcRPStateTimeout":"Thời gian chờ của trạng thái phiên làm việc",
@ -584,6 +589,10 @@
"oidcServicePrivateKeySig":"Ký khóa cá nhân",
"oidcServicePublicKeySig":"Ký khóa công khai",
"oidcServiceKeyIdSig":"Khóa ID chính",
"oidcServiceAuthorizationCodeExpiration":"Authorization Code hết hạn",
"oidcServiceAccessTokenExpiration":"Hết hạn truy cập Token",
"oidcServiceIDTokenExpiration":"ID Token hết hạn",
"oidcServiceOfflineSessionExpiration":"Refresh Token hết hạn",
"oidcStorage":"Tên mô-đun phiên",
"oidcStorageOptions":"Tùy chọn mô-đun phiên",
"oidcOPMetaDataNodes":"Nhà cung cấp Kết nối OpenID",
@ -605,6 +614,7 @@
"oidcServiceAllowAuthorizationCodeFlow":"Dòng mã ủy quyền",
"oidcServiceAllowImplicitFlow":"Dòng chảy ngầm",
"oidcServiceAllowHybridFlow":"Dòng chảy hỗn hợp",
"oidcServiceAllowOffline":"Allow offline access",
"ok":"OK",
"oldNotifFormat":"Sử dụng định dạng XML cũ",
"openIdAttr":"Đăng nhập OpenID",
@ -1066,4 +1076,4 @@
"samlRelayStateTimeout":"Thời gian hết hạn phiên RelayState ",
"samlUseQueryStringSpecific":"Sử dụng phương pháp query_string cụ thể",
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
}
}

14
lemonldap-ng-manager/site/htdocs/static/languages/zh.json
View File

@ -517,6 +517,7 @@
"nullParams":"Null parameters",
"number":"Number",
"off":"Off",
"offlineSessions":"Offline sessions",
"oldValue":"Old value",
"on":"On",
"oidcAuthnLevel":"认证等级",
@ -528,6 +529,7 @@
"oidcOPMetaDataNode":"OpenID Connect Providers",
"oidcOPMetaDataOptions":"Options",
"oidcRPMetaDataOptionsAuthentication":"Authentication",
"oidcRPMetaDataOptionsAllowOffline":"Allow offline access",
"oidcOPMetaDataOptionsCheckJWTSignature":"Check JWT signature",
"oidcOPMetaDataOptionsClientID":"Client ID",
"oidcOPMetaDataOptionsClientSecret":"Client secret",
@ -556,7 +558,8 @@
"oidcRPMetaDataExportedVars":"Exported attributes",
"oidcRPMetaDataNode":"OpenID Connect Relying Parties",
"oidcRPMetaDataOptions":"Options",
"oidcRPMetaDataOptionsAccessTokenExpiration":"Access token expiration",
"oidcRPMetaDataOptionsAccessTokenExpiration":"Access Token expiration",
"oidcRPMetaDataOptionsAuthorizationCodeExpiration":"Authorization Code expiration",
"oidcRPMetaDataOptionsBypassConsent":"Bypass consent",
"oidcRPMetaDataOptionsClientID":"Client ID",
"oidcRPMetaDataOptionsClientSecret":"Client secret",
@ -565,6 +568,8 @@
"oidcRPMetaDataOptionsIcon":"Logo",
"oidcRPMetaDataOptionsIDTokenExpiration":"ID Token expiration",
"oidcRPMetaDataOptionsIDTokenSignAlg":"ID Token signature algorithm",
"oidcRPMetaDataOptionsOfflineSessionExpiration":"Offline session expiration",
"oidcRPMetaDataOptionsRefreshToken":"Use refresh tokens",
"oidcRPMetaDataOptionsUserIDAttr":"User attribute",
"oidcRPName":"OpenID Connect RP Name",
"oidcRPStateTimeout":"State session timeout",
@ -584,6 +589,10 @@
"oidcServicePrivateKeySig":"Signing private key",
"oidcServicePublicKeySig":"Signing public key",
"oidcServiceKeyIdSig":"Signing key ID",
"oidcServiceAuthorizationCodeExpiration":"Authorization code expiration",
"oidcServiceAccessTokenExpiration":"Access Token expiration",
"oidcServiceIDTokenExpiration":"ID Token expiration",
"oidcServiceOfflineSessionExpiration":"Offline session expiration",
"oidcStorage":"Sessions module name",
"oidcStorageOptions":"Sessions module options",
"oidcOPMetaDataNodes":"OpenID Connect Providers",
@ -605,6 +614,7 @@
"oidcServiceAllowAuthorizationCodeFlow":"Authorization Code Flow",
"oidcServiceAllowImplicitFlow":"Implicit Flow",
"oidcServiceAllowHybridFlow":"Hybrid Flow",
"oidcServiceAllowOffline":"Allow offline access",
"ok":"OK",
"oldNotifFormat":"Use old XML format",
"openIdAttr":"OpenID login",
@ -1066,4 +1076,4 @@
"samlRelayStateTimeout":"RelayState session timeout",
"samlUseQueryStringSpecific":"Use specific query_string method",
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
}
}

2
lemonldap-ng-manager/site/htdocs/static/reverseTree.json
View File

File diff suppressed because one or more lines are too long

2
lemonldap-ng-manager/site/htdocs/static/struct.json
View File

File diff suppressed because one or more lines are too long

1
lemonldap-ng-manager/site/templates/sessions.tpl
View File

@ -26,6 +26,7 @@
</ul>
</li>
<li><a id="a-persistent" href="#!/persistent" role="row"><i class="glyphicon glyphicon-lock"></i> {{translate('persistentSessions')}}</a></li>
<li><a id="a-offline" href="#!/offline" role="row"><i class="glyphicon glyphicon-time"></i> {{translate('offlineSessions')}}</a></li>
</ul>
</div>
</div>

