Check authentication on token endpoint (#184)
This commit is contained in:
parent
9f69f03b09
commit
968f0e065a
@ -64,7 +64,42 @@ sub issuerForUnAuthUser {
|
|||||||
$self->lmLog( "URL $url detected as an OpenID Connect TOKEN URL",
|
$self->lmLog( "URL $url detected as an OpenID Connect TOKEN URL",
|
||||||
'debug' );
|
'debug' );
|
||||||
|
|
||||||
# TODO check authorization header or other authentication scheme
|
# Check authentication
|
||||||
|
my ( $client_id, $client_secret ) =
|
||||||
|
$self->getEndPointAuthenticationCredentials();
|
||||||
|
|
||||||
|
unless ( $client_id && $client_secret ) {
|
||||||
|
$self->lmLog(
|
||||||
|
"No authentication provided to get token, or authentication type not supported",
|
||||||
|
"error"
|
||||||
|
);
|
||||||
|
$self->returnJSONError("unauthorized_client");
|
||||||
|
$self->quit;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Verify that client_id is registered in configuration
|
||||||
|
my $rp = $self->getRP($client_id);
|
||||||
|
|
||||||
|
unless ($rp) {
|
||||||
|
$self->lmLog(
|
||||||
|
"No registered Relaying Party found with client_id $client_id",
|
||||||
|
'error'
|
||||||
|
);
|
||||||
|
$self->returnJSONError("unauthorized_client");
|
||||||
|
$self->quit;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$self->lmLog( "Client id $client_id match RP $rp", 'debug' );
|
||||||
|
}
|
||||||
|
|
||||||
|
# Check client_secret
|
||||||
|
unless ( $client_secret eq $self->{oidcRPMetaDataOptions}->{$rp}
|
||||||
|
->{oidcRPMetaDataOptionsClientSecret} )
|
||||||
|
{
|
||||||
|
$self->lmLog( "Wrong credentials", "error" );
|
||||||
|
$self->returnJSONError("access_denied");
|
||||||
|
$self->quit;
|
||||||
|
}
|
||||||
|
|
||||||
# Get code session
|
# Get code session
|
||||||
my $code = $self->param('code');
|
my $code = $self->param('code');
|
||||||
@ -130,15 +165,15 @@ sub issuerForUnAuthUser {
|
|||||||
|
|
||||||
# Create id_token
|
# Create id_token
|
||||||
my $id_token_payload_hash = {
|
my $id_token_payload_hash = {
|
||||||
iss => $issuer, # Issuer Identifier
|
iss => $issuer, # Issuer Identifier
|
||||||
sub => $user_id, # Subject Identifier
|
sub => $user_id, # Subject Identifier
|
||||||
aud => "dummy", # client_id TODO
|
aud => $client_id, # Audience
|
||||||
exp => "3600", # expiration TODO
|
exp => "3600", # expiration TODO
|
||||||
iat => time, # Issued time
|
iat => time, # Issued time
|
||||||
auth_time => time # Authentication time TODO
|
auth_time => time # Authentication time TODO
|
||||||
# TODO acr
|
# TODO acr
|
||||||
# TODO amr
|
# TODO amr
|
||||||
# TODO azp
|
# TODO azp
|
||||||
};
|
};
|
||||||
|
|
||||||
# JSON and base64
|
# JSON and base64
|
||||||
@ -256,7 +291,7 @@ sub issuerForAuthUser {
|
|||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$self->lmLog(
|
$self->lmLog(
|
||||||
"Cient id "
|
"Client id "
|
||||||
. $oidc_request->{'client_id'}
|
. $oidc_request->{'client_id'}
|
||||||
. " match RP $rp",
|
. " match RP $rp",
|
||||||
'debug'
|
'debug'
|
||||||
|
@ -721,7 +721,7 @@ sub returnJSONError {
|
|||||||
print encode_json( { "error" => "$error" } );
|
print encode_json( { "error" => "$error" } );
|
||||||
}
|
}
|
||||||
|
|
||||||
## @method coid returnJSON(String content);
|
## @method void returnJSON(String content);
|
||||||
# Print JSON content
|
# Print JSON content
|
||||||
# @param content Message
|
# @param content Message
|
||||||
# @return void
|
# @return void
|
||||||
@ -731,6 +731,26 @@ sub returnJSON {
|
|||||||
print $self->header('application/json');
|
print $self->header('application/json');
|
||||||
print encode_json($content);
|
print encode_json($content);
|
||||||
}
|
}
|
||||||
|
## @method array getEndPointAuthenticationCredentials()
|
||||||
|
# Get Client ID and Client Secret
|
||||||
|
# @return array (client_id, client_secret)
|
||||||
|
sub getEndPointAuthenticationCredentials {
|
||||||
|
my $self = shift;
|
||||||
|
my ( $client_id, $client_secret );
|
||||||
|
|
||||||
|
my $authorization = $ENV{HTTP_AUTHORIZATION};
|
||||||
|
if ( $authorization =~ /^Basic (\w+)/i ) {
|
||||||
|
$self->lmLog( "Method client_secret_basic used", 'debug' );
|
||||||
|
( $client_id, $client_secret ) = split( /:/, decode_base64($1) );
|
||||||
|
}
|
||||||
|
elsif ( $self->param('client_id') && $self->param('client_secret') ) {
|
||||||
|
$self->lmLog( "Method client_secret_post used", 'debug' );
|
||||||
|
$client_id = $self->param('client_id');
|
||||||
|
$client_secret = $self->param('client_secret');
|
||||||
|
}
|
||||||
|
|
||||||
|
return ( $client_id, $client_secret );
|
||||||
|
}
|
||||||
|
|
||||||
1;
|
1;
|
||||||
|
|
||||||
@ -821,6 +841,10 @@ Print JSON error
|
|||||||
|
|
||||||
Print JSON content
|
Print JSON content
|
||||||
|
|
||||||
|
=head2 getEndPointAuthenticationCredentials
|
||||||
|
|
||||||
|
Get Client ID and Client Secret
|
||||||
|
|
||||||
=head1 SEE ALSO
|
=head1 SEE ALSO
|
||||||
|
|
||||||
L<Lemonldap::NG::Portal::AuthOpenIDConnect>, L<Lemonldap::NG::Portal::UserDBOpenIDConnect>
|
L<Lemonldap::NG::Portal::AuthOpenIDConnect>, L<Lemonldap::NG::Portal::UserDBOpenIDConnect>
|
||||||
|
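Review bot: The Basic-credential parse in getEndPointAuthenticationCredentials (hunk `@ -731,6 +731,26 @@`) matches `/^Basic (\w+)/i`, and `\w` stops at the first `+`, `/` or `=` of a base64 token, so any client whose encoded `client_id:client_secret` contains one of those characters is silently truncated before decode_base64 and then rejected as "Wrong credentials"; `$authorization` is also undef when no header is sent, which warns at the match. Tighten it to `if ( defined $authorization and $authorization =~ m{^Basic\s+([A-Za-z0-9+/=]+)}i ) {` and bound the split so a secret containing a colon survives: `( $client_id, $client_secret ) = split( /:/, decode_base64($1), 2 );`. RFC 6749 §2.3.1 additionally expects each half to be form-urlencoded, so a URI-decode of both halves after the split is presumably needed for conforming clients — verify against the clients in use. In the first hunk (inside issuerForUnAuthUser, which continues beyond it) the `eq` against `oidcRPMetaDataOptionsClientSecret` warns when an RP has no secret configured and leaks a timing difference on partial matches; a defined-check plus a length-independent comparison would be safer. RFC 6749 §5.2 defines `invalid_client` as the token-endpoint error for failed client authentication, whereas these branches return `unauthorized_client` and `access_denied`.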