Commit a63918d2 authored by Clément OUDOT

Return session state for session management (#184)

parent d1136112
......@@ -583,6 +583,9 @@ sub issuerForAuthUser {
# Disable further reauthentication
$prompt =~ s/\blogin\b//;
$self->setHiddenFormValue( 'prompt', $prompt );
# Update session_id
$session_id = $self->{sessionInfo}->{_session_id} || $self->{id};
}
# Check openid scope
......@@ -795,6 +798,10 @@ sub issuerForAuthUser {
}
}
# Create session_state
my $session_state =
$self->createSessionState( $session_id, $client_id );
# Authorization Code Flow
if ( $flow eq "authorizationcode" ) {
......@@ -816,10 +823,11 @@ sub issuerForAuthUser {
);
# Build Response
my $response_url =
$self->buildAuthorizationCodeAuthnResponse(
my $response_url = $self->buildAuthorizationCodeAuthnResponse(
$oidc_request->{'redirect_uri'},
$code, $oidc_request->{'state'} );
$code, $oidc_request->{'state'},
$session_state
);
$self->lmLog( "Redirect user to $response_url", 'debug' );
$self->{'urldc'} = $response_url;
......@@ -916,11 +924,11 @@ sub issuerForAuthUser {
->{oidcRPMetaDataOptionsAccessTokenExpiration};
# Build Response
my $response_url =
$self->buildImplicitAuthnResponse(
my $response_url = $self->buildImplicitAuthnResponse(
$oidc_request->{'redirect_uri'},
$access_token, $id_token, $expires_in,
$oidc_request->{'state'} );
$access_token, $id_token, $expires_in, $oidc_request->{'state'},
$session_state
);
$self->lmLog( "Redirect user to $response_url", 'debug' );
$self->{'urldc'} = $response_url;
......@@ -1037,10 +1045,12 @@ sub issuerForAuthUser {
->{oidcRPMetaDataOptionsAccessTokenExpiration};
# Build Response
my $response_url =
$self->buildHybridAuthnResponse( $oidc_request->{'redirect_uri'},
my $response_url = $self->buildHybridAuthnResponse(
$oidc_request->{'redirect_uri'},
$code, $access_token, $id_token, $expires_in,
$oidc_request->{'state'} );
$oidc_request->{'state'},
$session_state
);
$self->lmLog( "Redirect user to $response_url", 'debug' );
$self->{'urldc'} = $response_url;
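Review bot: `my $session_state = $self->createSessionState( $session_id, $client_id );` runs before the flow dispatch without checking that `$session_id` is defined, so if neither `_session_id` nor `$self->{id}` is set the hash is taken over an undef component (uninitialized-value warning) and a meaningless session_state still reaches the RP, because the three response builders only skip the parameter when the value is false. Guarding the call, `my $session_state = $session_id ? $self->createSessionState( $session_id, $client_id ) : undef;`, keeps the parameter out of the response in that case. The same variable feeds the code, implicit and hybrid responses in the later hunks, so one guard covers all three. issuerForAuthUser starts and ends outside these hunks, and `$client_id` is assigned outside them as well.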
......
......@@ -282,14 +282,15 @@ sub buildAuthorizationCodeAuthnRequest {
return $authn_uri;
}
## @method String buildAuthorizationCodeAuthnResponse(String redirect_uri, String code, String state)
## @method String buildAuthorizationCodeAuthnResponse(String redirect_uri, String code, String state, String session_state)
# Build Authentication Response URI for Authorization Code Flow
# @param redirect_uri Redirect URI
# @param code Code
# @param state State
# @param session_state Session state
# return String Authentication Response URI
sub buildAuthorizationCodeAuthnResponse {
my ( $self, $redirect_uri, $code, $state ) = splice @_;
my ( $self, $redirect_uri, $code, $state, $session_state ) = splice @_;
my $response_url = $redirect_uri;
......@@ -301,19 +302,25 @@ sub buildAuthorizationCodeAuthnResponse {
$response_url .= "&state=" . uri_escape($state);
}
if ($session_state) {
$response_url .= "&session_state=" . uri_escape($session_state);
}
return $response_url;
}
## @method String buildImplicitAuthnResponse(String redirect_uri, String access_token, String id_token, String expires_in, String state)
## @method String buildImplicitAuthnResponse(String redirect_uri, String access_token, String id_token, String expires_in, String state, String session_state)
# Build Authentication Response URI for Implicit Flow
# @param redirect_uri Redirect URI
# @param access_token Access token
# @param id_token ID token
# @param expires_in Expiration of access token
# @param state State
# @param session_state Session state
# return String Authentication Response URI
sub buildImplicitAuthnResponse {
my ( $self, $redirect_uri, $access_token, $id_token, $expires_in, $state )
my ( $self, $redirect_uri, $access_token, $id_token, $expires_in, $state,
$session_state )
= splice @_;
my $response_url = $redirect_uri;
......@@ -333,10 +340,14 @@ sub buildImplicitAuthnResponse {
$response_url .= "&state=" . uri_escape($state);
}
if ($session_state) {
$response_url .= "&session_state=" . uri_escape($session_state);
}
return $response_url;
}
## @method String buildHybridAuthnResponse(String redirect_uri, String code, String access_token, String id_token, String expires_in, String state)
## @method String buildHybridAuthnResponse(String redirect_uri, String code, String access_token, String id_token, String expires_in, String state, String session_state)
# Build Authentication Response URI for Hybrid Flow
# @param redirect_uri Redirect URI
# @param code Code
......@@ -344,11 +355,13 @@ sub buildImplicitAuthnResponse {
# @param id_token ID token
# @param expires_in Expiration of access token
# @param state State
# @param session_state Session state
# return String Authentication Response URI
sub buildHybridAuthnResponse {
my ( $self, $redirect_uri, $code, $access_token, $id_token, $expires_in,
$state )
= splice @_;
my (
$self, $redirect_uri, $code, $access_token,
$id_token, $expires_in, $state, $session_state
) = splice @_;
my $response_url = $redirect_uri;
......@@ -371,6 +384,10 @@ sub buildHybridAuthnResponse {
$response_url .= "&state=" . uri_escape($state);
}
if ($session_state) {
$response_url .= "&session_state=" . uri_escape($session_state);
}
return $response_url;
}
......@@ -1356,6 +1373,22 @@ sub buildLogoutResponse {
return $response_url;
}
## @method String createSessionState(String session_id, String client_id)
# Create session_state parameter
# @param session_id Session ID
# @param client_id CLient ID
# return String Session state
sub createSessionState {
my ( $self, $session_id, $client_id ) = splice @_;
my $salt = encode_base64url( $self->{cipher}->encrypt($client_id) );
my $data = $client_id . " " . $session_id . " " . $salt;
my $session_state = sha256_base64($data) . "." . $salt;
return $session_state;
}
1;
__END__
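Review bot: In `createSessionState` the salt is `encode_base64url( $self->{cipher}->encrypt($client_id) )`, so its unpredictability depends entirely on whether that cipher randomises per call; if it is deterministic the salt is a fixed per-client value and session_state reduces to a hash of the session ID, whereas OpenID Connect Session Management expects an OP-generated random salt and its reference hash also covers the RP origin so that a check_session_iframe (not in this commit) can bind the value to the postMessage origin — worth confirming the iframe planned for #184 recomputes exactly this input string. The digest is standard base64 from `sha256_base64` while the salt is base64url, so the two halves of the value use different alphabets; `my $session_state = encode_base64url( sha256($data) ) . "." . $salt;` would make the whole token URL-safe instead of relying on `uri_escape` at each call site (assuming Digest::SHA's `sha256` is importable alongside `sha256_base64`). The `@param client_id CLient ID` line has a stray capital. The three identical `if ($session_state)` blocks in the response builders could share a small helper, but that is a style choice.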
......