Check token response validity (references #183)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthOpenIDConnect.pm

@@ -101,6 +101,7 @@ sub extractFormInfo {
         my $auth_method =
           $self->{oidcOPMetaDataOptions}->{$op}
           ->{oidcOPMetaDataOptionsTokenEndpointAuthMethod};
+
         my $content =
           $self->getAuthorizationCodeAccessToken( $op, $code, $auth_method );
         return PE_ERROR unless $content;
@@ -113,6 +114,12 @@ sub extractFormInfo {
             return PE_ERROR;
         }
 
+        # Check validity of token response
+        unless ( $self->checkTokenResponseValidity($json) ) {
+            $self->lmLog( "Token response is not valid", 'error' );
+            return PE_ERROR;
+        }
+
         my $access_token = $json->{access_token};
         my $id_token     = $json->{id_token};
 

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_OpenIDConnect.pm

@@ -181,6 +181,30 @@ sub getAuthorizationCodeAccessToken {
     return $response->decoded_content;
 }
 
+## @method boolean checkTokenResponseValidity(HashRef json)
+# Check validity of Token Response
+# @param json JSON HashRef
+# return boolean 1 if the response is valid, 0 else
+sub checkTokenResponseValidity {
+    my ( $self, $json ) = splice @_;
+
+    # token_type MUST be Bearer
+    unless ( $json->{token_type} eq "Bearer" ) {
+        $self->lmLog(
+            "Token type is " . $json->{token_type} . " but must be Bearer",
+            'error' );
+        return 0;
+    }
+
+    # id_token MUST be present
+    unless ( $json->{id_token} ) {
+        $self->lmLog( "No id_token", 'error' );
+        return 0;
+    }
+
+    return 1;
+}
+
 ## @method String getUserInfo(String op, String access_token)
 # Get UserInfo response
 # @param op OpenIP Provider configuration key
@@ -533,6 +557,10 @@ Build Authentication Request URI for Authorization Code Flow
 
 Get Token response with autorization code
 
+=head2 checkTokenResponseValidity
+
+Check validity of Token Response
+
 =head2 getUserInfo
 
 Get UserInfo response