Commit 4fc1f6af authored by Yadd's avatar Yadd
Browse files

OIDC metadata (#595)

parent 29494591
package Lemonldap::NG::Portal::Issuer::OpenIDConnect; package Lemonldap::NG::Portal::Issuer::OpenIDConnect;
use strict; use strict;
use JSON;
use Mouse; use Mouse;
use Lemonldap::NG::Portal::Main::Constants qw( use Lemonldap::NG::Portal::Main::Constants qw(
PE_CONFIRM PE_CONFIRM
...@@ -28,6 +29,8 @@ extends 'Lemonldap::NG::Portal::Main::Issuer', ...@@ -28,6 +29,8 @@ extends 'Lemonldap::NG::Portal::Main::Issuer',
# - register : => registration() for unauth users (RP) # - register : => registration() for unauth users (RP)
# #
# Other paths will be handle by run() and return PE_ERROR # Other paths will be handle by run() and return PE_ERROR
#
# .well-known/openid-configuration is handled by metadata()
sub init { sub init {
my ($self) = @_; my ($self) = @_;
...@@ -57,6 +60,16 @@ sub init { ...@@ -57,6 +60,16 @@ sub init {
oidcServiceMetaDataJWKSURI => 'badAuthRequest', oidcServiceMetaDataJWKSURI => 'badAuthRequest',
oidcServiceMetaDataRegistrationURI => 'badAuthRequest', oidcServiceMetaDataRegistrationURI => 'badAuthRequest',
); );
# Metadata (.well-known/openid-configuration)
$self->addUnauthRoute(
'.well-known' => { 'openid-configuration' => 'metadata' },
['GET']
);
$self->addAuthRoute(
'.well-known' => { 'openid-configuration' => 'metadata' },
['GET']
);
return 1; return 1;
} }
...@@ -1262,6 +1275,96 @@ sub addRouteFromConf { ...@@ -1262,6 +1275,96 @@ sub addRouteFromConf {
} }
} }
sub metadata {
my ( $self, $req ) = @_;
my $issuerDBOpenIDConnectPath = $self->conf->{issuerDBOpenIDConnectPath};
my $authorize_uri = $self->conf->{oidcServiceMetaDataAuthorizeURI};
my $token_uri = $self->conf->{oidcServiceMetaDataTokenURI};
my $userinfo_uri = $self->conf->{oidcServiceMetaDataUserInfoURI};
my $jwks_uri = $self->conf->{oidcServiceMetaDataJWKSURI};
my $registration_uri = $self->conf->{oidcServiceMetaDataRegistrationURI};
my $endsession_uri = $self->conf->{oidcServiceMetaDataEndSessionURI};
my $checksession_uri = $self->conf->{oidcServiceMetaDataCheckSessionURI};
my $path = $self->path . '/';
my $issuer = $self->conf->{oidcServiceMetaDataIssuer};
$path = "/" . $path unless ( $issuer =~ /\/$/ );
my $baseUrl = $issuer . $path;
my @acr = keys %{ $self->conf->{oidcServiceMetaDataAuthnContext} };
