Lemonldap-NG-Portal
view release on metacpan or search on metacpan
t/32-OIDC-Code-Flow-with-2F.t
t/32-OIDC-Double-Keys-without-kid.t
t/32-OIDC-Double-Keys.t
t/32-OIDC-Grant-Type-OAuth2-Handler-Rules.t
t/32-OIDC-Grant-Type-Rules.t
t/32-OIDC-Hook-GetRpConfig.t
t/32-OIDC-Hooks.t
t/32-OIDC-ID-Token.t
t/32-OIDC-JWE.t
t/32-OIDC-JWS-client_secret_jwt.t
t/32-OIDC-JWS-private_key_jwt.t
t/32-OIDC-JWT-type-header.t
t/32-OIDC-login_hint.t
t/32-OIDC-Logout-from-RP-bypass-confirm.t
t/32-OIDC-Logout-redirect-uri-not-allowed.t
t/32-OIDC-Logout-unauth.t
t/32-OIDC-Macro.t
t/32-OIDC-Metadata.t
t/32-OIDC-Native-SSO.t
t/32-OIDC-no-Metadata.t
t/32-OIDC-Offline-Session.t
t/32-OIDC-Password-Grant-with-Bruteforce-and-Choice.t
t/32-OIDC-Password-Grant.t
t/32-OIDC-prompt-none.t
t/32-OIDC-redirect_uri-filter.t
t/32-OIDC-Refresh-Token.t
t/32-OIDC-Register-with-bad-redirect-uri.t
t/32-OIDC-Register.t
t/32-OIDC-Request-Uri.t
t/32-OIDC-Response-Modes.t
t/32-OIDC-RP-rule.t
t/32-OIDC-strict-JWS-private_key_jwt.t
t/32-OIDC-Token-Exchange.t
t/32-OIDC-Token-Introspection.t
t/32-OIDC-Token-Security.t
t/32-RemoveOIDCToken.t
t/33-Auth-and-issuer-OpenID2.t
t/34-Auth-Proxy-and-REST-Server.t
t/34-Auth-Proxy-and-REST-sessions.t
t/34-Auth-Proxy-and-SOAP-Server.t
t/35-My-session.t
t/35-REST-auth-password-server.t
lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm view on Meta::CPAN
my $authMethod;
if ( $oidc_request->{'request'} ) {
if ( my ( $request, $alg ) =
$self->decodeJWT( $oidc_request->{'request'}, undef, $rp ) )
{
$self->logger->debug("JWT signature request verified");
$authMethod =
$alg =~ /^HS/i
? 'client_secret_jwt'
: 'private_key_jwt';
# Override OIDC parameters by request content
foreach ( keys %$request ) {
$self->logger->debug( "Override $_ OIDC param"
. " by value present in request parameter" );
if ( $_ eq "client_id" or $_ eq "response_type" ) {
if ( $oidc_request->{$_} ne $request->{$_} ) {
return $self->_failAuthorize(
$req,
lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm view on Meta::CPAN
'token_endpoint'" . " in JSON metadata for OP $op"
);
return 0;
}
my $auth_method =
$self->opOptions->{$op}->{oidcOPMetaDataOptionsTokenEndpointAuthMethod}
|| 'client_secret_post';
unless ( $auth_method =~
/^(?:client_secret_(?:(?:pos|jw)t|basic)|private_key_jwt)$/ )
{
$self->logger->error(
"Bad authentication method on token endpoint for OP $op");
return 0;
}
$self->logger->debug(
"Using auth method $auth_method to token endpoint $access_token_uri");
my $response;
lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm view on Meta::CPAN
"Authorization" => "Basic "
. encode_base64( "$client_id:$client_secret", '' ),
"Content-Type" => 'application/x-www-form-urlencoded',
);
}
else {
if ( $auth_method eq "client_secret_post" ) {
$token_request_params->{client_id} = $client_id;
$token_request_params->{client_secret} = $client_secret;
}
elsif ( $auth_method =~ /^(?:client_secret|private_key)_jwt$/ ) {
my $alg = $self->opOptions->{$op}
->{oidcOPMetaDataOptionsTokenEndpointAuthSigAlg};
if ( !$alg ) {
my $default_signing_key_type =
$self->_getKeyType(
$self->get_public_key("default-oidc-sig") );
$alg =
$auth_method eq 'client_secret_jwt' ? 'HS256'
lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm view on Meta::CPAN
{
# Signature must be valid
my ( $jwt, $alg ) =
$self->decodeJWT( $jws, undef, $rp );
if ($jwt) {
$scheme =
$alg =~ /^HS/i
? 'client_secret_jwt'
: 'private_key_jwt';
# Token must be time-valid
if ( $jwt->{aud} and $jwt->{exp} ) {
if ( time < $jwt->{exp} ) {
$self->logger->debug("JWS is valid");
