Check authentication on token endpoint (#184)
This commit is contained in:
parent
9f69f03b09
commit
968f0e065a
@ -64,7 +64,42 @@ sub issuerForUnAuthUser {
|
||||
$self->lmLog( "URL $url detected as an OpenID Connect TOKEN URL",
|
||||
'debug' );
|
||||
|
||||
# TODO check authorization header or other authentication scheme
|
||||
# Check authentication
|
||||
my ( $client_id, $client_secret ) =
|
||||
$self->getEndPointAuthenticationCredentials();
|
||||
|
||||
unless ( $client_id && $client_secret ) {
|
||||
$self->lmLog(
|
||||
"No authentication provided to get token, or authentication type not supported",
|
||||
"error"
|
||||
);
|
||||
$self->returnJSONError("unauthorized_client");
|
||||
$self->quit;
|
||||
}
|
||||
|
||||
# Verify that client_id is registered in configuration
|
||||
my $rp = $self->getRP($client_id);
|
||||
|
||||
unless ($rp) {
|
||||
$self->lmLog(
|
||||
"No registered Relaying Party found with client_id $client_id",
|
||||
'error'
|
||||
);
|
||||
$self->returnJSONError("unauthorized_client");
|
||||
$self->quit;
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Client id $client_id match RP $rp", 'debug' );
|
||||
}
|
||||
|
||||
# Check client_secret
|
||||
unless ( $client_secret eq $self->{oidcRPMetaDataOptions}->{$rp}
|
||||
->{oidcRPMetaDataOptionsClientSecret} )
|
||||
{
|
||||
$self->lmLog( "Wrong credentials", "error" );
|
||||
$self->returnJSONError("access_denied");
|
||||
$self->quit;
|
||||
}
|
||||
|
||||
# Get code session
|
||||
my $code = $self->param('code');
|
||||
@ -130,15 +165,15 @@ sub issuerForUnAuthUser {
|
||||
|
||||
# Create id_token
|
||||
my $id_token_payload_hash = {
|
||||
iss => $issuer, # Issuer Identifier
|
||||
sub => $user_id, # Subject Identifier
|
||||
aud => "dummy", # client_id TODO
|
||||
exp => "3600", # expiration TODO
|
||||
iat => time, # Issued time
|
||||
auth_time => time # Authentication time TODO
|
||||
# TODO acr
|
||||
# TODO amr
|
||||
# TODO azp
|
||||
iss => $issuer, # Issuer Identifier
|
||||
sub => $user_id, # Subject Identifier
|
||||
aud => $client_id, # Audience
|
||||
exp => "3600", # expiration TODO
|
||||
iat => time, # Issued time
|
||||
auth_time => time # Authentication time TODO
|
||||
# TODO acr
|
||||
# TODO amr
|
||||
# TODO azp
|
||||
};
|
||||
|
||||
# JSON and base64
|
||||
@ -256,7 +291,7 @@ sub issuerForAuthUser {
|
||||
}
|
||||
else {
|
||||
$self->lmLog(
|
||||
"Cient id "
|
||||
"Client id "
|
||||
. $oidc_request->{'client_id'}
|
||||
. " match RP $rp",
|
||||
'debug'
|
||||
|
@ -721,7 +721,7 @@ sub returnJSONError {
|
||||
print encode_json( { "error" => "$error" } );
|
||||
}
|
||||
|
||||
## @method coid returnJSON(String content);
|
||||
## @method void returnJSON(String content);
|
||||
# Print JSON content
|
||||
# @param content Message
|
||||
# @return void
|
||||
@ -731,6 +731,26 @@ sub returnJSON {
|
||||
print $self->header('application/json');
|
||||
print encode_json($content);
|
||||
}
|
||||
## @method array getEndPointAuthenticationCredentials()
|
||||
# Get Client ID and Client Secret
|
||||
# @return array (client_id, client_secret)
|
||||
sub getEndPointAuthenticationCredentials {
|
||||
my $self = shift;
|
||||
my ( $client_id, $client_secret );
|
||||
|
||||
my $authorization = $ENV{HTTP_AUTHORIZATION};
|
||||
if ( $authorization =~ /^Basic (\w+)/i ) {
|
||||
$self->lmLog( "Method client_secret_basic used", 'debug' );
|
||||
( $client_id, $client_secret ) = split( /:/, decode_base64($1) );
|
||||
}
|
||||
elsif ( $self->param('client_id') && $self->param('client_secret') ) {
|
||||
$self->lmLog( "Method client_secret_post used", 'debug' );
|
||||
$client_id = $self->param('client_id');
|
||||
$client_secret = $self->param('client_secret');
|
||||
}
|
||||
|
||||
return ( $client_id, $client_secret );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
@ -821,6 +841,10 @@ Print JSON error
|
||||
|
||||
Print JSON content
|
||||
|
||||
=head2 getEndPointAuthenticationCredentials
|
||||
|
||||
Get Client ID and Client Secret
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<Lemonldap::NG::Portal::AuthOpenIDConnect>, L<Lemonldap::NG::Portal::UserDBOpenIDConnect>
|
||||
|
Loading…
Reference in New Issue
Block a user