671
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
View File

@ -6,6 +6,7 @@ use Mouse;
use Lemonldap::NG::Common::FormEncode;
use Lemonldap::NG::Portal::Main::Constants qw(
PE_BADURL
PE_BADCREDENTIALS
PE_CONFIRM
PE_ERROR
PE_LOGOUT_OK
@ -547,11 +548,12 @@ sub run {
}
my $scope_messages = {
openid => 'yourIdentity',
profile => 'yourProfile',
email => 'yourEmail',
address => 'yourAddress',
phone => 'yourPhone',
openid => 'yourIdentity',
profile => 'yourProfile',
email => 'yourEmail',
address => 'yourAddress',
phone => 'yourPhone',
offline_access => 'yourOffline',
};
my @list;
foreach my $requested_scope (
@ -609,6 +611,47 @@ sub run {
);
}
# WIP: Offline access
my $offline = 0;
if ( $oidc_request->{'scope'} =~ /\boffline_access\b/ ) {
$offline = 1;
# MUST ensure that the prompt parameter contains consent unless
# other conditions for processing the request permitting offline
# access to the requested resources are in place; unless one or
# both of these conditions are fulfilled, then it MUST ignore
# the offline_access request,
unless ( $bypassConsent
or ( $prompt and $prompt =~ /\bconsent\b/ ) )
{
$self->logger->warn( "Offline access ignored, "
. "prompt parameter must contain \"consent\"" );
$offline = 0;
}
# MUST ignore the offline_access request unless the Client is
# using a response_type value that would result in an
# Authorization Code being returned,
if ( $response_type !~ /\bcode\b/ ) {
$self->logger->warn( "Offline access incompatible "
. "with response type $response_type" );
$offline = 0;
}
# Ignore offline_access request if not authorized by the RP
unless ( $self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsAllowOffline} )
{
$self->logger->warn(
"Offline access not authorized for RP $rp");
$offline = 0;
}
# Strip offline_access from scopes from now on
$oidc_request->{'scope'} = join " ", grep !/^offline_access$/,
split /\s+/, $oidc_request->{'scope'};
}
# Authorization Code Flow
if ( $flow eq "authorizationcode" ) {
@ -616,14 +659,15 @@ sub run {
my $codeSession = $self->newAuthorizationCode(
$rp,
{
code_challenge => $oidc_request->{'code_challenge'},
code_challenge_method =>
$oidc_request->{'code_challenge_method'},
nonce => $oidc_request->{'nonce'},
offline => $offline,
redirect_uri => $oidc_request->{'redirect_uri'},
scope => $oidc_request->{'scope'},
client_id => $client_id,
user_session_id => $req->id,
nonce => $oidc_request->{'nonce'},
code_challenge => $oidc_request->{'code_challenge'},
code_challenge_method =>
$oidc_request->{'code_challenge_method'},
}
);
@ -687,8 +731,10 @@ sub run {
}
# ID token payload
my $id_token_exp = $self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsIDTokenExpiration};
my $id_token_exp =
$self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsIDTokenExpiration}
|| $self->conf->{oidcServiceIDTokenExpiration};
$id_token_exp += time;
my $authenticationLevel =
@ -733,7 +779,8 @@ sub run {
# No access_token
# Claims must be set in id_token
my $claims =
$self->buildUserInfoResponse( $oidc_request->{'scope'},
$self->buildUserInfoResponseFromId(
$oidc_request->{'scope'},
$rp, $req->id );
foreach ( keys %$claims ) {
@ -749,8 +796,10 @@ sub run {
$self->logger->debug("Generated id token: $id_token");
# Send token response
my $expires_in = $self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsAccessTokenExpiration};
my $expires_in =
$self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsAccessTokenExpiration}
|| $self->conf->{oidcServiceAccessTokenExpiration};
# Build Response
my $response_url = $self->buildImplicitAuthnResponse(
@ -783,11 +832,12 @@ sub run {
my $codeSession = $self->newAuthorizationCode(
$rp,
{
nonce => $oidc_request->{'nonce'},
offline => $offline,
redirect_uri => $oidc_request->{'redirect_uri'},
client_id => $client_id,
scope => $oidc_request->{'scope'},
user_session_id => $req->id,
nonce => $oidc_request->{'nonce'},
}
);
@ -836,11 +886,13 @@ sub run {
# ID token payload
my $id_token_exp =
$self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsIDTokenExpiration};
->{oidcRPMetaDataOptionsIDTokenExpiration}
|| $self->conf->{oidcServiceIDTokenExpiration};
$id_token_exp += time;
my $id_token_acr =
"loa-" . $req->{sessionInfo}->{authenticationLevel};
"loa-"
. ( $req->{sessionInfo}->{authenticationLevel} || 0 );
my $user_id_attribute =
$self->conf->{oidcRPMetaDataOptions}->{$rp}
@ -870,7 +922,7 @@ sub run {
# No access_token
# Claims must be set in id_token
my $claims = $self->buildUserInfoResponse(
my $claims = $self->buildUserInfoResponseFromId(
$oidc_request->{'scope'},
$rp, $req->id );
@ -887,8 +939,10 @@ sub run {
$self->logger->debug("Generated id token: $id_token");
}
my $expires_in = $self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsAccessTokenExpiration};
my $expires_in =
$self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsAccessTokenExpiration}
|| $self->conf->{oidcServiceAccessTokenExpiration};
# Build Response
my $response_url = $self->buildHybridAuthnResponse(
@ -1013,152 +1067,434 @@ sub token {
my $client_id = $self->oidcRPList->{$rp}->{oidcRPMetaDataOptionsClientID};
# Get code session
my $code = $req->param('code');
my $grant_type = $req->param('grant_type');
unless ($code) {
$self->logger->error("No code found on token endpoint");
return $self->p->sendError( $req, 'invalid_request', 400 );
}
# Autorization Code grant
if ( $grant_type eq 'authorization_code' ) {
my $code = $req->param('code');
$self->logger->debug("OpenID Connect Code: $code");
unless ($code) {
$self->logger->error("No code found on token endpoint");
return $self->p->sendError( $req, 'invalid_request', 400 );
}
my $codeSession = $self->getAuthorizationCode($code);
my $codeSession = $self->getAuthorizationCode($code);
unless ($codeSession) {
$self->logger->error("Unable to find OIDC session $code");
return $self->p->sendError( $req, 'invalid_request', 400 );
}
unless ($codeSession) {
$self->logger->error("Unable to find OIDC session $code");
return $self->p->sendError( $req, 'invalid_request', 400 );
}
# Check PKCE
if ( $self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsRequirePKCE} )
{
unless (
$self->validatePKCEChallenge(
$req->param('code_verifier'),
$codeSession->data->{'code_challenge'},
$codeSession->data->{'code_challenge_method'}
)
)
$codeSession->remove();
# Check PKCE
if ( $self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsRequirePKCE} )
{
unless (
$self->validatePKCEChallenge(
$req->param('code_verifier'),
$codeSession->data->{'code_challenge'},
$codeSession->data->{'code_challenge_method'}
)
)
{
return $self->p->sendError( $req, 'invalid_grant', 400 );
}
}
# Check we have the same client_id value
unless ( $client_id eq $codeSession->data->{client_id} ) {
$self->userLogger->error( "Provided client_id does not match "
. $codeSession->data->{client_id} );
return $self->p->sendError( $req, 'invalid_grant', 400 );
}
}
# Check we have the same client_id value
unless ( $client_id eq $codeSession->data->{client_id} ) {
$self->userLogger->error( "Provided client_id does not match "
. $codeSession->data->{client_id} );
return $self->p->sendError( $req, 'invalid_grant', 400 );
}
# Check we have the same redirect_uri value
unless ( $req->param("redirect_uri") eq $codeSession->data->{redirect_uri} )
{
$self->userLogger->error( "Provided redirect_uri does not match "
. $codeSession->data->{redirect_uri} );
return $self->p->sendError( $req, 'invalid_request', 400 );
}
# Get user identifier
my $apacheSession =
$self->p->getApacheSession( $codeSession->data->{user_session_id},
noInfo => 1 );
unless ($apacheSession) {
$self->userLogger->error(
"Unable to find user session linked to OIDC session $code");
$codeSession->remove();
return $self->p->sendError( $req, 'invalid_request', 400 );
}
my $user_id_attribute =
$self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsUserIDAttr}
|| $self->conf->{whatToTrace};
my $user_id = $apacheSession->data->{$user_id_attribute};
$self->logger->debug("Found corresponding user: $user_id");
# Generate access_token
my $accessTokenSession = $self->newAccessToken(
$rp,
# Check we have the same redirect_uri value
unless (
$req->param("redirect_uri") eq $codeSession->data->{redirect_uri} )
{
scope => $codeSession->data->{scope},
rp => $rp,
user_session_id => $apacheSession->id,
$self->userLogger->error( "Provided redirect_uri does not match "
. $codeSession->data->{redirect_uri} );
return $self->p->sendError( $req, 'invalid_grant', 400 );
}
);
unless ($accessTokenSession) {
# Get user identifier
my $apacheSession =
$self->p->getApacheSession( $codeSession->data->{user_session_id},
noInfo => 1 );
unless ($apacheSession) {
$self->userLogger->error("Unable to find user session");
return $self->p->sendError( $req, 'invalid_grant', 400 );
}
my $user_id_attribute =
$self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsUserIDAttr}
|| $self->conf->{whatToTrace};
my $user_id = $apacheSession->data->{$user_id_attribute};
$self->logger->debug("Found corresponding user: $user_id");
# Generate access_token
my $accessTokenSession = $self->newAccessToken(
$rp,
{
scope => $codeSession->data->{scope},
rp => $rp,
user_session_id => $apacheSession->id,
}
);
unless ($accessTokenSession) {
$self->userLogger->error(
"Unable to create OIDC session for access_token");
#FIXME: should be an error 500
return $self->p->sendError( $req, 'invalid_request', 400 );
}
my $access_token = $accessTokenSession->id;
$self->logger->debug("Generated access token: $access_token");
# Generate refresh_token
my $refresh_token = undef;
# For offline access, the refresh token isn't tied to the session ID
if ( $codeSession->{data}->{offline} ) {
# We need to remove _sessionType and _sessionid from the session data
# before storing session data in the refresh token
my %userInfo;
for
my $userKey ( grep !/^_session/, keys %{ $apacheSession->data } )
{
$userInfo{$userKey} = $apacheSession->data->{$userKey};
}
my $refreshTokenSession = $self->newRefreshToken(
$rp,
{
%userInfo,
redirect_uri => $codeSession->data->{redirect_uri},
scope => $codeSession->data->{scope},
client_id => $client_id,
_session_uid => $apacheSession->data->{_user},
auth_time => $apacheSession->data->{_lastAuthnUTime},
},
1,
);
unless ($refreshTokenSession) {
$self->userLogger->error(
"Unable to create OIDC session for refresh_token");
return $self->p->sendError( $req, 'invalid_request', 400 );
}
$refresh_token = $refreshTokenSession->id;
$self->logger->debug("Generated refresh token: $refresh_token");
}
# For online access, if configured
elsif ( $self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsRefreshToken} )
{
my $refreshTokenSession = $self->newRefreshToken(
$rp,
{
redirect_uri => $codeSession->data->{redirect_uri},
scope => $codeSession->data->{scope},
client_id => $client_id,
user_session_id => $codeSession->data->{user_session_id},
},
0,
);
unless ($refreshTokenSession) {
