From fd8c3b1b61374a4245027d658e37e88f718e8728 Mon Sep 17 00:00:00 2001
From: Maxime Besson
Date: Tue, 14 Jun 2022 14:43:33 +0200
Subject: [PATCH] Fix #2708
---
 .../Lemonldap/NG/Portal/Auth/OpenIDConnect.pm | 8 ++----
 .../Lemonldap/NG/Portal/Lib/OpenIDConnect.pm | 28 +++++++++++++++++--
 2 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/OpenIDConnect.pm
index e21d6b5fb..967747af0 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/OpenIDConnect.pm
@@ -19,9 +19,8 @@ extends qw(
 # INTERFACE
-has opList => ( is => 'rw', default => sub { [] } );
-has opNumber => ( is => 'rw', default => 0 );
-has path => ( is => 'rw', default => 'oauth2' );
+has opList => ( is => 'rw', isa => 'ArrayRef', default => sub { [] } );
+has path => ( is => 'rw', default => 'oauth2' );
 use constant sessionKind => 'OIDC';
@@ -36,7 +35,6 @@ sub init {
 $self->logger->error("No OP configured");
 return 0;
 }
- $self->opNumber( scalar @tab );
 my @list = ();
 my $portalPath = $self->conf->{portal};
@@ -242,7 +240,7 @@ sub extractFormInfo {
 $self->logger->debug("Redirecting user to OP list");
 # Auto select provider if there is only one
- if ( $self->opNumber == 1 ) {
+ if ( @{ $self->opList } == 1 ) {
 $op = $self->opList->[0]->{val};
 $self->logger->debug("Selecting the only defined OP: $op");
 }
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
index 061dc80f2..a46ecf7f2 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
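Review bot: Removing the `opNumber` attribute in the first hunk is a change to the Auth module's public interface, and nothing in this patch shows that other readers of `$self->opNumber` (templates, plugins, tests) were updated; with a Mouse/Moose accessor a leftover call would only fail at runtime as an unknown method, so a tree-wide search is worth confirming before merge. Counting `@{ $self->opList }` directly in `extractFormInfo` is presumably the intended fix because the list can be altered after `init`, and a short comment at the `has opList` line would preserve that reasoning: `# opList is the single source of truth for the configured OPs; never cache its size`. The added `isa => 'ArrayRef'` constraint checks only the container, not that each element is a hashref carrying the `val` key that `extractFormInfo` dereferences with `$self->opList->[0]->{val}`. The enclosing `init` and `extractFormInfo` subs start and end outside their hunks.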
@@ -86,10 +86,16 @@ sub loadOPs {
 # Extract JSON data
 foreach ( keys %{ $self->conf->{oidcOPMetaDataJSON} } ) {
- $self->oidcOPList->{$_}->{conf} =
+ my $op_conf =
 $self->decodeJSON( $self->conf->{oidcOPMetaDataJSON}->{$_} );
- $self->oidcOPList->{$_}->{jwks} =
- $self->decodeJSON( $self->conf->{oidcOPMetaDataJWKS}->{$_} );
+ if ($op_conf) {
+ $self->oidcOPList->{$_}->{conf} = $op_conf;
+ $self->oidcOPList->{$_}->{jwks} =
+ $self->decodeJSON( $self->conf->{oidcOPMetaDataJWKS}->{$_} );
+ }
+ else {
+ $self->logger->warn("Could not parse OIDC metadata for $_");
+ }
 }
 # Set rule
@@ -319,6 +325,14 @@ sub buildAuthorizationCodeAuthnRequest {
 my $authorize_uri = $self->oidcOPList->{$op}->{conf}->{authorization_endpoint};
+
+ unless ($authorize_uri) {
+ $self->logger->error(
+ "Could not build Authorize request: no
+ 'authorization_endpoint'" . " in JSON metadata for OP $op"
+ );
+ return undef;
+ }
 my $client_id = $self->conf->{oidcOPMetaDataOptions}->{$op} ->{oidcOPMetaDataOptionsClientID};
@@ -482,6 +496,14 @@ sub getAuthorizationCodeAccessToken {
 my $redirect_uri = $self->getCallbackUri($req);
 my $access_token_uri = $self->oidcOPList->{$op}->{conf}->{token_endpoint};
+ unless ($access_token_uri) {
+ $self->logger->error(
+ "Could not build Token request: no
+ 'token_endpoint'" . " in JSON metadata for OP $op"
+ );
+ return 0;
+ }
+
 my $grant_type = "authorization_code";
 unless ( $auth_method =~ /^client_secret_(basic|post)$/o ) {
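Review bot: In the `loadOPs` hunk the JWKS decode inside the new `if ($op_conf)` branch is still unchecked, so an OP whose JWKS metadata is absent or malformed is loaded with `conf` set and `jwks` undefined (assuming `decodeJSON` returns a false value on failure, as the new test on `$op_conf` relies on), and the problem only surfaces later when a token signature cannot be verified, with no hint at load time. Mirroring the new warning keeps the misconfiguration visible in the logs: `$self->logger->warn("Could not parse OIDC JWKS for $_") unless $self->oidcOPList->{$_}->{jwks};`. The loop also keeps `$_` live across calls into `decodeJSON` and the logger, which is the classic clobbering trap; naming the loop variable, `foreach my $op ( keys %{ $self->conf->{oidcOPMetaDataJSON} } )`, avoids it and reads better in the warning text. `loadOPs` starts and ends outside the hunk.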
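Review bot: The new error message in `buildAuthorizationCodeAuthnRequest` is a string literal that runs across two source lines, so the logged text contains a literal newline plus the following indentation between `no` and `'authorization_endpoint'`; the Token-request message added in `getAuthorizationCodeAccessToken` below has the same defect. Closing the literal at the line end and concatenating keeps each log entry on one line: `"Could not build Authorize request: no 'authorization_endpoint'" . " in JSON metadata for OP $op"` and `"Could not build Token request: no 'token_endpoint'" . " in JSON metadata for OP $op"`. The two guards also signal failure differently, `return undef;` here and `return 0;` in the Token guard; if both callers only test for truth, a bare `return;` would be the consistent form (undef in scalar context, empty list in list context), but that depends on how the return values are consumed, which is not visible in the hunk. Note that both checks only test for presence of the endpoint, not that it is an absolute http(s) URL, so a typo in the admin-supplied metadata is still only caught at redirect time. Both enclosing subs start and end outside their hunks.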