# Then export the client_id !
$client_id = $_clientId;
}
else {
lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm view on Meta::CPAN
}
# c) asymetric algorithms
else {
my $key_list =
$isRp
? $self->opOptions->{$partner}->{oidcOPMetaDataOptionsSigningKey}
: $self->rpOptions->{$partner}->{oidcRPMetaDataOptionsSigningKey};
$key_list ||= $self->conf->{oidcServiceSignatureKey};
my $key_id = ( split( /\s*,\s*/, $key_list ) )[0];
my $priv_key = $self->get_private_key($key_id);
unless ($priv_key) {
$self->logger->error(
"Algorithm $alg needs a Private Key to sign JWT");
return;
}
my $key_type = $self->_getKeyType($priv_key);
my $required_key_type = $self->_getRequiredKeyTypeForAlg($alg);
if ( $required_key_type and $key_type ne $required_key_type ) {
lib/Lemonldap/NG/Portal/Lib/SAML.pm view on Meta::CPAN
return 1;
}
# METHODS
sub loadService {
my ($self) = @_;
# Check if certificate is available
my $signing_key =
$self->get_private_key( $self->_get_default_signing_key_name );
unless ($signing_key) {
$self->logger->error(
'SAML private and public key not found in configuration');
return 0;
}
my $serviceCertificate;
if ( $self->conf->{samlServiceUseCertificateInResponse}
and $signing_key->{public} =~ /CERTIFICATE/ )
{
lib/Lemonldap/NG/Portal/Lib/SAML.pm view on Meta::CPAN
}
# Get metadata from configuration
$self->logger->debug("Get Metadata for this service");
my $metadata = $self->_get_metadata_xml( undef, "all" );
$self->logger->debug("Create Lasso server");
my $encryption_key =
$self->get_private_key( $self->_get_default_encryption_key_name );
# Create Lasso server with service metadata
my $server = $self->createServer(
$metadata,
$signing_key->{private},
$signing_key->{password},
# use signature cert for encryption unless defined
(
$encryption_key
lib/Lemonldap/NG/Portal/Lib/SAML.pm view on Meta::CPAN
if ( $error->{code} ) {
$self->p->lmLog(
"Lasso error code " . $error->{code} . ": " . $error->{message},
$level );
return ( 0, $error->{code} );
}
return ( 1, undef );
}
## @method Lasso::Server createServer(string metadata, string private_key, string private_key_password, string private_key_enc, string private_key_enc_password, string certificate)
# Load service metadata and create Lasso::Server object
# @param metadata SAML metadata
# @param private_key private key
# @param private_key_password optional private key password
# @param private_key_enc optional private key for encryption
# @param private_key_enc_password optional private key password for encryption
# @param certificate optional certificate
# @return Lasso::Server object
sub createServer {
my ( $self, $metadata, $private_key, $private_key_password,
$private_key_enc, $private_key_enc_password, $certificate )
= @_;
my $server;
# https://dev.entrouvert.org/issues/51415
my $save_env = $ENV{'SSL_CERT_FILE'};
$ENV{'SSL_CERT_FILE'} = "/dev/null";
eval {
$server = Lasso::Server::new_from_buffers( $metadata, $private_key,
$private_key_password, $certificate );
# Set private key for encryption
if ( $server && $private_key_enc ) {
Lasso::Server::set_encryption_private_key_with_password( $server,
$private_key_enc, $private_key_enc_password );
}
};
if ( defined $save_env ) {
$ENV{'SSL_CERT_FILE'} = $save_env;
}
else {
delete $ENV{'SSL_CERT_FILE'};
}
lib/Lemonldap/NG/Portal/Lib/SAML.pm view on Meta::CPAN
}
## @method boolean setProviderSignatureMethod(Lasso::Provider provider, int signature_method)
# Set signature method on a provider
# @param provider Lasso::Provider object
# @param signature_method Lasso signature method
# @return result
sub setProviderSignatureMethod {
my ( $self, $provider, $signature_method ) = @_;
my $key = $self->get_private_key( $self->_get_default_signing_key_name );
return $self->setProviderSignatureOptions( $provider, $signature_method,
$key );
}
sub setProviderSignatureOptions {
my ( $self, $provider, $signature_method, $key ) = @_;
# We have to use an intermediate variable to avoid interferences between
# Lasso binding and tied hashes (#3105)
my $priv = $key->{private};