# Add a slash to path value if issuer has no trailing slash
# Create OpenID configuration hash;
return $self->p->sendJSONresponse(
$req,
{
issuer => $issuer,
# Endpoints
token_endpoint => $baseUrl . $token_uri,
userinfo_endpoint => $baseUrl . $userinfo_uri,
jwks_uri => $baseUrl . $jwks_uri,
authorization_endpoint => $baseUrl . $authorize_uri,
end_session_endpoint => $baseUrl . $endsession_uri,
check_session_iframe => $baseUrl . $checksession_uri,
(
$self->conf->{oidcServiceAllowDynamicRegistration}
? ( registration_endpoint => $baseUrl . $registration_uri )
: ()
),
# Scopes
scopes_supported => [qw/openid profile email address phone/],
response_types_supported => [
"code",
"id_token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
grant_types_supported => [qw/authorization_code implicit hybrid/],
acr_values_supported => \@acr,
subject_types_supported => ["public"],
token_endpoint_auth_methods_supported =>
[qw/client_secret_post client_secret_basic/],
request_parameter_supported => JSON::true,
request_uri_parameter_supported => JSON::true,
require_request_uri_registration => JSON::false,
# Algorithms
id_token_signing_alg_values_supported =>
[qw/none HS256 HS384 HS512 RS256 RS384 RS512/],
userinfo_signing_alg_values_supported =>
[qw/none HS256 HS384 HS512 RS256 RS384 RS512/],
}
);
# response_modes_supported}
# id_token_encryption_alg_values_supported
# id_token_encryption_enc_values_supported
# userinfo_encryption_alg_values_supported
# userinfo_encryption_enc_values_supported
# request_object_signing_alg_values_supported
# request_object_encryption_alg_values_supported
# request_object_encryption_enc_values_supported
# token_endpoint_auth_signing_alg_values_supported
# display_values_supported
# claim_types_supported
# RECOMMENDED # claims_supported
# service_documentation
# claims_locales_supported
# ui_locales_supported
# claims_parameter_supported
# op_policy_uri
# op_tos_uri
}
1; 1;
__END__ __END__
......
...@@ -15,6 +15,14 @@ my %handlerOR = ( issuer => [], sp => [] ); ...@@ -15,6 +15,14 @@ my %handlerOR = ( issuer => [], sp => [] );
ok( $issuer = issuer(), 'Issuer portal' ); ok( $issuer = issuer(), 'Issuer portal' );
count(1); count(1);
ok($res=$issuer->_get('/oauth2/jwks'),'Get JWKS');
count(1);
ok($res=$issuer->_get('/.well-known/openid-configuration'),'Get metadata');
count(1);
