Lemonldap-NG-Portal
view release on metacpan or search on metacpan
t/32-OIDC-Code-Flow-with-2F.t
t/32-OIDC-Double-Keys-without-kid.t
t/32-OIDC-Double-Keys.t
t/32-OIDC-Grant-Type-OAuth2-Handler-Rules.t
t/32-OIDC-Grant-Type-Rules.t
t/32-OIDC-Hook-GetRpConfig.t
t/32-OIDC-Hooks.t
t/32-OIDC-ID-Token.t
t/32-OIDC-JWE.t
t/32-OIDC-JWS-client_secret_jwt.t
t/32-OIDC-JWS-private_key_jwt.t
t/32-OIDC-JWT-type-header.t
t/32-OIDC-login_hint.t
t/32-OIDC-Logout-from-RP-bypass-confirm.t
t/32-OIDC-Logout-redirect-uri-not-allowed.t
t/32-OIDC-Macro.t
t/32-OIDC-Metadata.t
t/32-OIDC-Native-SSO.t
t/32-OIDC-no-Metadata.t
t/32-OIDC-Offline-Session.t
t/32-OIDC-OP-claims-in-accesstoken.t
t/32-OIDC-Password-Grant-with-Bruteforce-and-Choice.t
t/32-OIDC-Password-Grant.t
t/32-OIDC-prompt-none.t
t/32-OIDC-redirect_uri-filter.t
t/32-OIDC-Refresh-Token.t
t/32-OIDC-Register-with-bad-redirect-uri.t
t/32-OIDC-Register.t
t/32-OIDC-Request-Uri.t
t/32-OIDC-Response-Modes.t
t/32-OIDC-RP-rule.t
t/32-OIDC-strict-JWS-private_key_jwt.t
t/32-OIDC-Token-Exchange.t
t/32-OIDC-Token-Introspection.t
t/32-OIDC-Token-Security.t
t/33-Auth-and-issuer-OpenID2.t
t/34-Auth-Proxy-and-REST-Server.t
t/34-Auth-Proxy-and-REST-sessions.t
t/34-Auth-Proxy-and-SOAP-Server.t
t/35-My-session.t
t/35-REST-auth-password-server.t
t/35-REST-config-backend.t
lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm view on Meta::CPAN
my $authMethod;
if ( $oidc_request->{'request'} ) {
if ( my ( $request, $alg ) =
$self->decodeJWT( $oidc_request->{'request'}, undef, $rp ) )
{
$self->logger->debug("JWT signature request verified");
$authMethod =
$alg =~ /^HS/i
? 'client_secret_jwt'
: 'private_key_jwt';
# Override OIDC parameters by request content
foreach ( keys %$request ) {
$self->logger->debug( "Override $_ OIDC param"
. " by value present in request parameter" );
if ( $_ eq "client_id" or $_ eq "response_type" ) {
if ( $oidc_request->{$_} ne $request->{$_} ) {
return $self->_failAuthorize(
$req,
lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm view on Meta::CPAN
'token_endpoint'" . " in JSON metadata for OP $op"
);
return 0;
}
my $auth_method =
$self->opOptions->{$op}->{oidcOPMetaDataOptionsTokenEndpointAuthMethod}
|| 'client_secret_post';
unless ( $auth_method =~
/^(?:client_secret_(?:(?:pos|jw)t|basic)|private_key_jwt)$/ )
{
$self->logger->error(
"Bad authentication method on token endpoint for OP $op");
return 0;
}
$self->logger->debug(
"Using auth method $auth_method to token endpoint $access_token_uri");
my $response;
lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm view on Meta::CPAN
"Authorization" => "Basic "
. encode_base64( "$client_id:$client_secret", '' ),
"Content-Type" => 'application/x-www-form-urlencoded',
);
}
else {
if ( $auth_method eq "client_secret_post" ) {
$token_request_params->{client_id} = $client_id;
$token_request_params->{client_secret} = $client_secret;
}
elsif ( $auth_method =~ /^(?:client_secret|private_key)_jwt$/ ) {
# TODO: add parameter to choose alg
my $alg =
$auth_method eq 'client_secret_jwt' ? 'HS256'
: $self->conf->{oidcServiceKeyTypeSig} eq 'EC' ? 'ES256'
: 'RS256';
my $time = time;
my $jws = $self->createJWTForOP( {
iss => $client_id,
sub => $client_id,
lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm view on Meta::CPAN
{
# Signature must be valid
my ( $jwt, $alg ) =
$self->decodeJWT( $jws, undef, $rp );
if ($jwt) {
$scheme =
$alg =~ /^HS/i
? 'client_secret_jwt'
: 'private_key_jwt';
# Token must be time-valid
if ( $jwt->{aud} and $jwt->{exp} ) {
if ( time < $jwt->{exp} ) {
$self->logger->debug("JWS is valid");