$self->userLogger->error(
"Unable to create OIDC session for refresh_token");
return $self->p->sendError( $req, 'invalid_request', 400 );
}
$refresh_token = $refreshTokenSession->id;
$self->logger->debug("Generated refresh token: $refresh_token");
}
# Compute hash to store in at_hash
my $alg = $self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsIDTokenSignAlg};
my ($hash_level) = ( $alg =~ /(?:\w{2})(\d{3})/ );
my $at_hash = $self->createHash( $access_token, $hash_level )
if $hash_level;
# ID token payload
my $id_token_exp =
$self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsIDTokenExpiration}
|| $self->conf->{oidcServiceIDTokenExpiration};
$id_token_exp += time;
my $id_token_acr = "loa-" . $apacheSession->data->{authenticationLevel};
my $id_token_payload_hash = {
iss => $self->conf->{oidcServiceMetaDataIssuer}, # Issuer Identifier
sub => $user_id, # Subject Identifier
aud => [$client_id], # Audience
exp => $id_token_exp, # expiration
iat => time, # Issued time
auth_time => $apacheSession->data->{_lastAuthnUTime}
, # Authentication time
acr => $id_token_acr, # Authentication Context Class Reference
azp => $client_id, # Authorized party
# TODO amr
};
my $nonce = $codeSession->data->{nonce};
$id_token_payload_hash->{nonce} = $nonce if defined $nonce;
$id_token_payload_hash->{'at_hash'} = $at_hash if $at_hash;
# Create ID Token
my $id_token = $self->createIDToken( $id_token_payload_hash, $rp );
$self->logger->debug("Generated id token: $id_token");
# Send token response
my $expires_in =
$self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsAccessTokenExpiration}
|| $self->conf->{oidcServiceAccessTokenExpiration};
my $token_response = {
access_token => $access_token,
token_type => 'Bearer',
expires_in => $expires_in,
id_token => $id_token,
( $refresh_token ? ( refresh_token => $refresh_token ) : () ),
};
my $cRP = $apacheSession->data->{_oidcConnectedRP} || '';
unless ( $cRP =~ /\b$rp\b/ ) {
$self->p->updateSession( $req, { _oidcConnectedRP => "$rp,$cRP" },
$apacheSession->id );
}
$self->logger->debug("Send token response");
return $self->p->sendJSONresponse( $req, $token_response );
}
# Refresh token
elsif ( $grant_type eq 'refresh_token' ) {
my $refresh_token = $req->param('refresh_token');
unless ($refresh_token) {
$self->logger->error("Missing refresh_token parameter");
return $self->p->sendError( $req, 'invalid_request', 400 );
}
$self->logger->debug("OpenID Refresh Token: $refresh_token");
my $refreshSession = $self->getRefreshToken($refresh_token);
unless ($refreshSession) {
$self->logger->error("Unable to find OIDC session $refresh_token");
return $self->p->sendError( $req, 'invalid_request', 400 );
}
# Check we have the same client_id value
unless ( $client_id eq $refreshSession->data->{client_id} ) {
$self->userLogger->error( "Provided client_id does not match "
. $refreshSession->data->{client_id} );
return $self->p->sendError( $req, 'invalid_grant', 400 );
}
my $access_token;
my $user_id;
my $auth_time;
# If this refresh token is tied to a SSO session
if ( $refreshSession->data->{user_session_id} ) {
my $user_session_id = $refreshSession->data->{user_session_id};
my $session = $self->p->getApacheSession($user_session_id);
unless ($session) {
$self->logger->error("Unable to find user session");
return $self->returnBearerError( 'invalid_request',
'Invalid request', 401 );
}
my $user_id_attribute =
$self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsUserIDAttr}
|| $self->conf->{whatToTrace};
$user_id = $session->data->{$user_id_attribute};
$auth_time = $session->data->{_lastAuthnUTime};
# Generate access_token
my $accessTokenSession = $self->newAccessToken(
$rp,
{
scope => $refreshSession->data->{scope},
rp => $rp,
user_session_id => $user_session_id,
}
);
unless ($accessTokenSession) {
$self->userLogger->error(
"Unable to create OIDC session for access_token");
return $self->p->sendError( $req,
'Unable to create Access Token', 500 );
}
$access_token = $accessTokenSession->id;
$self->logger->debug("Generated access token: $access_token");
}
# Else, we are in an offline session
else {
# Lookup attributes and macros for user
$req->user( $refreshSession->data->{_session_uid} );
$req->steps( [
'getUser', @{ $self->p->betweenAuthAndData },
'setSessionInfo', 'setMacros',
'setGroups', 'setLocalGroups',
]
);
$req->{error} = $self->p->process($req);
if ( $req->error > 0 ) {
# PE_BADCREDENTIAL is returned by UserDB modules when the user was
# explicitely not found. And not in case of temporary failures
if ( $req->error == PE_BADCREDENTIALS ) {
$self->logger->error( "User: "
. $req->user
. " no longer exists, removing offline session" );
$refreshSession->remove;
}
else {
$self->logger->error(
"Could not resolve user: " . $req->user );
}
return $self->p->sendError( $req, 'invalid_grant', 400 );
}
# Update refresh session
$self->updateRefreshToken( $refreshSession->id, $req->sessionInfo );
my $user_id_attribute =
$self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsUserIDAttr}
|| $self->conf->{whatToTrace};
$user_id = $req->sessionInfo->{$user_id_attribute};
$self->logger->debug("Found corresponding user: $user_id");
$auth_time = $refreshSession->data->{auth_time};
# Generate access_token
my $accessTokenSession = $self->newAccessToken(
$rp,
{
scope => $refreshSession->data->{scope},
rp => $rp,
offline_session_id => $refreshSession->id,
}
);
unless ($accessTokenSession) {
$self->userLogger->error(
"Unable to create OIDC session for access_token");
return $self->p->sendError( $req,
'Unable to create Access Token', 500 );
}
$access_token = $accessTokenSession->id;
$self->logger->debug("Generated access token: $access_token");
}
# Compute hash to store in at_hash
my $alg = $self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsIDTokenSignAlg};
my ($hash_level) = ( $alg =~ /(?:\w{2})(\d{3})/ );
my $at_hash = $self->createHash( $access_token, $hash_level )
if $hash_level;
# ID token payload
my $id_token_exp =
$self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsIDTokenExpiration}
|| $self->conf->{oidcServiceIDTokenExpiration};
$id_token_exp += time;
# Authentication level using refresh tokens should probably stay at 0
my $id_token_acr = "loa-0";
my $id_token_payload_hash = {
iss => $self->conf->{oidcServiceMetaDataIssuer}, # Issuer Identifier
sub => $user_id, # Subject Identifier
aud => [$client_id], # Audience
exp => $id_token_exp, # expiration
iat => time, # Issued time
# TODO: is this the right value when using refresh tokens??
auth_time => $auth_time, # Authentication time
acr => $id_token_acr, # Authentication Context Class Reference
azp => $client_id, # Authorized party
# TODO amr
};
my $nonce = $refreshSession->data->{nonce};
$id_token_payload_hash->{nonce} = $nonce if defined $nonce;
$id_token_payload_hash->{'at_hash'} = $at_hash if $at_hash;
# Create ID Token
my $id_token = $self->createIDToken( $id_token_payload_hash, $rp );
$self->logger->debug("Generated id token: $id_token");
# Send token response
my $expires_in =
$self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsAccessTokenExpiration}
|| $self->conf->{oidcServiceAccessTokenExpiration};
my $token_response = {
access_token => $access_token,
token_type => 'Bearer',
expires_in => $expires_in,
id_token => $id_token,
};
# TODO
#my $cRP = $apacheSession->data->{_oidcConnectedRP} || '';
#unless ( $cRP =~ /\b$rp\b/ ) {
# $self->p->updateSession( $req, { _oidcConnectedRP => "$rp,$cRP" },
# $apacheSession->id );
#}
$self->logger->debug("Send token response");
return $self->p->sendJSONresponse( $req, $token_response );
}
# Unknown or unspecified grant type
else {
$self->userLogger->error(
"Unable to create OIDC session for access_token");
$codeSession->remove();
return $self->p->sendError( $req, 'invalid_request', 400 );
$grant_type
? "Missing grant_type parameter"
: "Unknown grant type: $grant_type"
);
return $self->p->sendError( $req, 'unsupported_grant_type', 400 );
}
my $access_token = $accessTokenSession->id;
$self->logger->debug("Generated access token: $access_token");
# Compute hash to store in at_hash
my $alg = $self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsIDTokenSignAlg};
my ($hash_level) = ( $alg =~ /(?:\w{2})(\d{3})/ );
my $at_hash = $self->createHash( $access_token, $hash_level )
if $hash_level;
# ID token payload
my $id_token_exp = $self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsIDTokenExpiration};
$id_token_exp += time;
my $id_token_acr = "loa-" . $apacheSession->data->{authenticationLevel};
my $id_token_payload_hash = {
iss => $self->iss,
sub => $user_id, # Subject Identifier
aud => [$client_id], # Audience
exp => $id_token_exp, # expiration
iat => time, # Issued time
auth_time => $apacheSession->data->{_lastAuthnUTime}
, # Authentication time
acr => $id_token_acr, # Authentication Context Class Reference
azp => $client_id, # Authorized party
# TODO amr
};
my $nonce = $codeSession->data->{nonce};
$id_token_payload_hash->{nonce} = $nonce if defined $nonce;
$id_token_payload_hash->{'at_hash'} = $at_hash if $at_hash;
# Create ID Token
my $id_token = $self->createIDToken( $id_token_payload_hash, $rp );
$self->logger->debug("Generated id token: $id_token");
# Send token response
my $expires_in = $self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsAccessTokenExpiration};
my $token_response = {
access_token => $access_token,
token_type => 'Bearer',
expires_in => $expires_in,
id_token => $id_token,
};
my $cRP = $apacheSession->data->{_oidcConnectedRP} || '';
unless ( $cRP =~ /\b$rp\b/ ) {
$self->p->updateSession( $req, { _oidcConnectedRP => "$rp,$cRP" },
$apacheSession->id );
}
$self->logger->debug("Send token response");
$codeSession->remove();
return $self->p->sendJSONresponse( $req, $token_response );
}
# Handle userinfo endpoint
@ -1190,8 +1526,39 @@ sub userInfo {
my $rp = $accessTokenSession->data->{rp};
my $user_session_id = $accessTokenSession->data->{user_session_id};
my $session;
# If using a refreshed access token
if ($user_session_id) {
# Get user identifier
$session = $self->p->getApacheSession($user_session_id);
unless ($session) {
$self->logger->error("Unable to find user session");
return $self->returnBearerError( 'invalid_request',
'Invalid request', 401 );
}
}
else {
my $offline_session_id =
$accessTokenSession->data->{offline_session_id};
unless ($offline_session_id) {
return $self->returnBearerError( 'invalid_request',
'Invalid request', 401 );
}
$session = $self->getRefreshToken($offline_session_id);
unless ($session) {
$self->logger->error("Unable to find refresh session");
return $self->returnBearerError( 'invalid_request',
'Invalid request', 401 );
}
}
my $userinfo_response =
$self->buildUserInfoResponse( $scope, $rp, $user_session_id );
$self->buildUserInfoResponse( $scope, $rp, $session );
unless ($userinfo_response) {
return $self->returnBearerError( 'invalid_request', 'Invalid request',
401 );