print STDERR Dumper($res);
clean_sessions(); clean_sessions();
done_testing( count() ); done_testing( count() );
...@@ -71,9 +79,45 @@ sub issuer { ...@@ -71,9 +79,45 @@ sub issuer {
'loa-3' => 3 'loa-3' => 3
}, },
oidcServicePrivateKeySig => oidcServicePrivateKeySig =>
"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAs2jsmIoFuWzMkilJaA8//5/T30cnuzX9GImXUrFR2k9EKTMt\nGMHCdKlWOl3BV+BTAU9TLz7Jzd/iJ5GJ6B8TrH1PHFmHpy8/qE/S5OhinIpIi7eb\nABqnoVcwDdCa8ugzq8k8SWxhRNXfVIlwz4NH1caJ8lmiERFj7IvNKqEhzAk0pyDr\n8hubveTC39xREujKlsqutpPAFPJ3f2ybVsdykX5rx0h5SslG3jVWYhZ/SOb2aIzO\nr0RMjhQmsYRwbpt3anjlBZ98aOzg7GAkbO8093X5VVk9vaPRg0zxJQ0Do0YLyzkR\nisSAIFb0tdKuDnjRGK6y/N2j6At2HjkxntbtGQIDAQABAoIBADYq6LxJd977LWy3\n0HT9nboFPIf+SM2qSEc/S5Po+6ipJBA4ZlZCMf7dHa6znet1TDpqA9iQ4YcqIHMH\n6xZNQ7hhgSAzG9TrXBHqP+djDlrrGWotvjuy0IfS9ixFnnLWjrtAH9afRWLuG+a/\nNHNC1M6DiiTE0TzL/lpt/zzut3CNmWzH+t19X6UsxUg95AzooEeewEYkv25eumWD\nmfQZfCtSlIw1sp/QwxeJa/6LJw7KcPZ1wXUm1BN0b9eiKt9Cmni1MS7elgpZlgGt\nxtfGTZtNLQ7bgDiM8MHzUfPBhbceNSIx2BeCuOCs/7eaqgpyYHBbAbuBQex2H61l\nLcc3Tz0CgYEA4Kx/avpCPxnvsJ+nHVQm5d/WERuDxk4vH1DNuCYBvXTdVCGADf6a\nF5No1JcTH3nPTyPWazOyGdT9LcsEJicLyD8vCM6hBFstG4XjqcAuqG/9DRsElpHQ\nyi1zc5DNP7Vxmiz9wII0Mjy0abYKtxnXh9YK4a9g6wrcTpvShhIcIb8CgYEAzGzG\nlorVCfX9jXULIznnR/uuP5aSnTEsn0xJeqTlbW0RFWLdj8aIL1peirh1X89HroB9\nGeTNqEJXD+3CVL2cx+BRggMDUmEz4hR59meZCDGUyT5fex4LIsceb/ESUl2jo6Sw\nHXwWbN67rQ55N4oiOcOppsGxzOHkl5HdExKidycCgYEAr5Qev2tz+fw65LzfzHvH\nKj4S/KuT/5V6He731cFd+sEpdmX3vPgLVAFPG1Q1DZQT/rTzDDQKK0XX1cGiLG63\nNnaqOye/jbfzOF8Z277kt51NFMDYhRLPKDD82IOA4xjY/rPKWndmcxwdob8yAIWh\nefY76sMz6ntCT+xWSZA9i+ECgYBWMZM2TIlxLsBfEbfFfZewOUWKWEGvd9l5vV/K\nD5cRIYivfMUw5yPq2267jPUolayCvniBH4E7beVpuPVUZ7KgcEvNxtlytbt7muil\n5Z6X3tf+VodJ0Swe2NhTmNEB26uwxzLe68BE3VFCsbSYn2y48HAq+MawPZr18bHG\nZfgMxwKBgHHRg6HYqF5Pegzk1746uH2G+OoCovk5ylGGYzcH2ghWTK4agCHfBcDt\nEYqYAev/l82wi+OZ5O8U+qjFUpT1CVeUJdDs0o5u19v0UJjunU1cwh9jsxBZAWLy\nPAGd6SWf4S3uQCTw6dLeMna25YIlPh5qPA6I/pAahe8e3nSu2ckl\n-----END RSA PRIVATE KEY-----\n", "-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAs2jsmIoFuWzMkilJaA8//5/T30cnuzX9GImXUrFR2k9EKTMt
GMHCdKlWOl3BV+BTAU9TLz7Jzd/iJ5GJ6B8TrH1PHFmHpy8/qE/S5OhinIpIi7eb
ABqnoVcwDdCa8ugzq8k8SWxhRNXfVIlwz4NH1caJ8lmiERFj7IvNKqEhzAk0pyDr
8hubveTC39xREujKlsqutpPAFPJ3f2ybVsdykX5rx0h5SslG3jVWYhZ/SOb2aIzO
r0RMjhQmsYRwbpt3anjlBZ98aOzg7GAkbO8093X5VVk9vaPRg0zxJQ0Do0YLyzkR
