Return session state for session management (#184)
This commit is contained in:
parent
d1136112f1
commit
a63918d28f
@ -583,6 +583,9 @@ sub issuerForAuthUser {
|
|||||||
# Disable further reauthentication
|
# Disable further reauthentication
|
||||||
$prompt =~ s/\blogin\b//;
|
$prompt =~ s/\blogin\b//;
|
||||||
$self->setHiddenFormValue( 'prompt', $prompt );
|
$self->setHiddenFormValue( 'prompt', $prompt );
|
||||||
|
|
||||||
|
# Update session_id
|
||||||
|
$session_id = $self->{sessionInfo}->{_session_id} || $self->{id};
|
||||||
}
|
}
|
||||||
|
|
||||||
# Check openid scope
|
# Check openid scope
|
||||||
@ -795,6 +798,10 @@ sub issuerForAuthUser {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Create session_state
|
||||||
|
my $session_state =
|
||||||
|
$self->createSessionState( $session_id, $client_id );
|
||||||
|
|
||||||
# Authorization Code Flow
|
# Authorization Code Flow
|
||||||
if ( $flow eq "authorizationcode" ) {
|
if ( $flow eq "authorizationcode" ) {
|
||||||
|
|
||||||
@ -816,10 +823,11 @@ sub issuerForAuthUser {
|
|||||||
);
|
);
|
||||||
|
|
||||||
# Build Response
|
# Build Response
|
||||||
my $response_url =
|
my $response_url = $self->buildAuthorizationCodeAuthnResponse(
|
||||||
$self->buildAuthorizationCodeAuthnResponse(
|
|
||||||
$oidc_request->{'redirect_uri'},
|
$oidc_request->{'redirect_uri'},
|
||||||
$code, $oidc_request->{'state'} );
|
$code, $oidc_request->{'state'},
|
||||||
|
$session_state
|
||||||
|
);
|
||||||
|
|
||||||
$self->lmLog( "Redirect user to $response_url", 'debug' );
|
$self->lmLog( "Redirect user to $response_url", 'debug' );
|
||||||
$self->{'urldc'} = $response_url;
|
$self->{'urldc'} = $response_url;
|
||||||
@ -916,11 +924,11 @@ sub issuerForAuthUser {
|
|||||||
->{oidcRPMetaDataOptionsAccessTokenExpiration};
|
->{oidcRPMetaDataOptionsAccessTokenExpiration};
|
||||||
|
|
||||||
# Build Response
|
# Build Response
|
||||||
my $response_url =
|
my $response_url = $self->buildImplicitAuthnResponse(
|
||||||
$self->buildImplicitAuthnResponse(
|
|
||||||
$oidc_request->{'redirect_uri'},
|
$oidc_request->{'redirect_uri'},
|
||||||
$access_token, $id_token, $expires_in,
|
$access_token, $id_token, $expires_in, $oidc_request->{'state'},
|
||||||
$oidc_request->{'state'} );
|
$session_state
|
||||||
|
);
|
||||||
|
|
||||||
$self->lmLog( "Redirect user to $response_url", 'debug' );
|
$self->lmLog( "Redirect user to $response_url", 'debug' );
|
||||||
$self->{'urldc'} = $response_url;
|
$self->{'urldc'} = $response_url;
|
||||||
@ -1037,10 +1045,12 @@ sub issuerForAuthUser {
|
|||||||
->{oidcRPMetaDataOptionsAccessTokenExpiration};
|
->{oidcRPMetaDataOptionsAccessTokenExpiration};
|
||||||
|
|
||||||
# Build Response
|
# Build Response
|
||||||
my $response_url =
|
my $response_url = $self->buildHybridAuthnResponse(
|
||||||
$self->buildHybridAuthnResponse( $oidc_request->{'redirect_uri'},
|
$oidc_request->{'redirect_uri'},
|
||||||
$code, $access_token, $id_token, $expires_in,
|
$code, $access_token, $id_token, $expires_in,
|
||||||
$oidc_request->{'state'} );
|
$oidc_request->{'state'},
|
||||||
|
$session_state
|
||||||
|
);
|
||||||
|
|
||||||
$self->lmLog( "Redirect user to $response_url", 'debug' );
|
$self->lmLog( "Redirect user to $response_url", 'debug' );
|
||||||
$self->{'urldc'} = $response_url;
|
$self->{'urldc'} = $response_url;
|
||||||
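Review bot: The value handed to createSessionState in the `-795` hunk is the SSO session identifier itself (`$session_id = $self->{sessionInfo}->{_session_id} || $self->{id};`), so each RP receives, in a redirect URL, a SHA-256 over the user's session cookie value combined only with public inputs (client_id and a salt that is carried inside session_state). That ties the opacity of session_state to the entropy of the session id; a dedicated browser-state value stored with the session (the "OP browser state" of the Session Management spec) would decouple session_state from the cookie, but I cannot see how `_session_id` is generated, so treat this as a design question rather than a defect. The `# Update session_id` comment should also say why two sources are consulted, e.g. `# Derive session_state from the SSO session id (_session_id when set, else $self->{id}) — TODO document when each applies`. issuerForAuthUser starts and ends outside these hunks, so the declaration of `$session_id` and `$client_id` is not visible here.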
|
@ -282,14 +282,15 @@ sub buildAuthorizationCodeAuthnRequest {
|
|||||||
return $authn_uri;
|
return $authn_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
## @method String buildAuthorizationCodeAuthnResponse(String redirect_uri, String code, String state)
|
## @method String buildAuthorizationCodeAuthnResponse(String redirect_uri, String code, String state, String session_state)
|
||||||
# Build Authentication Response URI for Authorization Code Flow
|
# Build Authentication Response URI for Authorization Code Flow
|
||||||
# @param redirect_uri Redirect URI
|
# @param redirect_uri Redirect URI
|
||||||
# @param code Code
|
# @param code Code
|
||||||
# @param state State
|
# @param state State
|
||||||
|
# @param session_state Session state
|
||||||
# return String Authentication Response URI
|
# return String Authentication Response URI
|
||||||
sub buildAuthorizationCodeAuthnResponse {
|
sub buildAuthorizationCodeAuthnResponse {
|
||||||
my ( $self, $redirect_uri, $code, $state ) = splice @_;
|
my ( $self, $redirect_uri, $code, $state, $session_state ) = splice @_;
|
||||||
|
|
||||||
my $response_url = $redirect_uri;
|
my $response_url = $redirect_uri;
|
||||||
|
|
||||||
@ -301,19 +302,25 @@ sub buildAuthorizationCodeAuthnResponse {
|
|||||||
$response_url .= "&state=" . uri_escape($state);
|
$response_url .= "&state=" . uri_escape($state);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ($session_state) {
|
||||||
|
$response_url .= "&session_state=" . uri_escape($session_state);
|
||||||
|
}
|
||||||
|
|
||||||
return $response_url;
|
return $response_url;
|
||||||
}
|
}
|
||||||
|
|
||||||
## @method String buildImplicitAuthnResponse(String redirect_uri, String access_token, String id_token, String expires_in, String state)
|
## @method String buildImplicitAuthnResponse(String redirect_uri, String access_token, String id_token, String expires_in, String state, String session_state)
|
||||||
# Build Authentication Response URI for Implicit Flow
|
# Build Authentication Response URI for Implicit Flow
|
||||||
# @param redirect_uri Redirect URI
|
# @param redirect_uri Redirect URI
|
||||||
# @param access_token Access token
|
# @param access_token Access token
|
||||||
# @param id_token ID token
|
# @param id_token ID token
|
||||||
# @param expires_in Expiration of access token
|
# @param expires_in Expiration of access token
|
||||||
# @param state State
|
# @param state State
|
||||||
|
# @param session_state Session state
|
||||||
# return String Authentication Response URI
|
# return String Authentication Response URI
|
||||||
sub buildImplicitAuthnResponse {
|
sub buildImplicitAuthnResponse {
|
||||||
my ( $self, $redirect_uri, $access_token, $id_token, $expires_in, $state )
|
my ( $self, $redirect_uri, $access_token, $id_token, $expires_in, $state,
|
||||||
|
$session_state )
|
||||||
= splice @_;
|
= splice @_;
|
||||||
|
|
||||||
my $response_url = $redirect_uri;
|
my $response_url = $redirect_uri;
|
||||||
@ -333,10 +340,14 @@ sub buildImplicitAuthnResponse {
|
|||||||
$response_url .= "&state=" . uri_escape($state);
|
$response_url .= "&state=" . uri_escape($state);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ($session_state) {
|
||||||
|
$response_url .= "&session_state=" . uri_escape($session_state);
|
||||||
|
}
|
||||||
|
|
||||||
return $response_url;
|
return $response_url;
|
||||||
}
|
}
|
||||||
|
|
||||||
## @method String buildHybridAuthnResponse(String redirect_uri, String code, String access_token, String id_token, String expires_in, String state)
|
## @method String buildHybridAuthnResponse(String redirect_uri, String code, String access_token, String id_token, String expires_in, String state, String session_state)
|
||||||
# Build Authentication Response URI for Hybrid Flow
|
# Build Authentication Response URI for Hybrid Flow
|
||||||
# @param redirect_uri Redirect URI
|
# @param redirect_uri Redirect URI
|
||||||
# @param code Code
|
# @param code Code
|
||||||
@ -344,11 +355,13 @@ sub buildImplicitAuthnResponse {
|
|||||||
# @param id_token ID token
|
# @param id_token ID token
|
||||||
# @param expires_in Expiration of access token
|
# @param expires_in Expiration of access token
|
||||||
# @param state State
|
# @param state State
|
||||||
|
# @param session_state Session state
|
||||||
# return String Authentication Response URI
|
# return String Authentication Response URI
|
||||||
sub buildHybridAuthnResponse {
|
sub buildHybridAuthnResponse {
|
||||||
my ( $self, $redirect_uri, $code, $access_token, $id_token, $expires_in,
|
my (
|
||||||
$state )
|
$self, $redirect_uri, $code, $access_token,
|
||||||
= splice @_;
|
$id_token, $expires_in, $state, $session_state
|
||||||
|
) = splice @_;
|
||||||
|
|
||||||
my $response_url = $redirect_uri;
|
my $response_url = $redirect_uri;
|
||||||
|
|
||||||
@ -371,6 +384,10 @@ sub buildHybridAuthnResponse {
|
|||||||
$response_url .= "&state=" . uri_escape($state);
|
$response_url .= "&state=" . uri_escape($state);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ($session_state) {
|
||||||
|
$response_url .= "&session_state=" . uri_escape($session_state);
|
||||||
|
}
|
||||||
|
|
||||||
return $response_url;
|
return $response_url;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1356,6 +1373,22 @@ sub buildLogoutResponse {
|
|||||||
return $response_url;
|
return $response_url;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
## @method String createSessionState(String session_id, String client_id)
|
||||||
|
# Create session_state parameter
|
||||||
|
# @param session_id Session ID
|
||||||
|
# @param client_id CLient ID
|
||||||
|
# return String Session state
|
||||||
|
sub createSessionState {
|
||||||
|
my ( $self, $session_id, $client_id ) = splice @_;
|
||||||
|
|
||||||
|
my $salt = encode_base64url( $self->{cipher}->encrypt($client_id) );
|
||||||
|
my $data = $client_id . " " . $session_id . " " . $salt;
|
||||||
|
|
||||||
|
my $session_state = sha256_base64($data) . "." . $salt;
|
||||||
|
|
||||||
|
return $session_state;
|
||||||
|
}
|
||||||
|
|
||||||
1;
|
1;
|
||||||
|
|
||||||
__END__
|
__END__
|
||||||
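Review bot: In createSessionState (hunk `-1356`) the salt is `encode_base64url( $self->{cipher}->encrypt($client_id) )`, which discloses to every RP a ciphertext of a known plaintext under the OP's internal cipher key, and if that encrypt call is deterministic the salt is a fixed function of client_id and adds no per-issuance variation. Unless the check-session side needs to recover client_id by decrypting the salt (not visible here), a random salt from a CSPRNG fills the same role without revealing anything about the cipher, since the verifier recomputes the hash from the salt carried in session_state. Two smaller points: the block `if ($session_state) { $response_url .= "&session_state=" . uri_escape($session_state); }` is now copy-pasted into all three build*AuthnResponse subs and could be one private helper, and the doc line `# @param client_id CLient ID` should read `Client ID`. `sha256_base64` and `encode_base64url` must already be imported (Digest::SHA / MIME::Base64); the import block is outside the hunks, so please confirm.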
|