125
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
View File

@ -637,8 +637,15 @@ sub decodeJSON {
sub newAuthorizationCode {
my ( $self, $rp, $info ) = @_;
return $self->getOpenIDConnectSession( undef, "authorization_code", undef,
$info );
return $self->getOpenIDConnectSession(
undef,
"authorization_code",
$self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsAuthorizationCodeExpiration}
|| $self->conf->{oidcServiceAuthorizationCodeExpiration},
,
$info
);
}
# Get existing Authorization Code
@ -662,7 +669,8 @@ sub newAccessToken {
undef,
"access_token",
$self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsAccessTokenExpiration},
->{oidcRPMetaDataOptionsAccessTokenExpiration}
|| $self->conf->{oidcServiceAccessTokenExpiration},
$info
);
}
@ -677,6 +685,68 @@ sub getAccessToken {
return $self->getOpenIDConnectSession( $id, "access_token" );
}
# Create a new Refresh Token
# @param info hashref of session info
# @return new Lemonldap::NG::Common::Session object
sub newRefreshToken {
my ( $self, $rp, $info, $offline ) = @_;
my $ttl = $offline ? (
$self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsOfflineSessionExpiration}
|| $self->conf->{oidcServiceOfflineSessionExpiration}) : $self->conf->{timeout};
return $self->getOpenIDConnectSession(
undef,
"refresh_token",
$ttl,
$info
);
}
# Get existing Refresh Token
# @param id
# @return new Lemonldap::NG::Common::Session object
sub getRefreshToken {
my ( $self, $id ) = @_;
return $self->getOpenIDConnectSession( $id, "refresh_token" );
}
sub updateRefreshToken {
my ( $self, $id, $infos ) = @_;
my %storage = (
storageModule => $self->conf->{oidcStorage},
storageModuleOptions => $self->conf->{oidcStorageOptions},
);
unless ( $storage{storageModule} ) {
%storage = (
storageModule => $self->conf->{globalStorage},
storageModuleOptions => $self->conf->{globalStorageOptions},
);
}
my $oidcSession = Lemonldap::NG::Common::Session->new( {
%storage,
cacheModule => $self->conf->{localSessionStorage},
cacheModuleOptions => $self->conf->{localSessionStorageOptions},
id => $id,
info => $infos,
}
);
if ( $oidcSession->error ) {
$self->userLogger->warn(
"OpenIDConnect session $id isn't yet available");
return undef;
}
return $oidcSession;
}
# Try to recover the OpenID Connect session corresponding to id and return session
# If id is set to undef, return a new session
# @return Lemonldap::NG::Common::Session object
@ -739,6 +809,15 @@ sub getOpenIDConnectSession {
. $type );
return undef;
}
# Make sure the token is still valid, we already compensated for
# different TTLs when storing _utime
if (
time > ( $oidcSession->{data}->{_utime} + $self->conf->{timeout} ) )
{
$self->logger->error("Session $id has expired");
return undef;
}
}
# Make sure the token is still valid, we already compensated for
@ -1221,22 +1300,28 @@ sub getAttributesListFromClaim {
# @param rp Internal Relying Party identifier
# @param user_session_id User session identifier
# @return hashref UserInfo data
sub buildUserInfoResponse {
sub buildUserInfoResponseFromId {
my ( $self, $scope, $rp, $user_session_id ) = @_;
my $session = $self->p->getApacheSession($user_session_id);
return undef unless ($session);
return buildUserInfoResponse( $self, $scope, $rp, $session );
}
# Return Hash of UserInfo data
# @param scope OIDC scope
# @param rp Internal Relying Party identifier
# @param session SSO or offline session
# @return hashref UserInfo data
sub buildUserInfoResponse {
my ( $self, $scope, $rp, $session ) = @_;
my $userinfo_response = {};
# Get user identifier
my $apacheSession = $self->p->getApacheSession($user_session_id);
unless ($apacheSession) {
$self->logger->error("Unable to find user session");
return undef;
}
my $user_id_attribute =
$self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsUserIDAttr}
|| $self->conf->{whatToTrace};
my $user_id = $apacheSession->data->{$user_id_attribute};
my $user_id = $session->data->{$user_id_attribute};
$self->logger->debug("Found corresponding user: $user_id");
@ -1252,7 +1337,7 @@ sub buildUserInfoResponse {
my $session_key =
$self->conf->{oidcRPMetaDataExportedVars}->{$rp}->{$attribute};
if ($session_key) {
my $session_value = $apacheSession->data->{$session_key};
my $session_value = $session->data->{$session_key};
# Address is a JSON object
if ( $claim eq "address" ) {
@ -1665,6 +1750,10 @@ Generate new Authorization Code session
Generate new Access Token session
=head2 newRefreshToken
Generate new Refresh Token session
=head2 getAuthorizationCode
Get existing Authorization Code session
@ -1673,6 +1762,10 @@ Get existing Authorization Code session
Get existing Access Token session
=head2 getRefreshToken
Get existing Refresh Token session
=head2 getOpenIDConnectSession
Try to recover the OpenID Connect session corresponding to id and return session
@ -1717,9 +1810,13 @@ Get Access Token
Return list of attributes authorized for a claim
=head2 buildUserInfoResponseFromId
Return Hash of UserInfo data from session ID
=head2 buildUserInfoResponse
Return Hash of UserInfo data
Return Hash of UserInfo data from session object
=head2 createJWT

3
lemonldap-ng-portal/site/htdocs/static/languages/ar.json
View File

@ -273,8 +273,9 @@
"yourKeyIsUnregistered":"تمت إزالة المفتاح",
"yourKeyIsVerified":"تم اختبار المفتاح الخاص بك بنجاح",
"yourNewTotpKey":"Your new TOTP key, please test it and enter the code",
"yourOffline": "and access your account while you are offline",
"yourPhone":"رقم هاتفك",
"yourProfile":"ملفك الشخصي",
"yourTotpKey":"Your TOTP key",
"yubikey2f":"Yubikey"
}
}

15
lemonldap-ng-portal/site/htdocs/static/languages/de.json
View File

@ -184,7 +184,7 @@
"notFound":"Nicht gefunden: Du versuchst, auf eine nicht verfügbare Seite zuzugreifen",
"noTOTPFound":"Kein TOTP gefunden",
"noU2FKeyFound":"Kein U2F Schlüssel gefunden",
"oidcConsent":"Die Anwendung %s möchte wissen:",
"oidcConsent":"Die Anwendung %s möchte:",
"oidcConsents":"OIDC consents",
"oidcConsentsFull":"OpenID Connect consents",
"oneExpired2Fremoved":"An expired 2F device has been removed!",
@ -263,18 +263,19 @@
"warning":"Warnung",
"welcomeOnPortal":"Willkommen in Ihrem gesicherten Authentifizierungsportal.",
"yesResendMail":"Ja, Mail erneut senden.",
"yourAddress":"Ihre Adresse",
"yourAddress":"Wissen Ihre Adresse",
"yourApps":"Ihre Applikationen",
"yourEmail":"Ihre Mailadresse",
"yourIdentity":"Ihre Identität",
"yourEmail":"Wissen Ihre Mailadresse",
"yourIdentity":"Wissen Ihre Identität",
"yourIdentityIs":"Ihre Identität ist",
"yourKeyIsRegistered":"Ihr Key wurde registriert",
"yourKeyIsAlreadyRegistered":"Your key is ALREADY registered!",
"yourKeyIsUnregistered":"Your key has been unregistered",
"yourKeyIsVerified":"Ihr Key ist bestätigt",
"yourNewTotpKey":"Your new TOTP key, please test it and enter the code",
"yourPhone":"Ihre Telefonnummer",
"yourProfile":"Ihr Profil",
"yourOffline": "and access your account while you are offline",
"yourPhone":"Wissen Ihre Telefonnummer",
"yourProfile":"Wissen Ihr Profil",
"yourTotpKey":"Your TOTP key",
"yubikey2f":"Yubikey"
}
}