lib/Lemonldap/NG/Portal/Lib/SAML.pm view on Meta::CPAN
= @_;
if ( $signature_method or $signature_key_list ) {
$signature_key_list //= "";
my $signature_key = ( split( /\s*,\s*/, $signature_key_list ) )[0];
$signature_method ||= $self->getDefaultSignatureMethod;
my $lasso_signature_method =
$self->getSignatureMethod($signature_method);
$signature_key ||= $self->_get_default_signing_key_name;
my $key = $self->get_private_key($signature_key);
# Fallback to default key if custom key was not found
if ( !$key ) {
$signature_key = $self->_get_default_signing_key_name;
$key = $self->get_private_key($signature_key);
}
$self->logger->debug( "Setting signature key $signature_key"
. " and signature method $signature_method"
. " on $log_description" );
unless (
$self->setProviderSignatureOptions(
$self->lassoServer->get_provider($entityID),
$lasso_signature_method, $key
t/32-OIDC-JWS-private_key_jwt.t view on Meta::CPAN
oidcOPMetaDataOptionsCheckJWTSignature => 1,
oidcOPMetaDataOptionsJWKSTimeout => 0,
oidcOPMetaDataOptionsScope => "openid profile",
oidcOPMetaDataOptionsStoreIDToken => 0,
oidcOPMetaDataOptionsDisplay => "",
oidcOPMetaDataOptionsClientID => "rpid",
oidcOPMetaDataOptionsConfigurationURI =>
"https://auth.op.com/.well-known/openid-configuration",
oidcOPMetaDataOptionsAuthnEndpointAuthMethod => 'jws',
oidcOPMetaDataOptionsTokenEndpointAuthMethod =>
'private_key_jwt',
}
},
oidcServicePrivateKeySig => oidc_key_op_private_sig,
oidcServicePublicKeySig => oidc_cert_op_public_sig,
oidcServiceKeyIdSig => 'aabbcc',
oidcOPMetaDataJWKS => {
op => $jwks,
},
oidcOPMetaDataJSON => {
op => $metadata,
t/32-OIDC-bad-auth-method.t view on Meta::CPAN
op => {
oidcOPMetaDataOptionsCheckJWTSignature => 1,
oidcOPMetaDataOptionsJWKSTimeout => 0,
oidcOPMetaDataOptionsScope => "openid profile",
oidcOPMetaDataOptionsStoreIDToken => 0,
oidcOPMetaDataOptionsDisplay => "",
oidcOPMetaDataOptionsClientID => "rpid",
oidcOPMetaDataOptionsConfigurationURI =>
"https://auth.op.com/.well-known/openid-configuration",
oidcOPMetaDataOptionsTokenEndpointAuthMethod =>
'private_key_jwt',
}
},
oidcServicePrivateKeySig => oidc_key_op_private_sig,
oidcServicePublicKeySig => oidc_cert_op_public_sig,
oidcServiceKeyIdSig => 'aabbcc',
oidcOPMetaDataJWKS => {
op => $jwks,
},
oidcOPMetaDataJSON => {
op => $metadata,
t/32-OIDC-strict-JWS-private_key_jwt.t view on Meta::CPAN
name => "cn"
}
},
oidcServiceAllowHybridFlow => 1,
oidcServiceAllowImplicitFlow => 1,
oidcServiceAllowAuthorizationCodeFlow => 1,
oidcRPMetaDataOptions => {
rp => {
oidcRPMetaDataOptionsDisplayName => "RP",
oidcRPMetaDataOptionsClientID => "rpid",
oidcRPMetaDataOptionsAuthMethod => 'private_key_jwt',
oidcRPMetaDataOptionsAuthRequiredForAuthorize => 1,
oidcRPMetaDataOptionsIDTokenExpiration => 3600,
oidcRPMetaDataOptionsIDTokenSignAlg => "RS256",
oidcRPMetaDataOptionsBypassConsent => 0,
oidcRPMetaDataOptionsUserIDAttr => "",
oidcRPMetaDataOptionsUserInfoSignAlg => 'RS256',
oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
oidcRPMetaDataOptionsLogoutUrl =>
'http://auth.rp.com/oauth2/blogout',
oidcRPMetaDataOptionsLogoutType => 'back',
t/32-OIDC-strict-JWS-private_key_jwt.t view on Meta::CPAN
op => {
oidcOPMetaDataOptionsCheckJWTSignature => 1,
oidcOPMetaDataOptionsJWKSTimeout => 0,
oidcOPMetaDataOptionsScope => "openid profile",
oidcOPMetaDataOptionsStoreIDToken => 0,
oidcOPMetaDataOptionsDisplay => "",
oidcOPMetaDataOptionsClientID => "rpid",
oidcOPMetaDataOptionsConfigurationURI =>
"https://auth.op.com/.well-known/openid-configuration",
oidcOPMetaDataOptionsTokenEndpointAuthMethod =>
'private_key_jwt',
oidcOPMetaDataOptionsAuthnEndpointAuthMethod => 'jws',
}
},
oidcServicePrivateKeySig => oidc_key_op_private_sig,
oidcServicePublicKeySig => oidc_cert_op_public_sig,
oidcServiceKeyIdSig => 'aabbcc',
oidcOPMetaDataJWKS => {
op => $jwks,
},
oidcOPMetaDataJSON => {
( run in 0.879 second using v1.01-cache-2.11-cpan-73692580452 )