# Then export the client_id !
$client_id = $_clientId;
}
else {
lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm view on Meta::CPAN
sub key2jwks {
my ( $self, $key, $type ) = @_;
if ( $type and $type eq 'EC' ) {
require Crypt::PK::ECC;
my $eck = Crypt::PK::ECC->new();
$eck->import_key( \$key );
return $eck->export_key_jwk( 'public', 1 );
}
else {
my $rsa_pub = Crypt::OpenSSL::RSA->new_private_key($key);
my @params = $rsa_pub->get_key_parameters();
return {
n => encode_base64url( $params[0]->to_bin(), "" ),
e => encode_base64url( $params[1]->to_bin(), "" ),
kty => 'RSA',
};
}
}
lib/Lemonldap/NG/Portal/Lib/SAML.pm view on Meta::CPAN
if ( $error->{code} ) {
$self->p->lmLog(
"Lasso error code " . $error->{code} . ": " . $error->{message},
$level );
return ( 0, $error->{code} );
}
return ( 1, undef );
}
## @method Lasso::Server createServer(string metadata, string private_key, string private_key_password, string private_key_enc, string private_key_enc_password, string certificate)
# Load service metadata and create Lasso::Server object
# @param metadata SAML metadata
# @param private_key private key
# @param private_key_password optional private key password
# @param private_key_enc optional private key for encryption
# @param private_key_enc_password optional private key password for encryption
# @param certificate optional certificate
# @return Lasso::Server object
sub createServer {
my ( $self, $metadata, $private_key, $private_key_password,
$private_key_enc, $private_key_enc_password, $certificate )
= @_;
my $server;
# https://dev.entrouvert.org/issues/51415
my $save_env = $ENV{'SSL_CERT_FILE'};
$ENV{'SSL_CERT_FILE'} = "/dev/null";
eval {
$server = Lasso::Server::new_from_buffers( $metadata, $private_key,
$private_key_password, $certificate );
# Set private key for encryption
if ( $server && $private_key_enc ) {
Lasso::Server::set_encryption_private_key_with_password( $server,
$private_key_enc, $private_key_enc_password );
}
};
if ( defined $save_env ) {
$ENV{'SSL_CERT_FILE'} = $save_env;
}
else {
delete $ENV{'SSL_CERT_FILE'};
}
t/32-OIDC-JWS-private_key_jwt.t view on Meta::CPAN
oidcOPMetaDataOptionsCheckJWTSignature => 1,
oidcOPMetaDataOptionsJWKSTimeout => 0,
oidcOPMetaDataOptionsScope => "openid profile",
oidcOPMetaDataOptionsStoreIDToken => 0,
oidcOPMetaDataOptionsDisplay => "",
oidcOPMetaDataOptionsClientID => "rpid",
oidcOPMetaDataOptionsConfigurationURI =>
"https://auth.op.com/.well-known/openid-configuration",
oidcOPMetaDataOptionsAuthnEndpointAuthMethod => 'jws',
oidcOPMetaDataOptionsTokenEndpointAuthMethod =>