13
lemonldap-ng-portal/site/htdocs/static/languages/en.json
View File

@ -184,7 +184,7 @@
"notFound": "Not found: you try to access to an unavailable page",
"noTOTPFound":"No TOTP found",
"noU2FKeyFound": "No U2F key found",
"oidcConsent":"The application %s would like to know:",
"oidcConsent":"The application %s would like to:",
"oidcConsents": "OIDC consents",
"oidcConsentsFull":"OpenID Connect consents",
"oneExpired2Fremoved":"An expired 2F device has been removed!",
@ -263,18 +263,19 @@
"warning":"Warning",
"welcomeOnPortal":"Welcome on your secured authentication portal.",
"yesResendMail":"Yes, resend the mail",
"yourAddress":"Your address",
"yourAddress":"Know your address",
"yourApps":"Your applications",
"yourEmail":"Your email",
"yourIdentity":"Your identity",
"yourEmail":"Know your email",
"yourIdentity":"Know your identity",
"yourIdentityIs":"Your identity is",
"yourKeyIsRegistered":"Your key is registered",
"yourKeyIsAlreadyRegistered":"Your key is ALREADY registered!",
"yourKeyIsUnregistered":"Your key has been unregistered",
"yourKeyIsVerified":"Your key is verified",
"yourNewTotpKey":"Your new TOTP key, please test it and enter the code",
"yourPhone":"Your phone number",
"yourProfile":"Your profile",
"yourOffline": "Access your account while you are offline",
"yourPhone":"Know your phone number",
"yourProfile":"Know your profile",
"yourTotpKey":"Your TOTP key",
"yubikey2f":"Yubikey"
}

3
lemonldap-ng-portal/site/htdocs/static/languages/es.json
View File

@ -273,8 +273,9 @@
"yourKeyIsUnregistered":"Su llave ha sido suprimida",
"yourKeyIsVerified":"Su llave está verificada",
"yourNewTotpKey":"Su nueva llave TOTP, por favor pruébela e ingrese el código",
"yourOffline": "Access your account while you are offline",
"yourPhone":"Su número telefónico",
"yourProfile":"Su perfil",
"yourTotpKey":"Su llave TOTP",
"yubikey2f":"Yubikey"
}
}

5
lemonldap-ng-portal/site/htdocs/static/languages/fi.json
View File

@ -184,7 +184,7 @@
"notFound":"Not found: you try to access to an unavailable page",
"noTOTPFound":"No TOTP found",
"noU2FKeyFound":"No U2F key found",
"oidcConsent":"The application %s would like to know:",
"oidcConsent":"The application %s would like to:",
"oidcConsents":"OIDC consents",
"oidcConsentsFull":"OpenID Connect consents",
"oneExpired2Fremoved":"An expired 2F device has been removed!",
@ -273,8 +273,9 @@
"yourKeyIsUnregistered":"Your key has been unregistered",
"yourKeyIsVerified":"Your key is verified",
"yourNewTotpKey":"Your new TOTP key, please test it and enter the code",
"yourOffline": "and access your account while you are offline",
"yourPhone":"Puhelinnumerosi",
"yourProfile":"Profiilisi",
"yourTotpKey":"Your TOTP key",
"yubikey2f":"Yubikey"
}
}

13
lemonldap-ng-portal/site/htdocs/static/languages/fr.json
View File

@ -184,7 +184,7 @@
"notFound": "Non trouvé : vous tentez d'accéder à une page non disponible",
"noTOTPFound":"Aucun secret TOTP trouvé",
"noU2FKeyFound": "Aucune clef U2F trouvée",
"oidcConsent":"L'application %s voudrait connaître :",
"oidcConsent":"L'application %s voudrait :",
"oidcConsents": "Accords OIDC",
"oidcConsentsFull":"Accords OpenID Connect",
"oneExpired2Fremoved":"Un second facteur expiré a été supprimé !",
@ -263,18 +263,19 @@
"warning":"Attention",
"welcomeOnPortal":"Bienvenue sur votre portail d'authentification sécurisée.",
"yesResendMail":"Oui, renvoyer le mail",
"yourAddress":"Votre adresse",
"yourAddress":"Connaître votre adresse",
"yourApps":"Vos applications",
"yourEmail":"Votre adresse électronique",
"yourIdentity":"Votre identité",
"yourEmail":"Connaître votre adresse électronique",
"yourIdentity":"Connaître votre identité",
"yourIdentityIs":"Votre identité est",
"yourKeyIsRegistered":"Votre clef est enregistrée",
"yourKeyIsAlreadyRegistered":"Votre clef est déjà enregistrée !",
"yourKeyIsUnregistered":"Votre clef a été supprimée",
"yourKeyIsVerified":"Votre clef est vérifiée",
"yourNewTotpKey":"Votre nouvelle clef TOTP. Testez-la et entrez le code",
"yourPhone":"Votre numéro de téléphone",
"yourProfile":"Vos informations personnelles",
"yourOffline": "Accéder à votre compte lorsque vous êtes hors-ligne",
"yourPhone":"Connaître votre numéro de téléphone",
"yourProfile":"Connaître vos informations personnelles",
"yourTotpKey":"Votre clef TOTP",
"yubikey2f":"Yubikey"
}

15
lemonldap-ng-portal/site/htdocs/static/languages/it.json
View File

@ -184,7 +184,7 @@
"notFound":"Non trovato: si tenta di accedere ad una pagina non disponibile",
"noTOTPFound":"Nessun TOTP trovato",
"noU2FKeyFound":"Nessuna chiave U2F trovata",
"oidcConsent":"L'applicazione %s vorrebbe sapere:",
"oidcConsent":"L'applicazione %s vorrebbe:",
"oidcConsents":"Consensi OIDC",
"oidcConsentsFull":"Consensi OpenID Connect",
"oneExpired2Fremoved":"An expired 2F device has been removed!",
@ -263,18 +263,19 @@
"warning":"Avvertimento",
"welcomeOnPortal":"Benvenuto sul tuo portale di autenticazione protetta.",
"yesResendMail":"Sì, rinvia e-mail",
"yourAddress":"Il vostro indirizzo",
"yourAddress":"Sapere vostro indirizzo",
"yourApps":"Le vostre applicazioni",
"yourEmail":"E-mail",
"yourIdentity":"Identità",
"yourEmail":"Sapere vostro E-mail",
"yourIdentity":"Sapere vostro Identità",
"yourIdentityIs":"La tua identità é",
"yourKeyIsRegistered":"La vostra chiave è registrata",
"yourKeyIsAlreadyRegistered":"La tua chiave è GIÀ registrata !",
"yourKeyIsUnregistered":"La vostra chiave è stata rimossa",
"yourKeyIsVerified":"La tua chiave é stata testata con successo",
"yourNewTotpKey":"La tua nuova chiave TOTP, per favore provala e inserisci il codice",
"yourPhone":"Numero di telefono",
"yourProfile":"Il tuo profilo",
"yourOffline": "and access your account while you are offline",
"yourPhone":"Sapere vostro numero di telefono",
"yourProfile":"Sapere vostro profilo",
"yourTotpKey":"La tua chiave TOTP",
"yubikey2f":"Yubikey"
}
}

15
lemonldap-ng-portal/site/htdocs/static/languages/nl.json
View File

@ -184,7 +184,7 @@
"notFound":"Not found: you try to access to an unavailable page",
"noTOTPFound":"No TOTP found",
"noU2FKeyFound":"No U2F key found",
"oidcConsent":"The application %s would like to know:",
"oidcConsent":"The application %s would like to:",
"oidcConsents":"OIDC consents",
"oidcConsentsFull":"OpenID Connect consents",
"oneExpired2Fremoved":"An expired 2F device has been removed!",
@ -263,18 +263,19 @@
"warning":"Warning",
"welcomeOnPortal":"Welcome on your secured authentication portal.",
"yesResendMail":"Yes, resend the mail",
"yourAddress":"Your address",
"yourAddress":"Know your address",
"yourApps":"Your applications",
"yourEmail":"Your email",
"yourIdentity":"Your identity",
"yourEmail":"Know your email",
"yourIdentity":"Know your identity",
"yourIdentityIs":"Your identity is",
"yourKeyIsRegistered":"Your key is registered",
"yourKeyIsAlreadyRegistered":"Your key is ALREADY registered!",
"yourKeyIsUnregistered":"Your key has been unregistered",
"yourKeyIsVerified":"Your key is verified",
"yourNewTotpKey":"Your new TOTP key, please test it and enter the code",
"yourPhone":"Your phone number",
"yourProfile":"Your profile",
"yourOffline": "Access your account while you are offline",
"yourPhone":"Know your phone number",
"yourProfile":"Know your profile",
"yourTotpKey":"Your TOTP key",
"yubikey2f":"Yubikey"
}
}

