Commit ad2c67c2 authored by Clément OUDOT's avatar Clément OUDOT

Support Request URI (#184)

parent 159f71fd
......@@ -69,10 +69,10 @@ $configuration->{token_endpoint_auth_methods_supported} =
# $configuration->{claims_locales_supported}
# $configuration->{ui_locales_supported}
# $configuration->{claims_parameter_supported}
$configuration->{request_parameter_supported} = "true";
$configuration->{request_uri_parameter_supported} = "false";
$configuration->{request_parameter_supported} = "true";
$configuration->{request_uri_parameter_supported} = "true";
$configuration->{require_request_uri_registration} = "false";
# $configuration->{require_request_uri_registration}
# $configuration->{op_policy_uri}
# $configuration->{op_tos_uri}
......
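Review bot: Defaulting `require_request_uri_registration` to "false" on the line right after `request_uri_parameter_supported = "true"` announces that the OP will dereference request_uri values that were never registered, and the new getRequestJWT in the library hunk below does exactly that with no lookup against RP metadata, so the authorization endpoint ends up issuing outbound HTTP requests to whatever address a client places in the parameter. I would ship the default as `$configuration->{require_request_uri_registration} = "true";` and have getRequestJWT refuse any URI that is not in the RP's registered list before fetching (no such per-RP option exists on this page, so it would be new RP metadata). The commented template entry `# $configuration->{require_request_uri_registration}` that follows is now redundant with the live assignment and can be dropped.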
......@@ -53,7 +53,7 @@ sub issuerForUnAuthUser {
# Get and save parameters
my $oidc_request = {};
foreach my $param (
qw/response_type scope client_id state redirect_uri nonce response_mode display prompt max_age ui_locales id_token_hint login_hint acr_values request/
qw/response_type scope client_id state redirect_uri nonce response_mode display prompt max_age ui_locales id_token_hint login_hint acr_values request request_uri/
)
{
$oidc_request->{$param} = $self->getHiddenFormValue($param)
......@@ -76,7 +76,20 @@ sub issuerForUnAuthUser {
"OIDC $flow flow requested (response type: $response_type)",
'debug' );
# Extract request parameter
# Extract request_uri/request parameter
if ( $oidc_request->{'request_uri'} ) {
my $request =
$self->getRequestJWT( $oidc_request->{'request_uri'} );
if ($request) {
$oidc_request->{'request'} = $request;
}
else {
$self->lmLog( "Error with Request URI resolution", 'error' );
return PE_ERROR;
}
}
if ( $oidc_request->{'request'} ) {
my $request = $self->getJWTJSONData( $oidc_request->{'request'} );
......@@ -514,7 +527,7 @@ sub issuerForAuthUser {
# Get and save parameters
my $oidc_request = {};
foreach my $param (
qw/response_type scope client_id state redirect_uri nonce response_mode display prompt max_age ui_locales id_token_hint login_hint acr_valuesi request/
qw/response_type scope client_id state redirect_uri nonce response_mode display prompt max_age ui_locales id_token_hint login_hint acr_valuesi request request_uri/
)
{
$oidc_request->{$param} = $self->getHiddenFormValue($param)
......@@ -537,7 +550,20 @@ sub issuerForAuthUser {
"OIDC $flow flow requested (response type: $response_type)",
'debug' );
# Extract request parameter
# Extract request_uri/request parameter
if ( $oidc_request->{'request_uri'} ) {
my $request =
$self->getRequestJWT( $oidc_request->{'request_uri'} );
if ($request) {
$oidc_request->{'request'} = $request;
}
else {
$self->lmLog( "Error with Request URI resolution", 'error' );
return PE_ERROR;
}
}
if ( $oidc_request->{'request'} ) {
my $request = $self->getJWTJSONData( $oidc_request->{'request'} );
......
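Review bot: When a request carries both `request` and `request_uri`, the new block in issuerForUnAuthUser overwrites the inline `request` value with the fetched one (`$oidc_request->{'request'} = $request;`) instead of rejecting the request, so the two parameters are silently merged rather than treated as mutually exclusive as I read OpenID Connect Core; a guard such as `return PE_ERROR if $oidc_request->{'request'} and $oidc_request->{'request_uri'};` ahead of the fetch would close that. The same eleven-line block is copied verbatim into issuerForAuthUser, so either both should call one shared helper or any fix has to be applied twice. The rewritten parameter list in issuerForAuthUser still reads `acr_valuesi` where issuerForUnAuthUser reads `acr_values`, so acr_values is never captured on the authenticated path; the typo predates this commit, but the line is being replaced anyway. Both enclosing subs start and end outside the hunks shown.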
......@@ -814,12 +814,14 @@ sub verifyJWTSignature {
# Check signature with client secret
my $client_secret;
$client_secret =
$client_secret =
$self->{oidcOPMetaDataOptions}->{$op}
->{oidcOPMetaDataOptionsClientSecret} if $op;
$client_secret =
->{oidcOPMetaDataOptionsClientSecret}
if $op;
$client_secret =
$self->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsClientSecret} if $rp;
->{oidcRPMetaDataOptionsClientSecret}
if $rp;
my $digest;
......@@ -856,10 +858,10 @@ sub verifyJWTSignature {
if ( $alg eq "RS256" or $alg eq "RS384" or $alg eq "RS512" ) {
if ($rp) {
$self->lmLog( "Algorithm $alg not supported", 'debug' );
return 0;
}
if ($rp) {
$self->lmLog( "Algorithm $alg not supported", 'debug' );
return 0;
}
# The public key is needed
unless ( $self->{_oidcOPList}->{$op}->{jwks} ) {
......@@ -1426,6 +1428,23 @@ sub createSessionState {
return $session_state;
}
## @method String getRequestJWT(String request_uri)
# Get request JWT from request uri
# @param request_uri request uri
# return String request JWT
sub getRequestJWT {
my ( $self, $request_uri ) = splice @_;
my $response = $self->ua->get($request_uri);
if ( $response->is_error ) {
$self->lmLog( "Unable to get request JWT on $request_uri", 'error' );
return;
}
return $response->decoded_content;
}
1;
__END__
......
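Review bot: getRequestJWT hands the caller-supplied `$request_uri` straight to `$self->ua->get` with no check on the URI's scheme, host or response size and returns the body verbatim as the request JWT; Core 6.2 as I read it requires https for request_uri unless the Request Object is verifiably signed, so at minimum add `return unless $request_uri =~ m{\Ahttps://}i;` before the fetch and, if `ua` is an LWP::UserAgent, set `timeout` and `max_size` on it so one slow or oversized document cannot stall the authorization endpoint. The fetched content is only as trustworthy as the signature check applied afterwards, which happens outside this sub (presumably in getJWTJSONData/verifyJWTSignature, not visible here), so a comment on the return line saying the value is unverified would stop callers treating it as trusted. Minor: `my ( $self, $request_uri ) = splice @_;` is an odd spelling of `my ( $self, $request_uri ) = @_;`, and the header comment's `# return String request JWT` should be `# @return String request JWT` to match the `@param` tag above it.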