'private_key_jwt',
}
},
oidcServicePrivateKeySig => oidc_key_op_private_sig,
oidcServicePublicKeySig => oidc_cert_op_public_sig,
oidcServiceKeyIdSig => 'aabbcc',
oidcOPMetaDataJWKS => {
op => $jwks,
},
oidcOPMetaDataJSON => {
op => $metadata,
t/32-OIDC-bad-auth-method.t view on Meta::CPAN
op => {
oidcOPMetaDataOptionsCheckJWTSignature => 1,
oidcOPMetaDataOptionsJWKSTimeout => 0,
oidcOPMetaDataOptionsScope => "openid profile",
oidcOPMetaDataOptionsStoreIDToken => 0,
oidcOPMetaDataOptionsDisplay => "",
oidcOPMetaDataOptionsClientID => "rpid",
oidcOPMetaDataOptionsConfigurationURI =>
"https://auth.op.com/.well-known/openid-configuration",
oidcOPMetaDataOptionsTokenEndpointAuthMethod =>
'private_key_jwt',
}
},
oidcServicePrivateKeySig => oidc_key_op_private_sig,
oidcServicePublicKeySig => oidc_cert_op_public_sig,
oidcServiceKeyIdSig => 'aabbcc',
oidcOPMetaDataJWKS => {
op => $jwks,
},
oidcOPMetaDataJSON => {
op => $metadata,
t/32-OIDC-strict-JWS-private_key_jwt.t view on Meta::CPAN
name => "cn"
}
},
oidcServiceAllowHybridFlow => 1,
oidcServiceAllowImplicitFlow => 1,
oidcServiceAllowAuthorizationCodeFlow => 1,
oidcRPMetaDataOptions => {
rp => {
oidcRPMetaDataOptionsDisplayName => "RP",
oidcRPMetaDataOptionsClientID => "rpid",
oidcRPMetaDataOptionsAuthMethod => 'private_key_jwt',
oidcRPMetaDataOptionsAuthRequiredForAuthorize => 1,
oidcRPMetaDataOptionsIDTokenExpiration => 3600,
oidcRPMetaDataOptionsIDTokenSignAlg => "RS256",
oidcRPMetaDataOptionsBypassConsent => 0,
oidcRPMetaDataOptionsUserIDAttr => "",
oidcRPMetaDataOptionsUserInfoSignAlg => 'RS256',
oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
oidcRPMetaDataOptionsLogoutUrl =>
'http://auth.rp.com/oauth2/blogout',
oidcRPMetaDataOptionsLogoutType => 'back',
t/32-OIDC-strict-JWS-private_key_jwt.t view on Meta::CPAN
op => {
oidcOPMetaDataOptionsCheckJWTSignature => 1,
oidcOPMetaDataOptionsJWKSTimeout => 0,
oidcOPMetaDataOptionsScope => "openid profile",
oidcOPMetaDataOptionsStoreIDToken => 0,
oidcOPMetaDataOptionsDisplay => "",
oidcOPMetaDataOptionsClientID => "rpid",
oidcOPMetaDataOptionsConfigurationURI =>
"https://auth.op.com/.well-known/openid-configuration",
oidcOPMetaDataOptionsTokenEndpointAuthMethod =>
'private_key_jwt',
oidcOPMetaDataOptionsAuthnEndpointAuthMethod => 'jws',
}
},
oidcServicePrivateKeySig => oidc_key_op_private_sig,
oidcServicePublicKeySig => oidc_cert_op_public_sig,
oidcServiceKeyIdSig => 'aabbcc',
oidcOPMetaDataJWKS => {
op => $jwks,
},
oidcOPMetaDataJSON => {
( run in 0.270 second using v1.01-cache-2.11-cpan-4d50c553e7e )