15
lemonldap-ng-portal/site/htdocs/static/languages/pt.json
View File

@ -184,7 +184,7 @@
"notFound":"Not found: you try to access to an unavailable page",
"noTOTPFound":"No TOTP found",
"noU2FKeyFound":"No U2F key found",
"oidcConsent":"The application %s would like to know:",
"oidcConsent":"The application %s would like to:",
"oidcConsents":"OIDC consents",
"oidcConsentsFull":"OpenID Connect consents",
"oneExpired2Fremoved":"An expired 2F device has been removed!",
@ -263,18 +263,19 @@
"warning":"Warning",
"welcomeOnPortal":"Welcome on your secured authentication portal.",
"yesResendMail":"Yes, resend the mail",
"yourAddress":"Your address",
"yourAddress":"Know your address",
"yourApps":"Your applications",
"yourEmail":"Your email",
"yourIdentity":"Your identity",
"yourEmail":"Know your email",
"yourIdentity":"Know your identity",
"yourIdentityIs":"Your identity is",
"yourKeyIsRegistered":"Your key is registered",
"yourKeyIsAlreadyRegistered":"Your key is ALREADY registered!",
"yourKeyIsUnregistered":"Your key has been unregistered",
"yourKeyIsVerified":"Your key is verified",
"yourNewTotpKey":"Your new TOTP key, please test it and enter the code",
"yourPhone":"Your phone number",
"yourProfile":"Your profile",
"yourOffline": "Access your account while you are offline",
"yourPhone":"Know your phone number",
"yourProfile":"Know your profile",
"yourTotpKey":"Your TOTP key",
"yubikey2f":"Yubikey"
}
}

15
lemonldap-ng-portal/site/htdocs/static/languages/ro.json
View File

@ -184,7 +184,7 @@
"notFound":"Not found: you try to access to an unavailable page",
"noTOTPFound":"No TOTP found",
"noU2FKeyFound":"No U2F key found",
"oidcConsent":"The application %s would like to know:",
"oidcConsent":"The application %s would like to:",
"oidcConsents":"OIDC consents",
"oidcConsentsFull":"OpenID Connect consents",
"oneExpired2Fremoved":"An expired 2F device has been removed!",
@ -263,18 +263,19 @@
"warning":"Warning",
"welcomeOnPortal":"Welcome on your secured authentication portal.",
"yesResendMail":"Yes, resend the mail",
"yourAddress":"Your address",
"yourAddress":"Know your address",
"yourApps":"Your applications",
"yourEmail":"Your email",
"yourIdentity":"Your identity",
"yourEmail":"Know your email",
"yourIdentity":"Know your identity",
"yourIdentityIs":"Your identity is",
"yourKeyIsRegistered":"Your key is registered",
"yourKeyIsAlreadyRegistered":"Your key is ALREADY registered!",
"yourKeyIsUnregistered":"Your key has been unregistered",
"yourKeyIsVerified":"Your key is verified",
"yourNewTotpKey":"Your new TOTP key, please test it and enter the code",
"yourPhone":"Your phone number",
"yourProfile":"Your profile",
"yourOffline": "Access your account while you are offline",
"yourPhone":"Know your phone number",
"yourProfile":"Know your profile",
"yourTotpKey":"Your TOTP key",
"yubikey2f":"Yubikey"
}
}

3
lemonldap-ng-portal/site/htdocs/static/languages/vi.json
View File

@ -273,8 +273,9 @@
"yourKeyIsUnregistered":"Khóa của bạn đã bị xóa",
"yourKeyIsVerified":"Chìa khóa của bạn đã được kiểm tra thành công",
"yourNewTotpKey":"Your new TOTP key, please test it and enter the code",
"yourOffline": "and access your account while you are offline",
"yourPhone":"Số điện thoại của bạn",
"yourProfile":"Profile của bạn",
"yourTotpKey":"Your TOTP key",
"yubikey2f":"Yubikey"
}
}

5
lemonldap-ng-portal/site/htdocs/static/languages/zh.json
View File

@ -184,7 +184,7 @@
"notFound":"无法找到:您请求的网页不存在。",
"noTOTPFound":"No TOTP found",
"noU2FKeyFound":"No U2F key found",
"oidcConsent":"The application %s would like to know:",
"oidcConsent":"The application %s would like to:",
"oidcConsents":"OIDC consents",
"oidcConsentsFull":"OpenID Connect consents",
"oneExpired2Fremoved":"An expired 2F device has been removed!",
@ -273,8 +273,9 @@
"yourKeyIsUnregistered":"Your key has been unregistered",
"yourKeyIsVerified":"Your key is verified",
"yourNewTotpKey":"Your new TOTP key, please test it and enter the code",
"yourOffline": "and access your account while you are offline",
"yourPhone":"您的电话号码",
"yourProfile":"您的档案",
"yourTotpKey":"Your TOTP key",
"yubikey2f":"Yubikey"
}
}

