dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Check authentication on token endpoint (#184)

Browse Source
This commit is contained in:
Clément Oudot 2015-02-02 09:44:33 +00:00
parent 9f69f03b09
commit 968f0e065a
2 changed files with 71 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
View File

@ -64,7 +64,42 @@ sub issuerForUnAuthUser {
$self->lmLog( "URL $url detected as an OpenID Connect TOKEN URL",
'debug' );
# TODO check authorization header or other authentication scheme
# Check authentication
my ( $client_id, $client_secret ) =
$self->getEndPointAuthenticationCredentials();
unless ( $client_id && $client_secret ) {
$self->lmLog(
"No authentication provided to get token, or authentication type not supported",
"error"
);
$self->returnJSONError("unauthorized_client");
$self->quit;
}
# Verify that client_id is registered in configuration
my $rp = $self->getRP($client_id);
unless ($rp) {
$self->lmLog(
"No registered Relaying Party found with client_id $client_id",
'error'
);
$self->returnJSONError("unauthorized_client");
$self->quit;
}
else {
$self->lmLog( "Client id $client_id match RP $rp", 'debug' );
}
# Check client_secret
unless ( $client_secret eq $self->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsClientSecret} )
{
$self->lmLog( "Wrong credentials", "error" );
$self->returnJSONError("access_denied");
$self->quit;
}
# Get code session
my $code = $self->param('code');
@ -130,15 +165,15 @@ sub issuerForUnAuthUser {
# Create id_token
my $id_token_payload_hash = {
iss => $issuer, # Issuer Identifier
sub => $user_id, # Subject Identifier
aud => "dummy", # client_id TODO
exp => "3600", # expiration TODO
iat => time, # Issued time
auth_time => time # Authentication time TODO
# TODO acr
# TODO amr
# TODO azp
iss => $issuer, # Issuer Identifier
sub => $user_id, # Subject Identifier
aud => $client_id, # Audience
exp => "3600", # expiration TODO
iat => time, # Issued time
auth_time => time # Authentication time TODO
# TODO acr
# TODO amr
# TODO azp
};
# JSON and base64
@ -256,7 +291,7 @@ sub issuerForAuthUser {
}
else {
$self->lmLog(
"Cient id "
"Client id "
. $oidc_request->{'client_id'}
. " match RP $rp",
'debug'

26
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_OpenIDConnect.pm
View File

@ -721,7 +721,7 @@ sub returnJSONError {
print encode_json( { "error" => "$error" } );
}
## @method coid returnJSON(String content);
## @method void returnJSON(String content);
# Print JSON content
# @param content Message
# @return void
@ -731,6 +731,26 @@ sub returnJSON {
print $self->header('application/json');
print encode_json($content);
}
## @method array getEndPointAuthenticationCredentials()
# Get Client ID and Client Secret
# @return array (client_id, client_secret)
sub getEndPointAuthenticationCredentials {
my $self = shift;
my ( $client_id, $client_secret );
my $authorization = $ENV{HTTP_AUTHORIZATION};
if ( $authorization =~ /^Basic (\w+)/i ) {
$self->lmLog( "Method client_secret_basic used", 'debug' );
( $client_id, $client_secret ) = split( /:/, decode_base64($1) );
}
elsif ( $self->param('client_id') && $self->param('client_secret') ) {
$self->lmLog( "Method client_secret_post used", 'debug' );
$client_id = $self->param('client_id');
$client_secret = $self->param('client_secret');
}
return ( $client_id, $client_secret );
}
1;
@ -821,6 +841,10 @@ Print JSON error
Print JSON content
=head2 getEndPointAuthenticationCredentials
Get Client ID and Client Secret
=head1 SEE ALSO
L<Lemonldap::NG::Portal::AuthOpenIDConnect>, L<Lemonldap::NG::Portal::UserDBOpenIDConnect>