Catalyst-Plugin-OpenIDConnect
view release on metacpan or search on metacpan
Parameters:
- `response_type` (required): "code"
- `client_id` (required): Client ID
- `redirect_uri` (required): Registered redirect URI
- `scope` (optional): Space-separated list of scopes (default: "openid")
- `state` (recommended): CSRF protection token
- `nonce` (optional): String to bind to session
### Token Endpoint
```
POST /openidconnect/token
Content-Type: application/x-www-form-urlencoded
```
Parameters:
- `grant_type` (required): "authorization_code"
- `code` (required): Authorization code
- `client_id` (required): Client ID
- `client_secret` (required): Client secret
- `redirect_uri` (required): Must match the one used in authorization request
### UserInfo Endpoint
```
GET /openidconnect/userinfo
Authorization: Bearer <access_token>
```
Returns:
```json
{
"sub": "user-id",
"name": "User Name",
"email": "user@example.com",
"picture": "https://example.com/avatar.jpg"
}
```
### Discovery Endpoint
```
GET /.well-known/openid-configuration
```
Returns the OpenID Connect provider configuration in JSON format.
## Configuration Reference
### Issuer Configuration
- `url`: The issuer URL (used as 'iss' claim in tokens)
- `private_key_file`: Path to RSA private key for signing tokens
- `public_key_file`: Path to RSA public key for verification (auto-derived from private key if not provided)
- `key_id`: Key identifier (used in JWT header)
### Client Configuration
- `client_id`: Unique client identifier
- `client_secret`: Client secret for token endpoint
- `redirect_uris`: Arrayref or whitespace-separated string of URIs the client is permitted to redirect to after authorization. At least one entry is required.
- `post_logout_redirect_uris`: Arrayref or whitespace-separated string of URIs the client is permitted to redirect to after logout. Required when the client will use `post_logout_redirect_uri` at the logout endpoint.
- `response_types`: Space-separated response types (e.g., "code" or "code id_token")
- `grant_types`: Space-separated grant types (e.g., "authorization_code refresh_token")
- `scope`: Space-separated list of scopes the client can request
### User Claims Mapping
Map from OpenID Connect claim names to user object attributes:
```
<user_claims>
sub = user.id
name = user.display_name
email = user.email_address
email_verified = user.email_confirmed
phone_number = user.phone
</user_claims>
```
## Standard Claims
Supported OpenID Connect standard claims:
- `sub`: Unique subject identifier
- `name`: Full name
- `given_name`: Given (first) name
- `family_name`: Family (last) name
- `middle_name`: Middle name
- `nickname`: Nickname
- `preferred_username`: Preferred username
- `profile`: Profile URL
- `picture`: Picture/avatar URL
- `website`: Website URL
- `email`: Email address
- `email_verified`: Whether email is verified (boolean)
- `phone_number`: Phone number
- `phone_number_verified`: Whether phone is verified (boolean)
- `gender`: Gender
- `birthdate`: Birth date (YYYY-MM-DD)
- `zoneinfo`: Timezone
- `locale`: Locale/language
- `updated_at`: Profile update timestamp
## Token Refresh
To refresh an access token:
```perl
my $new_tokens = $c->openidconnect->refresh_token(
client_id => 'client-id',
client_secret => 'client-secret',
refresh_token => 'refresh-token-value'
);
```
## Securing Endpoints
Use Catalyst roles and attributes to protect endpoints:
```perl
sub profile : Local : RequireUser {
my ( $self, $c ) = @_;
# User is authenticated, $c->user is available
}
```
## Advanced Topics
### Custom Scope Handling
Implement a custom scope handler:
```perl
$c->openidconnect->scope_handler(sub {
my ($c, $scope_string) = @_;
# Custom scope validation/processing
});
```
### Custom Claims Provider
Provide custom user claims:
```perl
$c->openidconnect->claims_provider(sub {
my ($c, $user) = @_;
return {
sub => $user->id,
name => $user->full_name,
custom_claim => $user->some_attribute,
};
});
```
## Testing
Run tests with:
```bash
prove -l t/
```
## License
This module is available under The Artistic License 2.0 (GPL Compatible). See LICENSE file for details.
## Author
Tim F. Rayner
( run in 0.944 second using v1.01-cache-2.11-cpan-9581c071862 )