Commit 85650ae3 authored by Clément OUDOT's avatar Clément OUDOT

Start implementation of OIDC logout (#184)

parent 3f741d53
......@@ -760,7 +760,7 @@ has 'oidcServiceMetaDataAuthnContext' => (
'loa-5' => 5
};
},
documentation => 'WebID exported variables',
documentation => 'OpenID Connect Authentication Context Class Ref',
);
has 'oidcServiceMetaDataAuthorizeURI' => (
......@@ -770,6 +770,13 @@ has 'oidcServiceMetaDataAuthorizeURI' => (
documentation => 'OpenID Connect authorizaton endpoint',
);
has 'oidcServiceMetaDataEndSessionURI' => (
is => 'rw',
isa => 'Str',
default => 'logout',
documentation => 'OpenID Connect end session endpoint',
);
has 'oidcServiceMetaDataIssuer' => (
is => 'rw',
isa => 'Str',
......
......@@ -1612,7 +1612,7 @@ sub struct {
oidcServiceMetaDataEndPoints => {
_nodes => [
qw(oidcServiceMetaDataAuthorizeURI oidcServiceMetaDataTokenURI oidcServiceMetaDataUserInfoURI oidcServiceMetaDataJWKSURI oidcServiceMetaDataRegistrationURI)
qw(oidcServiceMetaDataAuthorizeURI oidcServiceMetaDataTokenURI oidcServiceMetaDataUserInfoURI oidcServiceMetaDataJWKSURI oidcServiceMetaDataRegistrationURI oidcServiceMetaDataEndSessionURI)
],
oidcServiceMetaDataAuthorizeURI =>
......@@ -1625,6 +1625,8 @@ sub struct {
'text:/oidcServiceMetaDataJWKSURI',
oidcServiceMetaDataRegistrationURI =>
'text:/oidcServiceMetaDataRegistrationURI',
oidcServiceMetaDataEndSessionURI =>
'text:/oidcServiceMetaDataEndSessionURI',
},
oidcServiceMetaDataAuthnContext => {
......
......@@ -309,6 +309,7 @@ sub en {
oidcServiceMetaData => 'OpenID Connect Service',
oidcServiceMetaDataAuthorizeURI => 'Autorization',
oidcServiceMetaDataEndPoints => 'End points',
oidcServiceMetaDataEndSessionURI => 'End session',
oidcServiceMetaDataIssuer => 'Issuer identifier',
oidcServiceMetaDataJWKSURI => 'JWKS',
oidcServiceMetaDataRegistrationURI => 'Registration',
......@@ -881,6 +882,7 @@ sub fr {
oidcServiceMetaData => "Service OpenID Connect",
oidcServiceMetaDataAuthorizeURI => "Autorisation",
oidcServiceMetaDataEndPoints => "Points d'accès",
oidcServiceMetaDataEndSessionURI => 'Fin de session',
oidcServiceMetaDataIssuer => "Identifiant du fournisseur",
oidcServiceMetaDataJWKSURI => 'JWKS',
oidcServiceMetaDataRegistrationURI => 'Enregistrement',
......
......@@ -36,6 +36,7 @@ sub issuerForUnAuthUser {
my $userinfo_uri = $self->{oidcServiceMetaDataUserInfoURI};
my $jwks_uri = $self->{oidcServiceMetaDataJWKSURI};
my $registration_uri = $self->{oidcServiceMetaDataRegistrationURI};
my $endsession_uri = $self->{oidcServiceMetaDataEndSessionURI};
my $issuer = $self->{oidcServiceMetaDataIssuer};
# Called URL
......@@ -423,6 +424,40 @@ sub issuerForUnAuthUser {
$self->quit;
}
# END SESSION
if ( $url_path =~ m#${issuerDBOpenIDConnectPath}${endsession_uri}# ) {
$self->lmLog( "URL $url detected as an OpenID Connect END SESSION URL",
'debug' );
# Check that we are in an inactive session
unless ( $self->{id} ) {
$self->lmLog( "User is already logged out", 'debug' );
my $post_logout_redirect_uri =
$self->param('post_logout_redirect_uri');
my $state = $self->param('state');
if ($post_logout_redirect_uri) {
# Build Response
my $response_url =
$self->buildLogoutResponse( $post_logout_redirect_uri,
$state );
$self->lmLog( "Redirect user to $response_url", 'debug' );
$self->{'urldc'} = $response_url;
$self->_sub('autoRedirect');
}
return PE_LOGOUT_OK;
}
return PE_OK;
}
PE_OK;
}
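Review bot: The `post_logout_redirect_uri` request parameter is used as the redirect target (`$self->{'urldc'} = $response_url`) without being checked against any registered post-logout redirect URI for a known relying party, so an unauthenticated request to the end-session endpoint yields an open redirect to an arbitrary URL. The redirect should only happen when the supplied URI matches a value registered for the relying party (looked up from the existing OIDC RP configuration, which is not visible in this hunk); otherwise log the mismatch at the `lmLog` call and return `PE_LOGOUT_OK` without setting `urldc`. The endpoint match `m#${issuerDBOpenIDConnectPath}${endsession_uri}#` is unanchored and interpolates the configured path unquoted; `m#^${issuerDBOpenIDConnectPath}\Q${endsession_uri}\E#` would match only the intended path. The comment `# Check that we are in an inactive session` would read more accurately as `# Only the unauthenticated case is handled here; an active session falls through to PE_OK`. issuerForUnAuthUser starts outside this hunk.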
......
......@@ -1297,6 +1297,24 @@ sub key2jwks {
return $hash;
}
## @method String buildLogoutResponse(String redirect_uri, String state)
# Build Logout Response URI
# @param redirect_uri Redirect URI
# @param state State
# return String Logout URI
sub buildLogoutResponse {
my ( $self, $redirect_uri, $state ) = splice @_;
my $response_url = $redirect_uri;
if ($state) {
$response_url .= ( $redirect_uri =~ /\?/ ? '&' : '?' );
$response_url .= "state=" . uri_escape($state);
}
return $response_url;
}
1;
__END__
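Review bot: `if ($state)` drops a legitimately supplied state of `0` or `"0"`, so the relying party would not get it echoed back; `if ( defined $state && length $state )` preserves it. The argument unpacking `my ( $self, $redirect_uri, $state ) = splice @_;` is an unusual spelling of `my ( $self, $redirect_uri, $state ) = @_;` and would be clearer as the latter. Note also that the query-separator test `$redirect_uri =~ /\?/` does not account for a fragment in the redirect URI, so a URI ending in `#...` would have `state` appended after the fragment; worth a `# NOTE: fragment in redirect_uri is not handled` comment until that is addressed. Whether `uri_escape` is imported in this file cannot be seen from the hunk.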
......@@ -1446,6 +1464,10 @@ Return sub field of an ID Token
Return JWKS representation of a key
=head2 buildLogoutResponse
Build Logout Response URI
=head1 SEE ALSO
L<Lemonldap::NG::Portal::AuthOpenIDConnect>, L<Lemonldap::NG::Portal::UserDBOpenIDConnect>
......