Catalyst-Plugin-OpenIDConnect

 view release on metacpan or  search on metacpan

lib/Catalyst/Plugin/OpenIDConnect/Role/Store.pm  view on Meta::CPAN

package Catalyst::Plugin::OpenIDConnect::Role::Store;

use Moose::Role;
use namespace::autoclean;

=head1 NAME

Catalyst::Plugin::OpenIDConnect::Role::Store - Role defining the OIDC token store interface

=head1 DESCRIPTION

This Moose role defines the interface that any OIDC store backend must implement.
All store classes (in-memory, Redis, database, etc.) must consume this role.

=head1 REQUIRED METHODS

=head2 create_authorization_code($client_id, $user_data, $scope, $redirect_uri, $nonce, $pkce)

Creates and persists an authorization code for the given parameters.

C<$user_data> must be a plain (unblessed) hashref of the user's OIDC claims,
as returned by C<get_user_claims()>. Callers are responsible for extracting
claims from the live user object before calling this method; doing so here
(rather than in the store) ensures that any application-specific user object
(DBIx::Class row, LDAP entry, etc.) is resolved while the Catalyst context
is still available, and that the store only ever handles plain serialisable data.

C<$pkce> is an optional hashref with keys C<code_challenge> and
C<code_challenge_method>. When supplied the values are stored alongside the
code so that the token endpoint can verify the RFC 7636 PKCE proof. Omit or
pass C<undef> for flows that do not use PKCE.

Returns the authorization code string.

=cut

requires 'create_authorization_code';

=head2 get_authorization_code($code)

Retrieves an authorization code by its value. Must return C<undef> if the code
does not exist or has expired.

Returns a hashref containing at minimum: C<client_id>, C<user>, C<scope>,
C<redirect_uri>, C<nonce>, C<created_at>, C<expires_at>.

=cut

requires 'get_authorization_code';

=head2 consume_authorization_code($code)

Atomically removes an authorization code and returns its data.  This is the
primary method the token endpoint must use to redeem a code; it enforces
single-use semantics without a TOCTOU race condition.

Returns the code data hashref (same structure as C<get_authorization_code>)
on success, or C<undef> if the code does not exist, has already been consumed,
or has expired.

B<Important:> Callers must not call C<get_authorization_code> followed by
C<consume_authorization_code>.  Use C<consume_authorization_code> alone.

=cut

requires 'consume_authorization_code';

=head2 store_refresh_token($jti, $sub, $client_id, $ttl)

Stores a refresh token identifier (JTI) with associated metadata and a TTL
(in seconds).  Called at token-issuance time so that the token endpoint can
later verify the token has not been used or revoked.

=cut

requires 'store_refresh_token';

=head2 consume_refresh_token($jti)

Atomically checks that the JTI exists in the store and removes it.  Returns a
hashref containing at minimum C<sub> and C<client_id> on success, or C<undef>
if the JTI is absent (token has already been used, was explicitly revoked, or
has expired).

Callers B<must> treat a C<undef> return as C<invalid_grant> and reject the
request; this is the single-use enforcement mechanism.

=cut

requires 'consume_refresh_token';

=head2 revoke_refresh_tokens_for_user($sub)

Revokes all outstanding refresh tokens for the given subject identifier across
all clients.  Called at logout time to ensure that an attacker who has stolen a
refresh token cannot continue using it after the legitimate user has logged out.

=cut

requires 'revoke_refresh_tokens_for_user';

1;

=head1 AUTHOR

Tim F. Rayner

=head1 LICENSE

This library is free software; you can redistribute it and/or modify
it under the terms of The Artistic License 2.0.

=cut



( run in 1.588 second using v1.01-cache-2.11-cpan-9581c071862 )