Check redirect_uri (#184)
parent
798ade94a8
commit
b14ec43a88
@ -316,8 +316,9 @@ sub cstruct {
|
|||||||
%$h,
|
%$h,
|
||||||
oidcRPMetaDataNode => {
|
oidcRPMetaDataNode => {
|
||||||
$k2 => {
|
$k2 => {
|
||||||
_nodes =>
|
_nodes => [
|
||||||
[qw(oidcRPMetaDataExportedVars oidcRPMetaDataOptions)],
|
qw(oidcRPMetaDataExportedVars oidcRPMetaDataOptions)
|
||||||
|
],
|
||||||
oidcRPMetaDataExportedVars => {
|
oidcRPMetaDataExportedVars => {
|
||||||
_nodes =>
|
_nodes =>
|
||||||
["hash:/oidcRPMetaDataExportedVars/$k2:vars:btext"],
|
["hash:/oidcRPMetaDataExportedVars/$k2:vars:btext"],
|
||||||
@ -325,24 +326,36 @@ sub cstruct {
|
|||||||
},
|
},
|
||||||
oidcRPMetaDataOptions => {
|
oidcRPMetaDataOptions => {
|
||||||
_nodes => [
|
_nodes => [
|
||||||
qw(oidcRPMetaDataOptionsClientID oidcRPMetaDataOptionsClientSecret oidcRPMetaDataOptionsUserIDAttr oidcRPMetaDataOptionsDisplayName oidcRPMetaDataOptionsIcon oidcRPMetaDataOptionsIDTokenSignAlg oidcRPMetaDataOptionsIDTokenExpiration oidcRPMetaDataOptionsAccessTokenExpiration)
|
qw(oidcRPMetaDataOptionsAuthentication oidcRPMetaDataOptionsDisplay oidcRPMetaDataOptionsUserIDAttr oidcRPMetaDataOptionsIDTokenSignAlg oidcRPMetaDataOptionsIDTokenExpiration oidcRPMetaDataOptionsAccessTokenExpiration oidcRPMetaDataOptionsRedirectUris)
|
||||||
|
],
|
||||||
|
oidcRPMetaDataOptionsAuthentication => {
|
||||||
|
_nodes => [
|
||||||
|
qw(oidcRPMetaDataOptionsClientID oidcRPMetaDataOptionsClientSecret)
|
||||||
],
|
],
|
||||||
oidcRPMetaDataOptionsClientID =>
|
oidcRPMetaDataOptionsClientID =>
|
||||||
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsClientID",
|
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsClientID",
|
||||||
oidcRPMetaDataOptionsClientSecret =>
|
oidcRPMetaDataOptionsClientSecret =>
|
||||||
"password:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsClientSecret",
|
"password:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsClientSecret",
|
||||||
oidcRPMetaDataOptionsUserIDAttr =>
|
},
|
||||||
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsUserIDAttr",
|
oidcRPMetaDataOptionsDisplay => {
|
||||||
|
_nodes => [
|
||||||
|
qw(oidcRPMetaDataOptionsDisplayName oidcRPMetaDataOptionsIcon)
|
||||||
|
],
|
||||||
oidcRPMetaDataOptionsDisplayName =>
|
oidcRPMetaDataOptionsDisplayName =>
|
||||||
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsDisplayName",
|
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsDisplayName",
|
||||||
oidcRPMetaDataOptionsIcon =>
|
oidcRPMetaDataOptionsIcon =>
|
||||||
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsIcon",
|
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsIcon",
|
||||||
|
},
|
||||||
|
oidcRPMetaDataOptionsUserIDAttr =>
|
||||||
|
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsUserIDAttr",
|
||||||
oidcRPMetaDataOptionsIDTokenSignAlg =>
|
oidcRPMetaDataOptionsIDTokenSignAlg =>
|
||||||
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsIDTokenSignAlg",
|
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsIDTokenSignAlg",
|
||||||
oidcRPMetaDataOptionsIDTokenExpiration =>
|
oidcRPMetaDataOptionsIDTokenExpiration =>
|
||||||
"int:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsIDTokenExpiration",
|
"int:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsIDTokenExpiration",
|
||||||
oidcRPMetaDataOptionsAccessTokenExpiration =>
|
oidcRPMetaDataOptionsAccessTokenExpiration =>
|
||||||
"int:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsAccessTokenExpiration",
|
"int:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsAccessTokenExpiration",
|
||||||
|
oidcRPMetaDataOptionsRedirectUris =>
|
||||||
|
"text:/oidcRPMetaDataOptions/$k2/oidcRPMetaDataOptionsRedirectUris",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@ -1603,7 +1616,7 @@ sub struct {
|
|||||||
|
|
||||||
oidcServiceMetaDataSecurity => {
|
oidcServiceMetaDataSecurity => {
|
||||||
_nodes =>
|
_nodes =>
|
||||||
[ qw(oidcServicePrivateKeySig oidcServicePublicKeySig) ],
|
[qw(oidcServicePrivateKeySig oidcServicePublicKeySig)],
|
||||||
oidcServicePrivateKeySig =>
|
oidcServicePrivateKeySig =>
|
||||||
'filearea:/oidcServicePrivateKeySig',
|
'filearea:/oidcServicePrivateKeySig',
|
||||||
oidcServicePublicKeySig => 'filearea:/oidcServicePublicKeySig',
|
oidcServicePublicKeySig => 'filearea:/oidcServicePublicKeySig',
|
||||||
|
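Review bot: `oidcRPMetaDataOptionsRedirectUris` is declared in cstruct as a plain `text:` field, but the consumer added in issuerForAuthUser splits its value on whitespace, compares each entry exactly, and skips the check when the value is empty, none of which is visible from this definition. A short comment beside the new entry would help operators fill it correctly, e.g. `# whitespace-separated list of exact redirect_uri values; empty disables the check`; if the manager offers a multi-line text type, that may suit a list better, though the available types are defined elsewhere. The struct hunk in the same file only reformats the oidcServiceMetaDataSecurity `_nodes` line. cstruct starts and ends outside these hunks.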
@ -290,12 +290,15 @@ sub en {
|
|||||||
oidcRPMetaDataNode => 'OpenID Connect Relying Parties',
|
oidcRPMetaDataNode => 'OpenID Connect Relying Parties',
|
||||||
oidcRPMetaDataOptions => 'Options',
|
oidcRPMetaDataOptions => 'Options',
|
||||||
oidcRPMetaDataOptionsAccessTokenExpiration => 'Access Token expiration',
|
oidcRPMetaDataOptionsAccessTokenExpiration => 'Access Token expiration',
|
||||||
|
oidcRPMetaDataOptionsAuthentication => 'Authentication',
|
||||||
oidcRPMetaDataOptionsClientID => 'Client ID',
|
oidcRPMetaDataOptionsClientID => 'Client ID',
|
||||||
oidcRPMetaDataOptionsClientSecret => 'Client secret',
|
oidcRPMetaDataOptionsClientSecret => 'Client secret',
|
||||||
|
oidcRPMetaDataOptionsDisplay => 'Display',
|
||||||
oidcRPMetaDataOptionsDisplayName => 'Display name',
|
oidcRPMetaDataOptionsDisplayName => 'Display name',
|
||||||
oidcRPMetaDataOptionsIcon => 'Logo',
|
oidcRPMetaDataOptionsIcon => 'Logo',
|
||||||
oidcRPMetaDataOptionsIDTokenExpiration => 'ID Token expiration',
|
oidcRPMetaDataOptionsIDTokenExpiration => 'ID Token expiration',
|
||||||
oidcRPMetaDataOptionsIDTokenSignAlg => 'ID Token signature algorithm',
|
oidcRPMetaDataOptionsIDTokenSignAlg => 'ID Token signature algorithm',
|
||||||
|
oidcRPMetaDataOptionsRedirectUris => 'Redirection addresses',
|
||||||
oidcRPMetaDataOptionsUserIDAttr => 'User ID attribute',
|
oidcRPMetaDataOptionsUserIDAttr => 'User ID attribute',
|
||||||
oidcRPStateTimeout => 'State session timeout',
|
oidcRPStateTimeout => 'State session timeout',
|
||||||
oidcServiceMetaData => 'OpenID Connect Service',
|
oidcServiceMetaData => 'OpenID Connect Service',
|
||||||
@ -851,14 +854,17 @@ sub fr {
|
|||||||
oidcRPMetaDataOptions => 'Options',
|
oidcRPMetaDataOptions => 'Options',
|
||||||
oidcRPMetaDataOptionsAccessTokenExpiration =>
|
oidcRPMetaDataOptionsAccessTokenExpiration =>
|
||||||
"Expiration des jetons d'accès",
|
"Expiration des jetons d'accès",
|
||||||
|
oidcRPMetaDataOptionsAuthentication => 'Authentification',
|
||||||
oidcRPMetaDataOptionsClientID => 'Identifiant',
|
oidcRPMetaDataOptionsClientID => 'Identifiant',
|
||||||
oidcRPMetaDataOptionsClientSecret => 'Mot de passe',
|
oidcRPMetaDataOptionsClientSecret => 'Mot de passe',
|
||||||
|
oidcRPMetaDataOptionsDisplay => 'Affichage',
|
||||||
oidcRPMetaDataOptionsDisplayName => 'Nom d\'affichage',
|
oidcRPMetaDataOptionsDisplayName => 'Nom d\'affichage',
|
||||||
oidcRPMetaDataOptionsIcon => 'Logo',
|
oidcRPMetaDataOptionsIcon => 'Logo',
|
||||||
oidcRPMetaDataOptionsIDTokenExpiration =>
|
oidcRPMetaDataOptionsIDTokenExpiration =>
|
||||||
"Expiration des jetons d'identité",
|
"Expiration des jetons d'identité",
|
||||||
oidcRPMetaDataOptionsIDTokenSignAlg =>
|
oidcRPMetaDataOptionsIDTokenSignAlg =>
|
||||||
"Algorithme de signature des jetons d'identité",
|
"Algorithme de signature des jetons d'identité",
|
||||||
|
oidcRPMetaDataOptionsRedirectUris => 'Adresses de redirection',
|
||||||
oidcRPMetaDataOptionsUserIDAttr => "Attribut de l'identifiant",
|
oidcRPMetaDataOptionsUserIDAttr => "Attribut de l'identifiant",
|
||||||
oidcRPStateTimeout => 'Durée d\'une session state',
|
oidcRPStateTimeout => 'Durée d\'une session state',
|
||||||
oidcServiceMetaData => "Service OpenID Connect",
|
oidcServiceMetaData => "Service OpenID Connect",
|
||||||
|
@ -521,6 +521,30 @@ sub issuerForAuthUser {
|
|||||||
$self->lmLog( "Client id $client_id match RP $rp", 'debug' );
|
$self->lmLog( "Client id $client_id match RP $rp", 'debug' );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Check redirect_uri
|
||||||
|
my $redirect_uri = $oidc_request->{'redirect_uri'};
|
||||||
|
my $redirect_uris = $self->{oidcRPMetaDataOptions}->{$rp}
|
||||||
|
->{oidcRPMetaDataOptionsRedirectUris};
|
||||||
|
|
||||||
|
if ($redirect_uris) {
|
||||||
|
my $redirect_uri_allowed = 0;
|
||||||
|
foreach ( split( /\s+/, $redirect_uris ) ) {
|
||||||
|
$redirect_uri_allowed = 1 if $redirect_uri eq $_;
|
||||||
|
}
|
||||||
|
unless ($redirect_uri_allowed) {
|
||||||
|
$self->lmLog( "Redirect URI $redirect_uri not allowed",
|
||||||
|
'error' );
|
||||||
|
$self->returnRedirectError(
|
||||||
|
$oidc_request->{'redirect_uri'},
|
||||||
|
"invalid_request",
|
||||||
|
"redirect_uri $redirect_uri not allowed",
|
||||||
|
undef,
|
||||||
|
$oidc_request->{'state'},
|
||||||
|
( $flow ne "authorizationcode" )
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
# Check id_token_hint
|
# Check id_token_hint
|
||||||
my $id_token_hint = $oidc_request->{'id_token_hint'};
|
my $id_token_hint = $oidc_request->{'id_token_hint'};
|
||||||
if ($id_token_hint) {
|
if ($id_token_hint) {
|
||||||
|
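Review bot: When the redirect_uri is rejected, the error is delivered with `$self->returnRedirectError( $oidc_request->{'redirect_uri'}, ... )`, i.e. by redirecting the user agent to the very URI the check just refused, which turns the new check into the open redirect it is meant to prevent; RFC 6749 §4.1.2.1 requires the authorization server to inform the resource owner directly and not redirect in that case, so this branch should render an error to the user and return without redirecting. The call is also not returned (no `return` before `$self->returnRedirectError(`), so unless that helper aborts the request itself, processing falls through to the id_token_hint check as if validation had passed. `if ($redirect_uris)` skips the comparison entirely when nothing is configured for the RP; a fail-closed default, or at least an error-level log, would be safer for an RP with no registered URIs. `split( /\s+/, $redirect_uris )` yields an empty first element on leading whitespace, which `eq` would then match against an empty redirect_uri; `split( ' ', $redirect_uris )` avoids that, and `$redirect_uri` should be checked with `defined` before the `eq`. issuerForAuthUser starts and ends outside the hunk.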