Check redirect_uri (#184)

This commit is contained in:
Clément Oudot 2015-03-30 12:58:56 +00:00
parent 798ade94a8
commit b14ec43a88
3 changed files with 87 additions and 44 deletions


@ -316,8 +316,9 @@ sub cstruct {
%$h, %$h,
oidcRPMetaDataNode => { oidcRPMetaDataNode => {
$k2 => { $k2 => {
_nodes => _nodes => [
[qw(oidcRPMetaDataExportedVars oidcRPMetaDataOptions)], qw(oidcRPMetaDataExportedVars oidcRPMetaDataOptions)
],
oidcRPMetaDataExportedVars => { oidcRPMetaDataExportedVars => {
_nodes => _nodes =>
["hash:/oidcRPMetaDataExportedVars/$k2:vars:btext"], ["hash:/oidcRPMetaDataExportedVars/$k2:vars:btext"],
@ -325,24 +326,36 @@ sub cstruct {
}, },
oidcRPMetaDataOptions => { oidcRPMetaDataOptions => {
_nodes => [ _nodes => [
qw(oidcRPMetaDataOptionsClientID oidcRPMetaDataOptionsClientSecret oidcRPMetaDataOptionsUserIDAttr oidcRPMetaDataOptionsDisplayName oidcRPMetaDataOptionsIcon oidcRPMetaDataOptionsIDTokenSignAlg oidcRPMetaDataOptionsIDTokenExpiration oidcRPMetaDataOptionsAccessTokenExpiration) qw(oidcRPMetaDataOptionsAuthentication oidcRPMetaDataOptionsDisplay oidcRPMetaDataOptionsUserIDAttr oidcRPMetaDataOptionsIDTokenSignAlg oidcRPMetaDataOptionsIDTokenExpiration oidcRPMetaDataOptionsAccessTokenExpiration oidcRPMetaDataOptionsRedirectUris)
],
oidcRPMetaDataOptionsAuthentication => {
_nodes => [
qw(oidcRPMetaDataOptionsClientID oidcRPMetaDataOptionsClientSecret)
], ],
oidcRPMetaDataOptionsClientID => oidcRPMetaDataOptionsClientID =>
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsClientID", "text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsClientID",
oidcRPMetaDataOptionsClientSecret => oidcRPMetaDataOptionsClientSecret =>
"password:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsClientSecret", "password:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsClientSecret",
oidcRPMetaDataOptionsUserIDAttr => },
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsUserIDAttr", oidcRPMetaDataOptionsDisplay => {
_nodes => [
qw(oidcRPMetaDataOptionsDisplayName oidcRPMetaDataOptionsIcon)
],
oidcRPMetaDataOptionsDisplayName => oidcRPMetaDataOptionsDisplayName =>
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsDisplayName", "text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsDisplayName",
oidcRPMetaDataOptionsIcon => oidcRPMetaDataOptionsIcon =>
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsIcon", "text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsIcon",
},
oidcRPMetaDataOptionsUserIDAttr =>
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsUserIDAttr",
oidcRPMetaDataOptionsIDTokenSignAlg => oidcRPMetaDataOptionsIDTokenSignAlg =>
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsIDTokenSignAlg", "text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsIDTokenSignAlg",
oidcRPMetaDataOptionsIDTokenExpiration => oidcRPMetaDataOptionsIDTokenExpiration =>
"int:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsIDTokenExpiration", "int:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsIDTokenExpiration",
oidcRPMetaDataOptionsAccessTokenExpiration => oidcRPMetaDataOptionsAccessTokenExpiration =>
"int:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsAccessTokenExpiration", "int:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsAccessTokenExpiration",
oidcRPMetaDataOptionsRedirectUris =>
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsRedirectUris",
}, },
}, },
}, },
@ -1603,7 +1616,7 @@ sub struct {
oidcServiceMetaDataSecurity => { oidcServiceMetaDataSecurity => {
_nodes => _nodes =>
[ qw(oidcServicePrivateKeySig oidcServicePublicKeySig) ], [qw(oidcServicePrivateKeySig oidcServicePublicKeySig)],
oidcServicePrivateKeySig => oidcServicePrivateKeySig =>
'filearea:/oidcServicePrivateKeySig', 'filearea:/oidcServicePrivateKeySig',
oidcServicePublicKeySig => 'filearea:/oidcServicePublicKeySig', oidcServicePublicKeySig => 'filearea:/oidcServicePublicKeySig',
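Review bot: `oidcRPMetaDataOptionsRedirectUris` at lines 53-54 is declared as a plain `text:` field with nothing saying that it holds several values, while the issuer code in this same commit splits the value on whitespace and compares each entry with `eq`; a comment above the key such as `# whitespace-separated list of allowed redirect URIs, matched exactly` would keep the manager form and its consumer in step. The `text:` type also reads as a single-line input, whereas the exported-vars node in the first hunk uses `btext`; if RPs are expected to register more than a couple of URIs, a multi-line type may fit better, which is worth confirming against the manager's field types. The third hunk is whitespace only; the point concerns the first two, both inside cstruct, whose body starts and ends outside this section.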


@ -290,12 +290,15 @@ sub en {
oidcRPMetaDataNode => 'OpenID Connect Relying Parties', oidcRPMetaDataNode => 'OpenID Connect Relying Parties',
oidcRPMetaDataOptions => 'Options', oidcRPMetaDataOptions => 'Options',
oidcRPMetaDataOptionsAccessTokenExpiration => 'Access Token expiration', oidcRPMetaDataOptionsAccessTokenExpiration => 'Access Token expiration',
oidcRPMetaDataOptionsAuthentication => 'Authentication',
oidcRPMetaDataOptionsClientID => 'Client ID', oidcRPMetaDataOptionsClientID => 'Client ID',
oidcRPMetaDataOptionsClientSecret => 'Client secret', oidcRPMetaDataOptionsClientSecret => 'Client secret',
oidcRPMetaDataOptionsDisplay => 'Display',
oidcRPMetaDataOptionsDisplayName => 'Display name', oidcRPMetaDataOptionsDisplayName => 'Display name',
oidcRPMetaDataOptionsIcon => 'Logo', oidcRPMetaDataOptionsIcon => 'Logo',
oidcRPMetaDataOptionsIDTokenExpiration => 'ID Token expiration', oidcRPMetaDataOptionsIDTokenExpiration => 'ID Token expiration',
oidcRPMetaDataOptionsIDTokenSignAlg => 'ID Token signature algorithm', oidcRPMetaDataOptionsIDTokenSignAlg => 'ID Token signature algorithm',
oidcRPMetaDataOptionsRedirectUris => 'Redirection addresses',
oidcRPMetaDataOptionsUserIDAttr => 'User ID attribute', oidcRPMetaDataOptionsUserIDAttr => 'User ID attribute',
oidcRPStateTimeout => 'State session timeout', oidcRPStateTimeout => 'State session timeout',
oidcServiceMetaData => 'OpenID Connect Service', oidcServiceMetaData => 'OpenID Connect Service',
@ -851,14 +854,17 @@ sub fr {
oidcRPMetaDataOptions => 'Options', oidcRPMetaDataOptions => 'Options',
oidcRPMetaDataOptionsAccessTokenExpiration => oidcRPMetaDataOptionsAccessTokenExpiration =>
"Expiration des jetons d'accès", "Expiration des jetons d'accès",
oidcRPMetaDataOptionsAuthentication => 'Authentification',
oidcRPMetaDataOptionsClientID => 'Identifiant', oidcRPMetaDataOptionsClientID => 'Identifiant',
oidcRPMetaDataOptionsClientSecret => 'Mot de passe', oidcRPMetaDataOptionsClientSecret => 'Mot de passe',
oidcRPMetaDataOptionsDisplay => 'Affichage',
oidcRPMetaDataOptionsDisplayName => 'Nom d\'affichage', oidcRPMetaDataOptionsDisplayName => 'Nom d\'affichage',
oidcRPMetaDataOptionsIcon => 'Logo', oidcRPMetaDataOptionsIcon => 'Logo',
oidcRPMetaDataOptionsIDTokenExpiration => oidcRPMetaDataOptionsIDTokenExpiration =>
"Expiration des jetons d'identité", "Expiration des jetons d'identité",
oidcRPMetaDataOptionsIDTokenSignAlg => oidcRPMetaDataOptionsIDTokenSignAlg =>
"Algorithme de signature des jetons d'identité", "Algorithme de signature des jetons d'identité",
oidcRPMetaDataOptionsRedirectUris => 'Adresses de redirection',
oidcRPMetaDataOptionsUserIDAttr => "Attribut de l'identifiant", oidcRPMetaDataOptionsUserIDAttr => "Attribut de l'identifiant",
oidcRPStateTimeout => 'Durée d\'une session state', oidcRPStateTimeout => 'Durée d\'une session state',
oidcServiceMetaData => "Service OpenID Connect", oidcServiceMetaData => "Service OpenID Connect",


@ -521,6 +521,30 @@ sub issuerForAuthUser {
$self->lmLog( "Client id $client_id match RP $rp", 'debug' ); $self->lmLog( "Client id $client_id match RP $rp", 'debug' );
} }
# Check redirect_uri
my $redirect_uri = $oidc_request->{'redirect_uri'};
my $redirect_uris = $self->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsRedirectUris};
if ($redirect_uris) {
my $redirect_uri_allowed = 0;
foreach ( split( /\s+/, $redirect_uris ) ) {
$redirect_uri_allowed = 1 if $redirect_uri eq $_;
}
unless ($redirect_uri_allowed) {
$self->lmLog( "Redirect URI $redirect_uri not allowed",
'error' );
$self->returnRedirectError(
$oidc_request->{'redirect_uri'},
"invalid_request",
"redirect_uri $redirect_uri not allowed",
undef,
$oidc_request->{'state'},
( $flow ne "authorizationcode" )
);
}
}
# Check id_token_hint # Check id_token_hint
my $id_token_hint = $oidc_request->{'id_token_hint'}; my $id_token_hint = $oidc_request->{'id_token_hint'};
if ($id_token_hint) { if ($id_token_hint) {
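Review bot: When the redirect_uri is rejected, the error at lines 120-121 is still delivered through returnRedirectError to `$oidc_request->{'redirect_uri'}`, the very address that just failed validation; RFC 6749 §3.1.2.4 says a mismatched redirect_uri must never be redirected to, so this branch should show the error to the user-agent directly, and unless returnRedirectError ends the request (not visible here) it also needs an explicit `return` so the flow does not continue past the check. The `if ($redirect_uris)` guard fails open: an RP with no registered redirect URIs accepts any redirect_uri, so an empty list should probably mean "nothing allowed", or at least be logged at warn level. `split( /\s+/, $redirect_uris )` also yields an empty first element when the stored value has leading whitespace, which would match an empty or missing redirect_uri (with an uninitialised-value warning); `my $redirect_uri_allowed = defined $redirect_uri && grep { $_ eq $redirect_uri } split( ' ', $redirect_uris );` avoids both problems and replaces the loop. issuerForAuthUser starts and ends outside this hunk.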