Commit 0fa5cf26 authored by Clément OUDOT's avatar Clément OUDOT

Use max_age, ui_locales and acr_values (#183)

parent 01aec284
......@@ -37,6 +37,13 @@ has 'oidcOPMetaDataExportedVars' => (
documentation => "Exported vars for an OP",
);
has 'oidcOPMetaDataOptionsAcrValues' => (
is => 'rw',
isa => 'Str|Undef',
default => undef,
documentation => "OIDC OP acr_values",
);
has 'oidcOPMetaDataOptionsCheckJWTSignature' => (
is => 'rw',
isa => 'Bool',
......@@ -93,6 +100,13 @@ has 'oidcOPMetaDataOptionsJWKSTimeout' => (
documentation => "OIDC OP JWKS data refresh interval",
);
has 'oidcOPMetaDataOptionsMaxAge' => (
is => 'rw',
isa => 'Int|Undef',
default => undef,
documentation => "OIDC OP max_age",
);
has 'oidcOPMetaDataOptionsPrompt' => (
is => 'rw',
isa => 'Str|Undef',
......@@ -114,6 +128,13 @@ has 'oidcOPMetaDataOptionsTokenEndpointAuthMethod' => (
documentation => "OIDC OP scope",
);
has 'oidcOPMetaDataOptionsUiLocales' => (
is => 'rw',
isa => 'Str|Undef',
default => undef,
documentation => "OIDC OP ui_locales",
);
has 'oidcRPMetaDataExportedVars' => (
is => 'rw',
isa => 'HashRef',
......
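Review bot: The `oidcOPMetaDataOptionsMaxAge` attribute in the second hunk is typed `Int|Undef` and documented only as `OIDC OP max_age`, which leaves the unit and the consequence of the value undocumented, and a zero or negative integer is accepted by the type even though it would presumably make the auth_time check that consumes it fail for every token. Suggest `documentation => "OIDC OP max_age (seconds; also enforced against the ID token auth_time)"` and, if the schema supports it, a type that rejects negative values. The attribute declarations these hunks cut through continue outside SOURCE.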
......@@ -287,7 +287,7 @@ sub cstruct {
},
oidcOPMetaDataOptionsProtocol => {
_nodes => [
qw(oidcOPMetaDataOptionsScope oidcOPMetaDataOptionsDisplay oidcOPMetaDataOptionsPrompt oidcOPMetaDataOptionsTokenEndpointAuthMethod oidcOPMetaDataOptionsCheckJWTSignature)
qw(oidcOPMetaDataOptionsScope oidcOPMetaDataOptionsDisplay oidcOPMetaDataOptionsPrompt oidcOPMetaDataOptionsMaxAge oidcOPMetaDataOptionsUiLocales oidcOPMetaDataOptionsAcrValues oidcOPMetaDataOptionsTokenEndpointAuthMethod oidcOPMetaDataOptionsCheckJWTSignature)
],
oidcOPMetaDataOptionsScope =>
"text:/oidcOPMetaDataOptions/$k2/oidcOPMetaDataOptionsScope",
......@@ -295,6 +295,12 @@ sub cstruct {
"text:/oidcOPMetaDataOptions/$k2/oidcOPMetaDataOptionsDisplay",
oidcOPMetaDataOptionsPrompt =>
"text:/oidcOPMetaDataOptions/$k2/oidcOPMetaDataOptionsPrompt",
oidcOPMetaDataOptionsMaxAge =>
"text:/oidcOPMetaDataOptions/$k2/oidcOPMetaDataOptionsMaxAge",
oidcOPMetaDataOptionsUiLocales =>
"text:/oidcOPMetaDataOptions/$k2/oidcOPMetaDataOptionsUiLocales",
oidcOPMetaDataOptionsAcrValues =>
"text:/oidcOPMetaDataOptions/$k2/oidcOPMetaDataOptionsAcrValues",
oidcOPMetaDataOptionsTokenEndpointAuthMethod =>
"text:/oidcOPMetaDataOptions/$k2/oidcOPMetaDataOptionsTokenEndpointAuthMethod",
oidcOPMetaDataOptionsCheckJWTSignature =>
......
......@@ -271,6 +271,7 @@ sub en {
oidcOPMetaDataJWKS => 'JWKS data',
oidcOPMetaDataNode => 'OpenID Connect Providers',
oidcOPMetaDataOptions => 'Options',
oidcOPMetaDataOptionsAcrValues => 'ACR values',
oidcOPMetaDataOptionsCheckJWTSignature => 'Check JWT signature',
oidcOPMetaDataOptionsClientID => 'Client ID',
oidcOPMetaDataOptionsClientSecret => 'Client secret',
......@@ -280,16 +281,18 @@ sub en {
oidcOPMetaDataOptionsDisplayName => 'Display name',
oidcOPMetaDataOptionsIcon => 'Logo',
oidcOPMetaDataOptionsJWKSTimeout => 'JWKS data timeout',
oidcOPMetaDataOptionsMaxAge => 'Max age',
oidcOPMetaDataOptionsPrompt => 'Prompt',
oidcOPMetaDataOptionsProtocol => 'Protocol',
oidcOPMetaDataOptionsScope => 'Scope',
oidcOPMetaDataOptionsTokenEndpointAuthMethod =>
'Token endpoint authentication method',
oidcParams => 'OpenID Connect parameters',
oidcRPCallbackGetParam => 'Callback GET parameter',
oidcRPMetaDataExportedVars => 'Exported attributes',
oidcRPMetaDataNode => 'OpenID Connect Relying Parties',
oidcRPMetaDataOptions => 'Options',
oidcOPMetaDataOptionsUiLocales => 'UI locales',
oidcParams => 'OpenID Connect parameters',
oidcRPCallbackGetParam => 'Callback GET parameter',
oidcRPMetaDataExportedVars => 'Exported attributes',
oidcRPMetaDataNode => 'OpenID Connect Relying Parties',
oidcRPMetaDataOptions => 'Options',
oidcRPMetaDataOptionsAccessTokenExpiration => 'Access Token expiration',
oidcRPMetaDataOptionsAuthentication => 'Authentication',
oidcRPMetaDataOptionsClientID => 'Client ID',
......@@ -835,6 +838,7 @@ sub fr {
oidcOPMetaDataJWKS => 'Données JWKS',
oidcOPMetaDataNode => 'Fournisseurs OpenID Connect',
oidcOPMetaDataOptions => 'Options',
oidcOPMetaDataOptionsAcrValues => 'Valeurs ACR',
oidcOPMetaDataOptionsCheckJWTSignature =>
'Vérifier la signature des jetons',
oidcOPMetaDataOptionsClientID => 'Identifiant',
......@@ -845,16 +849,18 @@ sub fr {
oidcOPMetaDataOptionsDisplayName => 'Nom d\'affichage',
oidcOPMetaDataOptionsIcon => 'Logo',
oidcOPMetaDataOptionsJWKSTimeout => 'Durée de vie des données JWKS',
oidcOPMetaDataOptionsMaxAge => 'Âge maximum',
oidcOPMetaDataOptionsPrompt => 'Interaction',
oidcOPMetaDataOptionsProtocol => 'Protocole',
oidcOPMetaDataOptionsScope => 'Étendue',
oidcOPMetaDataOptionsTokenEndpointAuthMethod =>
'Méthode d\'authentification pour l\'accès aux jetons',
oidcParams => 'Paramètres OpenID Connect',
oidcRPCallbackGetParam => 'Paramètre GET callback',
oidcRPMetaDataExportedVars => 'Attributs exportés',
oidcRPMetaDataNode => 'Relais OpenID Connect',
oidcRPMetaDataOptions => 'Options',
oidcOPMetaDataOptionsUiLocales => 'Locales UI',
oidcParams => 'Paramètres OpenID Connect',
oidcRPCallbackGetParam => 'Paramètre GET callback',
oidcRPMetaDataExportedVars => 'Attributs exportés',
oidcRPMetaDataNode => 'Relais OpenID Connect',
oidcRPMetaDataOptions => 'Options',
oidcRPMetaDataOptionsAccessTokenExpiration =>
"Expiration des jetons d'accès",
oidcRPMetaDataOptionsAuthentication => 'Authentification',
......
......@@ -237,6 +237,12 @@ sub buildAuthorizationCodeAuthnRequest {
$self->{oidcOPMetaDataOptions}->{$op}->{oidcOPMetaDataOptionsDisplay};
my $prompt =
$self->{oidcOPMetaDataOptions}->{$op}->{oidcOPMetaDataOptionsPrompt};
my $max_age =
$self->{oidcOPMetaDataOptions}->{$op}->{oidcOPMetaDataOptionsMaxAge};
my $ui_locales =
$self->{oidcOPMetaDataOptions}->{$op}->{oidcOPMetaDataOptionsUiLocales};
my $acr_values =
$self->{oidcOPMetaDataOptions}->{$op}->{oidcOPMetaDataOptionsAcrValues};
$client_id = uri_escape($client_id);
$scope = uri_escape($scope);
......@@ -246,6 +252,9 @@ sub buildAuthorizationCodeAuthnRequest {
$nonce = uri_escape($nonce);
$display = uri_escape($display) if defined $display;
$prompt = uri_escape($prompt) if defined $prompt;
$max_age = uri_escape($max_age) if defined $max_age;
$ui_locales = uri_escape($ui_locales) if defined $ui_locales;
$acr_values = uri_escape($acr_values) if defined $acr_values;
my $authn_uri = $authorize_uri;
$authn_uri .= ( $authorize_uri =~ /\?/ ? '&' : '?' );
......@@ -253,10 +262,13 @@ sub buildAuthorizationCodeAuthnRequest {
$authn_uri .= "&client_id=$client_id";
$authn_uri .= "&scope=$scope";
$authn_uri .= "&redirect_uri=$redirect_uri";
$authn_uri .= "&state=$state" if defined $state;
$authn_uri .= "&nonce=$nonce" if defined $nonce;
$authn_uri .= "&display=$display" if defined $display;
$authn_uri .= "&prompt=$prompt" if defined $prompt;
$authn_uri .= "&state=$state" if defined $state;
$authn_uri .= "&nonce=$nonce" if defined $nonce;
$authn_uri .= "&display=$display" if defined $display;
$authn_uri .= "&prompt=$prompt" if defined $prompt;
$authn_uri .= "&max_age=$max_age" if defined $max_age;
$authn_uri .= "&ui_locales=$ui_locales" if defined $ui_locales;
$authn_uri .= "&acr_values=$acr_values" if defined $acr_values;
$self->lmLog(
"OpenIDConnect Authorization Code Flow Authn Request: $authn_uri",
......@@ -451,6 +463,10 @@ sub checkIDTokenValidity {
my $client_id =
$self->{oidcOPMetaDataOptions}->{$op}->{oidcOPMetaDataOptionsClientID};
my $acr_values =
$self->{oidcOPMetaDataOptions}->{$op}->{oidcOPMetaDataOptionsAcrValues};
my $max_age =
$self->{oidcOPMetaDataOptions}->{$op}->{oidcOPMetaDataOptionsMaxAge};
# Check issuer
unless ( $id_token->{iss} eq $self->{_oidcOPList}->{$op}->{conf}->{issuer} )
......@@ -470,7 +486,7 @@ sub checkIDTokenValidity {
if ( $#audience > 1 ) {
unless ( $id_token->{azp} eq $client_id ) {
$self->lmLog(
"More than one audiance, and azp not equal to client ID",
"More than one audience, and azp not equal to client ID",
'error' );
return 0;
}
......@@ -510,9 +526,36 @@ sub checkIDTokenValidity {
}
# TODO check acr
# Check acr
my $acr = $id_token->{acr};
if ( defined $acr_values ) {
unless ($acr) {
$self->lmLog( "ACR was not returned by OP $op", 'error' );
return 0;
}
unless ( $acr_values =~ /\b$acr\b/i ) {
$self->lmLog(
"ACR $acr not listed in request ACR values ($acr_values)",
'error' );
return 0;
}
}
# TODO check auth_time
# Check auth_time
my $auth_time = $id_token->{auth_time};
if ( defined $max_age ) {
unless ($auth_time) {
$self->lmLog( "Auth time was not returned by OP $op", 'error' );
return 0;
}
if ( $auth_time + $max_age > time ) {
$self->lmLog(
"Authentication time ($auth_time) is too old (Max age: $max_age)",
'error'
);
return 0;
}
}
return 1;
}
......
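Review bot: The auth_time comparison `if ( $auth_time + $max_age > time )` in the last hunk is inverted: a login performed moments ago has `auth_time + max_age` greater than the current time, so fresh authentications are rejected while ones older than max_age pass; it should read `if ( $auth_time + $max_age < time )`. The acr check above it interpolates the token's `acr` value into a regex unescaped and case-insensitively, and since `\b` treats the `:` in URN-style values as a word boundary, an acr of `silver` would be accepted against a configured `urn:mace:incommon:iap:silver`; acr_values is a space-separated list of exact, case-sensitive strings, so compare list members instead: `unless ( grep { $_ eq $acr } split /\s+/, $acr_values )`. checkIDTokenValidity begins outside this hunk, so these checks are presumably reached only after the signature and issuer checks earlier in the function.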