223
lemonldap-ng-portal/t/32-OIDC-Offline-Session.t Normal file
View File

@ -0,0 +1,223 @@
use lib 'inc';
use Test::More;
use strict;
use IO::String;
use LWP::UserAgent;
use LWP::Protocol::PSGI;
use MIME::Base64;
BEGIN {
require 't/test-lib.pm';
}
my $debug = 'error';
# Initialization
my $op = LLNG::Manager::Test->new( {
ini => {
logLevel => $debug,
domain => 'idp.com',
portal => 'http://auth.op.com',
authentication => 'Demo',
userDB => 'Same',
issuerDBOpenIDConnectActivation => 1,
issuerDBOpenIDConnectRule => '$uid eq "french"',
oidcRPMetaDataExportedVars => {
rp => {
email => "mail",
family_name => "cn",
name => "cn"
}
},
oidcServiceMetaDataIssuer => "http://auth.op.com",
oidcServiceMetaDataAuthorizeURI => "authorize",
oidcServiceMetaDataCheckSessionURI => "checksession.html",
oidcServiceMetaDataJWKSURI => "jwks",
oidcServiceMetaDataEndSessionURI => "logout",
oidcServiceMetaDataRegistrationURI => "register",
oidcServiceMetaDataTokenURI => "token",
oidcServiceMetaDataUserInfoURI => "userinfo",
oidcServiceAllowHybridFlow => 1,
oidcServiceAllowImplicitFlow => 1,
oidcServiceAllowDynamicRegistration => 1,
oidcServiceAllowAuthorizationCodeFlow => 1,
oidcRPMetaDataOptions => {
rp => {
oidcRPMetaDataOptionsDisplayName => "RP",
oidcRPMetaDataOptionsIDTokenExpiration => 3600,
oidcRPMetaDataOptionsClientID => "rpid",
oidcRPMetaDataOptionsAllowOffline => 1,
oidcRPMetaDataOptionsIDTokenSignAlg => "HS512",
oidcRPMetaDataOptionsClientSecret => "rpsecret",
oidcRPMetaDataOptionsUserIDAttr => "",
oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
oidcRPMetaDataOptionsBypassConsent => 1,
}
},
oidcOPMetaDataOptions => {},
oidcOPMetaDataJSON => {},
oidcOPMetaDataJWKS => {},
oidcServiceMetaDataAuthnContext => {
'loa-4' => 4,
'loa-1' => 1,
'loa-5' => 5,
'loa-2' => 2,
'loa-3' => 3
},
oidcServicePrivateKeySig => "-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAs2jsmIoFuWzMkilJaA8//5/T30cnuzX9GImXUrFR2k9EKTMt
GMHCdKlWOl3BV+BTAU9TLz7Jzd/iJ5GJ6B8TrH1PHFmHpy8/qE/S5OhinIpIi7eb
ABqnoVcwDdCa8ugzq8k8SWxhRNXfVIlwz4NH1caJ8lmiERFj7IvNKqEhzAk0pyDr
8hubveTC39xREujKlsqutpPAFPJ3f2ybVsdykX5rx0h5SslG3jVWYhZ/SOb2aIzO
r0RMjhQmsYRwbpt3anjlBZ98aOzg7GAkbO8093X5VVk9vaPRg0zxJQ0Do0YLyzkR
isSAIFb0tdKuDnjRGK6y/N2j6At2HjkxntbtGQIDAQABAoIBADYq6LxJd977LWy3
0HT9nboFPIf+SM2qSEc/S5Po+6ipJBA4ZlZCMf7dHa6znet1TDpqA9iQ4YcqIHMH
6xZNQ7hhgSAzG9TrXBHqP+djDlrrGWotvjuy0IfS9ixFnnLWjrtAH9afRWLuG+a/
NHNC1M6DiiTE0TzL/lpt/zzut3CNmWzH+t19X6UsxUg95AzooEeewEYkv25eumWD
mfQZfCtSlIw1sp/QwxeJa/6LJw7KcPZ1wXUm1BN0b9eiKt9Cmni1MS7elgpZlgGt
xtfGTZtNLQ7bgDiM8MHzUfPBhbceNSIx2BeCuOCs/7eaqgpyYHBbAbuBQex2H61l
Lcc3Tz0CgYEA4Kx/avpCPxnvsJ+nHVQm5d/WERuDxk4vH1DNuCYBvXTdVCGADf6a
F5No1JcTH3nPTyPWazOyGdT9LcsEJicLyD8vCM6hBFstG4XjqcAuqG/9DRsElpHQ
yi1zc5DNP7Vxmiz9wII0Mjy0abYKtxnXh9YK4a9g6wrcTpvShhIcIb8CgYEAzGzG
lorVCfX9jXULIznnR/uuP5aSnTEsn0xJeqTlbW0RFWLdj8aIL1peirh1X89HroB9
GeTNqEJXD+3CVL2cx+BRggMDUmEz4hR59meZCDGUyT5fex4LIsceb/ESUl2jo6Sw
HXwWbN67rQ55N4oiOcOppsGxzOHkl5HdExKidycCgYEAr5Qev2tz+fw65LzfzHvH
Kj4S/KuT/5V6He731cFd+sEpdmX3vPgLVAFPG1Q1DZQT/rTzDDQKK0XX1cGiLG63
NnaqOye/jbfzOF8Z277kt51NFMDYhRLPKDD82IOA4xjY/rPKWndmcxwdob8yAIWh
efY76sMz6ntCT+xWSZA9i+ECgYBWMZM2TIlxLsBfEbfFfZewOUWKWEGvd9l5vV/K
D5cRIYivfMUw5yPq2267jPUolayCvniBH4E7beVpuPVUZ7KgcEvNxtlytbt7muil
5Z6X3tf+VodJ0Swe2NhTmNEB26uwxzLe68BE3VFCsbSYn2y48HAq+MawPZr18bHG
ZfgMxwKBgHHRg6HYqF5Pegzk1746uH2G+OoCovk5ylGGYzcH2ghWTK4agCHfBcDt
EYqYAev/l82wi+OZ5O8U+qjFUpT1CVeUJdDs0o5u19v0UJjunU1cwh9jsxBZAWLy
PAGd6SWf4S3uQCTw6dLeMna25YIlPh5qPA6I/pAahe8e3nSu2ckl
-----END RSA PRIVATE KEY-----
",
oidcServicePublicKeySig => "-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs2jsmIoFuWzMkilJaA8/
/5/T30cnuzX9GImXUrFR2k9EKTMtGMHCdKlWOl3BV+BTAU9TLz7Jzd/iJ5GJ6B8T
rH1PHFmHpy8/qE/S5OhinIpIi7ebABqnoVcwDdCa8ugzq8k8SWxhRNXfVIlwz4NH
1caJ8lmiERFj7IvNKqEhzAk0pyDr8hubveTC39xREujKlsqutpPAFPJ3f2ybVsdy
kX5rx0h5SslG3jVWYhZ/SOb2aIzOr0RMjhQmsYRwbpt3anjlBZ98aOzg7GAkbO80
93X5VVk9vaPRg0zxJQ0Do0YLyzkRisSAIFb0tdKuDnjRGK6y/N2j6At2Hjkxntbt
GQIDAQAB
-----END PUBLIC KEY-----
",
}
}
);
my $res;
my $url = "/";
my $query = "user=french&password=french";
$res = $op->_post(
"/",
IO::String->new($query),
accept => 'text/html',
length => length($query),
);
my $idpId = expectCookie($res);
my $query =
"response_type=code&scope=openid%20profile%20email%20offline_access&"
. "client_id=rpid&state=af0ifjsldkj&redirect_uri=http%3A%2F%2Ftest%2F";
$res = $op->_get(
"/oauth2/authorize",
query => "$query",
accept => 'text/html',
cookie => "lemonldap=$idpId",
);
my ($code) = expectRedirection( $res, qr#http://test/.*code=([^\&]*)# );
$query =
"grant_type=authorization_code&code=$code&redirect_uri=http%3A%2F%2Ftest%2F";
$res = $op->_post(
"/oauth2/token",
IO::String->new($query),
accept => 'text/html',
length => length($query),
custom => {
HTTP_AUTHORIZATION => "Basic " . encode_base64("rpid:rpsecret"),
},
);
my $json = expectJSON($res);
my $access_token = $json->{access_token};
my $refresh_token = $json->{refresh_token};
my $id_token = $json->{id_token};
ok( $access_token, "Got access token" );
ok( $refresh_token, "Got refresh token" );
ok( $id_token, "Got ID token" );
count(3);
# Get userinfo
$res = $op->_post(
"/oauth2/userinfo",
IO::String->new(''),
accept => 'text/html',
length => 0,
custom => {
HTTP_AUTHORIZATION => "Bearer " . $access_token,
},
);
$json = expectJSON($res);
ok( $json->{'name'} eq "Frédéric Accents", 'Got User Info' );
count(1);
$op->logout($idpId);
# Refresh access token
$query = "grant_type=refresh_token&refresh_token=$refresh_token";
ok(
$res = $op->_post(
"/oauth2/token",
IO::String->new($query),
accept => 'text/html',
length => length($query),
custom => {
HTTP_AUTHORIZATION => "Basic " . encode_base64("rpid:rpsecret"),
},
),
"Refresh access token"
);
count(1);
expectOK($res);
$json = expectJSON($res);
$access_token = $json->{access_token};
$refresh_token = $json->{refresh_token};
$id_token = $json->{id_token};
ok( $access_token, "Got refreshed Access token" );
ok( $id_token, "Got refreshed ID token" );
ok( !defined $refresh_token, "Refresh token not present" );
count(3);
## Get userinfo again
ok(
$res = $op->_post(
"/oauth2/userinfo",
IO::String->new(''),
accept => 'text/html',
length => 0,
custom => {
HTTP_AUTHORIZATION => "Bearer " . $access_token,
},
),
"Post new access token"
);
expectOK($res);
count(1);
$json = expectJSON($res);
ok( $json->{name} eq "Frédéric Accents", "Correct user info" );
count(1);
clean_sessions();
done_testing( count() );

264
lemonldap-ng-portal/t/32-OIDC-Refresh-Token.t Normal file
View File

@ -0,0 +1,264 @@
use lib 'inc';
use Test::More;
use strict;
use IO::String;
use LWP::UserAgent;
use LWP::Protocol::PSGI;
use MIME::Base64;
BEGIN {
require 't/test-lib.pm';
}
my $debug = 'error';
# Initialization
my $op = LLNG::Manager::Test->new( {
ini => {
logLevel => $debug,
domain => 'idp.com',
portal => 'http://auth.op.com',
authentication => 'Demo',
userDB => 'Same',
issuerDBOpenIDConnectActivation => 1,
issuerDBOpenIDConnectRule => '$uid eq "french"',
oidcRPMetaDataExportedVars => {
rp => {
email => "mail",
family_name => "cn",
name => "cn"
}
},
oidcServiceMetaDataIssuer => "http://auth.op.com",
oidcServiceMetaDataAuthorizeURI => "authorize",
oidcServiceMetaDataCheckSessionURI => "checksession.html",
oidcServiceMetaDataJWKSURI => "jwks",
oidcServiceMetaDataEndSessionURI => "logout",
oidcServiceMetaDataRegistrationURI => "register",
oidcServiceMetaDataTokenURI => "token",
oidcServiceMetaDataUserInfoURI => "userinfo",
oidcServiceAllowHybridFlow => 1,
oidcServiceAllowImplicitFlow => 1,
oidcServiceAllowDynamicRegistration => 1,
oidcServiceAllowAuthorizationCodeFlow => 1,
oidcRPMetaDataOptions => {
rp => {
oidcRPMetaDataOptionsDisplayName => "RP",
oidcRPMetaDataOptionsIDTokenExpiration => 3600,
oidcRPMetaDataOptionsClientID => "rpid",
oidcRPMetaDataOptionsAllowOffline => 1,
oidcRPMetaDataOptionsIDTokenSignAlg => "HS512",
oidcRPMetaDataOptionsClientSecret => "rpsecret",
oidcRPMetaDataOptionsUserIDAttr => "",
oidcRPMetaDataOptionsAccessTokenExpiration => 1,
oidcRPMetaDataOptionsBypassConsent => 1,
oidcRPMetaDataOptionsRefreshToken => 1,
}
},
oidcOPMetaDataOptions => {},
oidcOPMetaDataJSON => {},
oidcOPMetaDataJWKS => {},
oidcServiceMetaDataAuthnContext => {
'loa-4' => 4,
'loa-1' => 1,
'loa-5' => 5,
'loa-2' => 2,
'loa-3' => 3
},
oidcServicePrivateKeySig => "-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAs2jsmIoFuWzMkilJaA8//5/T30cnuzX9GImXUrFR2k9EKTMt
GMHCdKlWOl3BV+BTAU9TLz7Jzd/iJ5GJ6B8TrH1PHFmHpy8/qE/S5OhinIpIi7eb
ABqnoVcwDdCa8ugzq8k8SWxhRNXfVIlwz4NH1caJ8lmiERFj7IvNKqEhzAk0pyDr
8hubveTC39xREujKlsqutpPAFPJ3f2ybVsdykX5rx0h5SslG3jVWYhZ/SOb2aIzO
r0RMjhQmsYRwbpt3anjlBZ98aOzg7GAkbO8093X5VVk9vaPRg0zxJQ0Do0YLyzkR
isSAIFb0tdKuDnjRGK6y/N2j6At2HjkxntbtGQIDAQABAoIBADYq6LxJd977LWy3
0HT9nboFPIf+SM2qSEc/S5Po+6ipJBA4ZlZCMf7dHa6znet1TDpqA9iQ4YcqIHMH
6xZNQ7hhgSAzG9TrXBHqP+djDlrrGWotvjuy0IfS9ixFnnLWjrtAH9afRWLuG+a/
NHNC1M6DiiTE0TzL/lpt/zzut3CNmWzH+t19X6UsxUg95AzooEeewEYkv25eumWD
mfQZfCtSlIw1sp/QwxeJa/6LJw7KcPZ1wXUm1BN0b9eiKt9Cmni1MS7elgpZlgGt
xtfGTZtNLQ7bgDiM8MHzUfPBhbceNSIx2BeCuOCs/7eaqgpyYHBbAbuBQex2H61l
Lcc3Tz0CgYEA4Kx/avpCPxnvsJ+nHVQm5d/WERuDxk4vH1DNuCYBvXTdVCGADf6a
F5No1JcTH3nPTyPWazOyGdT9LcsEJicLyD8vCM6hBFstG4XjqcAuqG/9DRsElpHQ
yi1zc5DNP7Vxmiz9wII0Mjy0abYKtxnXh9YK4a9g6wrcTpvShhIcIb8CgYEAzGzG
lorVCfX9jXULIznnR/uuP5aSnTEsn0xJeqTlbW0RFWLdj8aIL1peirh1X89HroB9
GeTNqEJXD+3CVL2cx+BRggMDUmEz4hR59meZCDGUyT5fex4LIsceb/ESUl2jo6Sw
HXwWbN67rQ55N4oiOcOppsGxzOHkl5HdExKidycCgYEAr5Qev2tz+fw65LzfzHvH
Kj4S/KuT/5V6He731cFd+sEpdmX3vPgLVAFPG1Q1DZQT/rTzDDQKK0XX1cGiLG63
NnaqOye/jbfzOF8Z277kt51NFMDYhRLPKDD82IOA4xjY/rPKWndmcxwdob8yAIWh
efY76sMz6ntCT+xWSZA9i+ECgYBWMZM2TIlxLsBfEbfFfZewOUWKWEGvd9l5vV/K
D5cRIYivfMUw5yPq2267jPUolayCvniBH4E7beVpuPVUZ7KgcEvNxtlytbt7muil
5Z6X3tf+VodJ0Swe2NhTmNEB26uwxzLe68BE3VFCsbSYn2y48HAq+MawPZr18bHG
ZfgMxwKBgHHRg6HYqF5Pegzk1746uH2G+OoCovk5ylGGYzcH2ghWTK4agCHfBcDt
EYqYAev/l82wi+OZ5O8U+qjFUpT1CVeUJdDs0o5u19v0UJjunU1cwh9jsxBZAWLy
PAGd6SWf4S3uQCTw6dLeMna25YIlPh5qPA6I/pAahe8e3nSu2ckl
-----END RSA PRIVATE KEY-----
",
oidcServicePublicKeySig => "-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs2jsmIoFuWzMkilJaA8/
/5/T30cnuzX9GImXUrFR2k9EKTMtGMHCdKlWOl3BV+BTAU9TLz7Jzd/iJ5GJ6B8T
rH1PHFmHpy8/qE/S5OhinIpIi7ebABqnoVcwDdCa8ugzq8k8SWxhRNXfVIlwz4NH
1caJ8lmiERFj7IvNKqEhzAk0pyDr8hubveTC39xREujKlsqutpPAFPJ3f2ybVsdy
kX5rx0h5SslG3jVWYhZ/SOb2aIzOr0RMjhQmsYRwbpt3anjlBZ98aOzg7GAkbO80
93X5VVk9vaPRg0zxJQ0Do0YLyzkRisSAIFb0tdKuDnjRGK6y/N2j6At2Hjkxntbt
GQIDAQAB
-----END PUBLIC KEY-----
",
}
}
);
my $res;
my $url = "/";
my $query = "user=french&password=french";
$res = $op->_post(
"/",
IO::String->new($query),
accept => 'text/html',
length => length($query),
);
my $idpId = expectCookie($res);
my $query =
"response_type=code&scope=openid%20profile%20email&"
. "client_id=rpid&state=af0ifjsldkj&redirect_uri=http%3A%2F%2Ftest%2F";
$res = $op->_get(
"/oauth2/authorize",
query => "$query",
accept => 'text/html',
cookie => "lemonldap=$idpId",
);
my ($code) = expectRedirection( $res, qr#http://test/.*code=([^\&]*)# );
$query =
"grant_type=authorization_code&code=$code&redirect_uri=http%3A%2F%2Ftest%2F";
$res = $op->_post(
"/oauth2/token",
IO::String->new($query),
accept => 'application/json',
length => length($query),
custom => {
HTTP_AUTHORIZATION => "Basic " . encode_base64("rpid:rpsecret"),
},
);
my $json = expectJSON($res);
my $access_token = $json->{access_token};
my $refresh_token = $json->{refresh_token};
my $id_token = $json->{id_token};
ok( $access_token, "Got access token" );
ok( $refresh_token, "Got refresh token" );
ok( $id_token, "Got ID token" );
# Get userinfo
$res = $op->_post(
"/oauth2/userinfo",
IO::String->new(''),
accept => 'application/json',
length => 0,
custom => {
HTTP_AUTHORIZATION => "Bearer " . $access_token,
},
);
$json = expectJSON($res);
ok( $json->{'name'} eq "Frédéric Accents", 'Got User Info' );
sleep(2);
# Access token should have expired
$res = $op->_post(
"/oauth2/userinfo",
IO::String->new(''),
accept => 'application/json',
length => 0,
custom => {
HTTP_AUTHORIZATION => "Bearer " . $access_token,
},
);
is( $res->[0], 401, "Access token refused" );
# Refresh access token
$query = "grant_type=refresh_token&refresh_token=$refresh_token";
ok(
$res = $op->_post(
"/oauth2/token",
IO::String->new($query),
accept => 'text/html',
length => length($query),
custom => {
HTTP_AUTHORIZATION => "Basic " . encode_base64("rpid:rpsecret"),
},
),
"Refresh access token"
);
expectOK($res);
$json = expectJSON($res);
$access_token = $json->{access_token};
$id_token = $json->{id_token};
ok( $access_token, "Got refreshed Access token" );
ok( $id_token, "Got refreshed ID token" );
ok( !defined $json->{refresh_token}, "Refresh token not present" );
# Try refreshed access token
$res = $op->_post(
"/oauth2/userinfo",
IO::String->new(''),
accept => 'application/json',
length => 0,
custom => {
HTTP_AUTHORIZATION => "Bearer " . $access_token,
},
);
$json = expectJSON($res);
ok( $json->{'name'} eq "Frédéric Accents", 'Got User Info' );
# Check failure conditions
$op->logout($idpId);
# Refresh access token
$query = "grant_type=refresh_token&refresh_token=$refresh_token";
ok(
$res = $op->_post(
"/oauth2/token",
IO::String->new($query),
accept => 'text/html',
length => length($query),
custom => {
HTTP_AUTHORIZATION => "Basic " . encode_base64("rpid:rpsecret"),
},
),
"Refresh access token"
);
is( $res->[0], 401, "Cannot use refresh token tied to expired session" );
## Get userinfo again
ok(
$res = $op->_post(
"/oauth2/userinfo",
IO::String->new(''),
accept => 'text/html',
length => 0,
custom => {
HTTP_AUTHORIZATION => "Bearer " . $access_token,
},
),
"Post new access token"
);
is( $res->[0], 401,
"Cannot use refreshed access token tied to expired session" );
clean_sessions();
done_testing();

30
lemonldap-ng-portal/t/32-OIDC-Token-Security.t
View File

@ -148,7 +148,7 @@ ok(
accept => 'text/html',
cookie => "lemonldap=$idpId",
),
"Get authorization code"
"Get authorization code for rp1"
);
count(1);
@ -168,17 +168,33 @@ ok(
HTTP_AUTHORIZATION => "Basic " . encode_base64("rp2id:rp2secret"),
},
),
"Post token"
"Post token on wrong RP"
);
count(1);
# Expect an invalid request
is( $res->[0], 400 );
is( $res->[0], 400, "Got invalid request" );
count(1);
# Get new code for RP1
my $query =
"response_type=code&scope=openid%20profile%20email&client_id=rpid&state=af0ifjsldkj&redirect_uri=http%3A%2F%2Frp.com%2F";
ok(
$res = $op->_get(
"/oauth2/authorize",
query => "$query",
accept => 'text/html',
cookie => "lemonldap=$idpId",
),
"Get authorization code again"
);
count(1);
my ($code) = expectRedirection( $res, qr#http://rp\.com/.*code=([^\&]*)# );
# Play code on RP1
$query =
"grant_type=authorization_code&code=$code&redirect_uri=http%3A%2F%2Frp2.com%2F";
"grant_type=authorization_code&code=$code&redirect_uri=http%3A%2F%2Frp.com%2F";
ok(
$res = $op->_post(
@ -190,7 +206,7 @@ ok(
HTTP_AUTHORIZATION => "Basic " . encode_base64("rpid:rpsecret"),
},
),
"Post token"
"Post auth code on correct RP"
);
count(1);
$res = expectJSON($res);
@ -209,10 +225,10 @@ ok(
HTTP_AUTHORIZATION => "Bearer " . $token,
},
),
"Post userinfo"
"post to userinfo with expired access token"
);
count(1);
is( $res->[0], 401, "Access denied with expired token" );
ok( $res->[0] == 401, "Access denied with expired token" );
count(1);
clean_sessions();