Merge branch 'v2.0'
95e53e0a5f
|
@ -50,8 +50,8 @@ Then, go in ``Choice Parameters``:
|
|||
- **URL parameter**: parameter name used to set choice value (default:
|
||||
``lmAuth``)
|
||||
- **Allowed modules**: click on ``New chain`` to add a choice.
|
||||
- **AuthBasic handler parameter**: authentication module called by
|
||||
AuthBasic handler (:doc:`AuthBasic handler<handlerauthbasic>`)
|
||||
- **Choice used for password authentication**: authentication module used by
|
||||
:doc:`AuthBasic handler<handlerauthbasic>` and :ref:`OAuth2.0 Password Grant <resource-owner-password-grant>`
|
||||
- **FindUser plugin parameter**: authentication module called by
|
||||
Find user plugin (:doc:`Find user plugin<finduser>`)
|
||||
|
||||
|
|
|
@ -53,7 +53,7 @@ to access required locations in Portal Virtual Host.
|
|||
|
||||
requireToken => $env->{REMOTE_ADDR} !~ /^127\.0\.[1-3]\.1$/
|
||||
|
||||
With AutChoice, you have to declare which authentication module is
|
||||
With :doc:`authchoice`, you have to declare which authentication module is
|
||||
requested by handler to create global session.
|
||||
|
||||
Go to:
|
||||
|
@ -61,7 +61,7 @@ to access required locations in Portal Virtual Host.
|
|||
|
||||
and set authentication module's name :
|
||||
|
||||
**AuthBasic handler parameter** => 2_LDAP (by example)
|
||||
**Choice used for password authentication** => 2_LDAP (by example)
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -339,6 +339,10 @@ Resource Owner Password Credentials Grant
|
|||
|
||||
The Resource Owner Password Credentials Grant allows you to exchange a user's login and password for an access token. This must be considered a legacy form of authentication, since the Authorization Code web-based flow is prefered for all applications that support it. It can however be useful in some scenarios involving technical accounts that cannot implement a web-based authentication flow.
|
||||
|
||||
.. versionchanged:: 2.0.12
|
||||
|
||||
when using the :doc:`Choice <authchoice>` authentication module, the *Choice used for password authentication* setting can be used to select which authentication choice is used by the Resource Owner Password Credentials Grant. Naturally, the selected choice must be a password-based authentication method (LDAP, DBI, REST, etc.)
|
||||
|
||||
.. seealso::
|
||||
|
||||
`Specification for the Resource Owner Password Credentials Grant <https://tools.ietf.org/html/rfc6749#section-4.3>`__
|
||||
|
|
|
@ -76,7 +76,7 @@
|
|||
"authAndUserdb":"الترخيص وقاعدة بيانات المستخدم",
|
||||
"authChain":"سلسلة إثبات الهوية",
|
||||
"authChoice":"اختيار إثبات الهوية",
|
||||
"authChoiceAuthBasic":"AuthBasic handler parameter",
|
||||
"authChoiceAuthBasic":"Choice used for password authentication",
|
||||
"authChoiceFindUser":"FindUser plugin parameter",
|
||||
"authChoiceModules":"الوحدات المسموح بها",
|
||||
"authChoiceParam":"معايير URL",
|
||||
|
|
|
@ -76,7 +76,7 @@
|
|||
"authAndUserdb":"Authz and user DB",
|
||||
"authChain":"Authentication chain",
|
||||
"authChoice":"Authentication choice",
|
||||
"authChoiceAuthBasic":"AuthBasic handler parameter",
|
||||
"authChoiceAuthBasic":"Choice used for password authentication",
|
||||
"authChoiceFindUser":"FindUser plugin parameter",
|
||||
"authChoiceModules":"Allowed modules",
|
||||
"authChoiceParam":"URL parameter",
|
||||
|
|
|
@ -76,7 +76,7 @@
|
|||
"authAndUserdb":"Authz and user DB",
|
||||
"authChain":"Authentication chain",
|
||||
"authChoice":"Authentication choice",
|
||||
"authChoiceAuthBasic":"AuthBasic handler parameter",
|
||||
"authChoiceAuthBasic":"Choice used for password authentication",
|
||||
"authChoiceFindUser":"FindUser plugin parameter",
|
||||
"authChoiceModules":"Allowed modules",
|
||||
"authChoiceParam":"URL parameter",
|
||||
|
|
|
@ -76,7 +76,7 @@
|
|||
"authAndUserdb":"Authz and user DB",
|
||||
"authChain":"Cadena de autentificación",
|
||||
"authChoice":"Opción de autentificación",
|
||||
"authChoiceAuthBasic":"AuthBasic handler parameter",
|
||||
"authChoiceAuthBasic":"Choice used for password authentication",
|
||||
"authChoiceFindUser":"FindUser plugin parameter",
|
||||
"authChoiceModules":"Módulos permitidos",
|
||||
"authChoiceParam":"Parámetro URL",
|
||||
|
|
|
@ -76,7 +76,7 @@
|
|||
"authAndUserdb":"Authent. et BD utilisateurs",
|
||||
"authChain":"Chaîne d'authentification",
|
||||
"authChoice":"Choix d'authentification",
|
||||
"authChoiceAuthBasic":"Paramètre du handler AuthBasic",
|
||||
"authChoiceAuthBasic":"Choix à utiliser pour l'authentification par mot de passe",
|
||||
"authChoiceFindUser":"Paramètre de recherche de compte",
|
||||
"authChoiceModules":"Modules autorisés",
|
||||
"authChoiceParam":"Paramètre de l'URL",
|
||||
|
|
|
@ -76,7 +76,7 @@
|
|||
"authAndUserdb":"Authz e utente DB",
|
||||
"authChain":"Catena di autenticazione",
|
||||
"authChoice":"Scelta di autenticazione",
|
||||
"authChoiceAuthBasic":"AuthBasic handler parameter",
|
||||
"authChoiceAuthBasic":"Choice used for password authentication",
|
||||
"authChoiceFindUser":"FindUser plugin parameter",
|
||||
"authChoiceModules":"Moduli consentiti",
|
||||
"authChoiceParam":"Parametri URL",
|
||||
|
|
|
@ -76,7 +76,7 @@
|
|||
"authAndUserdb":"Authz i baza danych użytkownika",
|
||||
"authChain":"Łańcuch uwierzytelnienia",
|
||||
"authChoice":"Wybór uwierzytelnienia",
|
||||
"authChoiceAuthBasic":"Parametr handlera AuthBasic",
|
||||
"authChoiceAuthBasic":"Choice used for password authentication",
|
||||
"authChoiceFindUser":"Parametr wtyczki FindUser",
|
||||
"authChoiceModules":"Dozwolone moduły",
|
||||
"authChoiceParam":"Parametr adresu URL",
|
||||
|
|
|
@ -76,7 +76,7 @@
|
|||
"authAndUserdb":"Yetkilendirme ve kullanıcı veri tabanı",
|
||||
"authChain":"Doğrulama zinciri",
|
||||
"authChoice":"Kimlik doğrulama tercihi",
|
||||
"authChoiceAuthBasic":"AuthBasic işleyici parametresi",
|
||||
"authChoiceAuthBasic":"Choice used for password authentication",
|
||||
"authChoiceFindUser":"FindUser eklenti parametresi",
|
||||
"authChoiceModules":"İzin verilen modüller",
|
||||
"authChoiceParam":"URL parametresi",
|
||||
|
|
|
@ -76,7 +76,7 @@
|
|||
"authAndUserdb":"Authz và user DB",
|
||||
"authChain":"Chuỗi xác thực",
|
||||
"authChoice":"Lựa chọn xác thực",
|
||||
"authChoiceAuthBasic":"AuthBasic handler parameter",
|
||||
"authChoiceAuthBasic":"Choice used for password authentication",
|
||||
"authChoiceFindUser":"FindUser plugin parameter",
|
||||
"authChoiceModules":"Các mô-đun được phép",
|
||||
"authChoiceParam":"Tham số URL",
|
||||
|
|
|
@ -76,7 +76,7 @@
|
|||
"authAndUserdb":"授权和用户数据库",
|
||||
"authChain":"认证chain",
|
||||
"authChoice":"认证方式选择",
|
||||
"authChoiceAuthBasic":"AuthBasic handler parameter",
|
||||
"authChoiceAuthBasic":"Choice used for password authentication",
|
||||
"authChoiceFindUser":"FindUser plugin parameter",
|
||||
"authChoiceModules":"允许的模块",
|
||||
"authChoiceParam":"URL 参数",
|
||||
|
|
|
@ -76,7 +76,7 @@
|
|||
"authAndUserdb":"驗證與使用者資料庫",
|
||||
"authChain":"驗證鏈",
|
||||
"authChoice":"驗證選擇",
|
||||
"authChoiceAuthBasic":"AuthBasic 處理程式參數",
|
||||
"authChoiceAuthBasic":"Choice used for password authentication",
|
||||
"authChoiceFindUser":"FindUser plugin parameter",
|
||||
"authChoiceModules":"已允許的模組",
|
||||
"authChoiceParam":"URL 參數",
|
||||
|
|
|
@ -16,6 +16,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
|
|||
PE_BADCREDENTIALS
|
||||
PE_UNAUTHORIZEDPARTNER
|
||||
PE_OIDC_SERVICE_NOT_ALLOWED
|
||||
PE_FIRSTACCESS
|
||||
);
|
||||
use String::Random qw/random_string/;
|
||||
|
||||
|
@ -1157,6 +1158,9 @@ sub _handlePasswordGrant {
|
|||
$req->parameters->{password} = $password;
|
||||
$req->data->{skipToken} = 1;
|
||||
|
||||
# This makes Auth::Choice use authChoiceAuthBasic if defined
|
||||
$req->data->{_pwdCheck} = 1;
|
||||
|
||||
$req->steps( [
|
||||
@{ $self->p->beforeAuth },
|
||||
$self->p->authProcess,
|
||||
|
@ -1169,6 +1173,15 @@ sub _handlePasswordGrant {
|
|||
);
|
||||
my $result = $self->p->process($req);
|
||||
|
||||
if ( ( $result == PE_FIRSTACCESS )
|
||||
and ( $self->conf->{authentication} eq "Choice" ) )
|
||||
{
|
||||
$self->logger->warn(
|
||||
"Choice module did not know which module to choose. "
|
||||
. "You should define authChoiceAuthBasic or specify desired module in the URL"
|
||||
);
|
||||
}
|
||||
|
||||
$self->logger->debug( "Credentials check returned "
|
||||
. $self->p->_formatProcessResult($result) )
|
||||
if $result;
|
||||
|
|
|
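Review bot: The warning added after `process` (the `PE_FIRSTACCESS` branch) tells operators to "specify desired module in the URL", which for the token endpoint means letting the OAuth client choose the authentication backend through the choice URL parameter instead of the operator-configured one; the advice should point only at the configuration. The Manager label for `authChoiceAuthBasic` is now "Choice used for password authentication", so naming it makes the log actionable: `. "Set 'Choice used for password authentication' (authChoiceAuthBasic) to the password-based choice to use for the Resource Owner Password grant"`. The comment on the `_pwdCheck` assignment in the first hunk could also state that the flag lives in server-side request data, not in a client parameter, since that is what makes the fallback safe to trust. `_handlePasswordGrant` starts and ends outside the hunks.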
@ -116,6 +116,13 @@ sub checkChoice {
|
|||
}
|
||||
}
|
||||
|
||||
unless ($name) {
|
||||
# Set by OAuth Resource Owner grant // RESTServer pwdCheck
|
||||
if ($req->data->{_pwdCheck} and $self->{conf}->{authChoiceAuthBasic}) {
|
||||
$name = $self->{conf}->{authChoiceAuthBasic};
|
||||
}
|
||||
}
|
||||
|
||||
unless ($name) {
|
||||
|
||||
# Check with other methods
|
||||
|
|
|
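Review bot: The new fallback in `checkChoice` runs only `unless ($name)`, so a choice already selected by the code above the hunk — which, if it honours the request parameter named by `authChoiceParam` as the OIDC warning text suggests, is client-supplied — takes precedence over the operator's configured password-authentication choice for the password grant and the REST password check. If that is intended it deserves a comment; if not, the `_pwdCheck` branch should come before the request-parameter lookup so the configuration wins. The configured value is also never checked against the declared choices, so a typo silently falls through to the other selection methods; consider `$self->logger->error("authChoiceAuthBasic '$name' is not a declared choice") unless $self->{conf}->{authChoiceModules}->{$name};` right after the assignment, assuming the module has the usual logger accessor. `checkChoice` starts and ends outside the hunk.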
@ -697,7 +697,8 @@ sub pwdConfirm {
|
|||
}
|
||||
|
||||
$req->user($user);
|
||||
$req->data->{password} = $password;
|
||||
$req->data->{password} = $password;
|
||||
$req->data->{_pwdCheck} = 1;
|
||||
|
||||
if ( $self->p->_userDB ) {
|
||||
$req->steps( [ 'getUser', 'authenticate' ] );
|
||||
|
@ -736,6 +737,7 @@ sub getUser {
|
|||
}
|
||||
|
||||
$req->user( $user || $mail );
|
||||
$req->data->{_pwdCheck} = 1;
|
||||
|
||||
# Search user in database
|
||||
$req->steps( [
|
||||
|
|
|
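Review bot: `getUser` now sets `$req->data->{_pwdCheck} = 1` although, from the visible lines, this endpoint only sets the user and runs a database search with no password involved, so the flag name misdescribes what it signals here. A comment at each of the two new assignments, e.g. `# Tell Auth::Choice to fall back to the configured password-authentication choice`, or a more neutral flag name would keep the next reader from assuming a credential check happens in `getUser`. Both `pwdConfirm` and `getUser` start outside the hunks.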
@ -17,12 +17,17 @@ my $debug = 'error';
|
|||
# Initialization
|
||||
my $op = LLNG::Manager::Test->new( {
|
||||
ini => {
|
||||
logLevel => $debug,
|
||||
domain => 'op.com',
|
||||
portal => 'http://auth.op.com',
|
||||
authentication => 'Demo',
|
||||
userDB => 'Same',
|
||||
macros => {
|
||||
logLevel => $debug,
|
||||
domain => 'op.com',
|
||||
portal => 'http://auth.op.com',
|
||||
authChoiceAuthBasic => "MyChoice",
|
||||
authentication => 'Choice',
|
||||
userDB => 'Same',
|
||||
'authChoiceModules' => {
|
||||
'MyChoice' => 'Demo;Demo;Null;;;{}'
|
||||
},
|
||||
|
||||
macros => {
|
||||
gender => '"32"',
|
||||
_whatToTrace => '$uid',
|
||||
nickname => '"froggie; frenchie"',
|
||||
|
@ -57,7 +62,7 @@ my $op = LLNG::Manager::Test->new( {
|
|||
oidcRPMetaDataScopeRules => {
|
||||
rp => {
|
||||
"read" => '$requested',
|
||||
"french" => '$uid eq "french"',
|
||||
"french" => '$uid eq "french"',
|
||||
"always" => '1',
|
||||
},
|
||||
},
|
||||
|
@ -172,7 +177,8 @@ unlike( $payload->{scope}, qr/\bread\b/,
|
|||
"Scope read not asked, and thus not found" );
|
||||
like( $payload->{scope}, qr/\bfrench\b/, "Attribute-based scope found" );
|
||||
like( $payload->{scope}, qr/\balways\b/, "Rule-enforced scope found" );
|
||||
is ($payload->{scope}, $token_res_scope, "Token response scope matches token scope");
|
||||
is( $payload->{scope}, $token_res_scope,
|
||||
"Token response scope matches token scope" );
|
||||
|
||||
clean_sessions();
|
||||
done_testing();
|
|
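Review bot: The updated fixture only exercises the configured-fallback path — `authChoiceAuthBasic => "MyChoice"` with a single declared choice — so the new `PE_FIRSTACCESS` warning branch in the password grant and the case where the request itself carries a choice parameter remain untested. A second `LLNG::Manager::Test` instance without `authChoiceAuthBasic`, asserting that no token is issued (assuming `PE_FIRSTACCESS` is treated as a failure, which is decided outside the hunk), and one with two declared choices checking which module handles the request would pin the intended behaviour. The fixture hash continues outside the hunk.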
@ -3,10 +3,12 @@
|
|||
use strict;
|
||||
use JSON;
|
||||
use Getopt::Long;
|
||||
use Encode::Locale qw/decode_argv/;
|
||||
my ( $portal, $modify, $help, $delete, $reorder );
|
||||
my $json =
|
||||
JSON->new->utf8->pretty()->canonical()->space_before(0)->space_after(0);
|
||||
|
||||
decode_argv();
|
||||
GetOptions(
|
||||
"portal|p" => \$portal,
|
||||
"modify|m" => \$modify,
|
||||
|
|
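Review bot: `decode_argv()` is called with no CHECK argument, and Encode::Locale's default substitutes U+FFFD for bytes that do not decode in the locale charset, so a malformed argument would be silently rewritten and used as-is rather than rejected. Prefer failing loudly: `use Encode qw(FB_CROAK);` next to the new import and `decode_argv(FB_CROAK);`. Encode::Locale is a new runtime dependency of this script; if it is not already required elsewhere in the project, the packaging metadata needs it as well. The `GetOptions` call continues past the end of the hunk.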