isSAIFb0tdKuDnjRGK6y/N2j6At2HjkxntbtGQIDAQABAoIBADYq6LxJd977LWy3
0HT9nboFPIf+SM2qSEc/S5Po+6ipJBA4ZlZCMf7dHa6znet1TDpqA9iQ4YcqIHMH
6xZNQ7hhgSAzG9TrXBHqP+djDlrrGWotvjuy0IfS9ixFnnLWjrtAH9afRWLuG+a/
NHNC1M6DiiTE0TzL/lpt/zzut3CNmWzH+t19X6UsxUg95AzooEeewEYkv25eumWD
mfQZfCtSlIw1sp/QwxeJa/6LJw7KcPZ1wXUm1BN0b9eiKt9Cmni1MS7elgpZlgGt
xtfGTZtNLQ7bgDiM8MHzUfPBhbceNSIx2BeCuOCs/7eaqgpyYHBbAbuBQex2H61l
Lcc3Tz0CgYEA4Kx/avpCPxnvsJ+nHVQm5d/WERuDxk4vH1DNuCYBvXTdVCGADf6a
F5No1JcTH3nPTyPWazOyGdT9LcsEJicLyD8vCM6hBFstG4XjqcAuqG/9DRsElpHQ
yi1zc5DNP7Vxmiz9wII0Mjy0abYKtxnXh9YK4a9g6wrcTpvShhIcIb8CgYEAzGzG
lorVCfX9jXULIznnR/uuP5aSnTEsn0xJeqTlbW0RFWLdj8aIL1peirh1X89HroB9
GeTNqEJXD+3CVL2cx+BRggMDUmEz4hR59meZCDGUyT5fex4LIsceb/ESUl2jo6Sw
HXwWbN67rQ55N4oiOcOppsGxzOHkl5HdExKidycCgYEAr5Qev2tz+fw65LzfzHvH
Kj4S/KuT/5V6He731cFd+sEpdmX3vPgLVAFPG1Q1DZQT/rTzDDQKK0XX1cGiLG63
NnaqOye/jbfzOF8Z277kt51NFMDYhRLPKDD82IOA4xjY/rPKWndmcxwdob8yAIWh
efY76sMz6ntCT+xWSZA9i+ECgYBWMZM2TIlxLsBfEbfFfZewOUWKWEGvd9l5vV/K
D5cRIYivfMUw5yPq2267jPUolayCvniBH4E7beVpuPVUZ7KgcEvNxtlytbt7muil
5Z6X3tf+VodJ0Swe2NhTmNEB26uwxzLe68BE3VFCsbSYn2y48HAq+MawPZr18bHG
ZfgMxwKBgHHRg6HYqF5Pegzk1746uH2G+OoCovk5ylGGYzcH2ghWTK4agCHfBcDt
EYqYAev/l82wi+OZ5O8U+qjFUpT1CVeUJdDs0o5u19v0UJjunU1cwh9jsxBZAWLy
PAGd6SWf4S3uQCTw6dLeMna25YIlPh5qPA6I/pAahe8e3nSu2ckl
-----END RSA PRIVATE KEY-----
",
oidcServicePublicKeySig => oidcServicePublicKeySig =>
"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs2jsmIoFuWzMkilJaA8/\n/5/T30cnuzX9GImXUrFR2k9EKTMtGMHCdKlWOl3BV+BTAU9TLz7Jzd/iJ5GJ6B8T\nrH1PHFmHpy8/qE/S5OhinIpIi7ebABqnoVcwDdCa8ugzq8k8SWxhRNXfVIlwz4NH\n1caJ8lmiERFj7IvNKqEhzAk0pyDr8hubveTC39xREujKlsqutpPAFPJ3f2ybVsdy\nkX5rx0h5SslG3jVWYhZ/SOb2aIzOr0RMjhQmsYRwbpt3anjlBZ98aOzg7GAkbO80\n93X5VVk9vaPRg0zxJQ0Do0YLyzkRisSAIFb0tdKuDnjRGK6y/N2j6At2Hjkxntbt\nGQIDAQAB\n-----END PUBLIC KEY-----\n", "-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs2jsmIoFuWzMkilJaA8/
/5/T30cnuzX9GImXUrFR2k9EKTMtGMHCdKlWOl3BV+BTAU9TLz7Jzd/iJ5GJ6B8T
rH1PHFmHpy8/qE/S5OhinIpIi7ebABqnoVcwDdCa8ugzq8k8SWxhRNXfVIlwz4NH
1caJ8lmiERFj7IvNKqEhzAk0pyDr8hubveTC39xREujKlsqutpPAFPJ3f2ybVsdy
kX5rx0h5SslG3jVWYhZ/SOb2aIzOr0RMjhQmsYRwbpt3anjlBZ98aOzg7GAkbO80
93X5VVk9vaPRg0zxJQ0Do0YLyzkRisSAIFb0tdKuDnjRGK6y/N2j6At2Hjkxntbt
GQIDAQAB
-----END PUBLIC KEY-----
",
} }
} }
); );
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment