1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
|
package Lemonldap::NG::Handler::Lib::OAuth2;
use Lemonldap::NG::Common::JWT qw(getAccessTokenSessionId);
use strict;
our $VERSION = '2.19.0';
sub retrieveSession {
my ( $class, $req, $id ) = @_;
my ($offlineId) = $id =~ /^O-(.*)/;
# Retrieve regular session if this is not an offline access token
unless ($offlineId) {
my $data =
$class->Lemonldap::NG::Handler::Main::retrieveSession( $req, $id );
if ( ref($data) eq "HASH" ) {
$data = { %{$data}, $class->_getTokenAttributes($req) };
# Update cache
$class->data($data);
}
else {
$req->data->{oauth2_error} = 'invalid_token';
}
return $data;
}
# 2. Get the session from cache or backend
my $session = $req->data->{session} = (
Lemonldap::NG::Common::Session->new( {
hashStore => $class->tsv->{hashedSessionStore},
storageModule => $class->tsv->{oidcStorageModule},
storageModuleOptions => $class->tsv->{oidcStorageOptions},
cacheModule => $class->tsv->{sessionCacheModule},
cacheModuleOptions => $class->tsv->{sessionCacheOptions},
id => $offlineId,
kind => "OIDCI",
}
)
);
unless ( $session->error ) {
my $data = { %{ $session->data }, $class->_getTokenAttributes($req) };
$class->data($data);
$class->logger->debug("Get session $offlineId from Handler::Main::Run");
# Verify that session is valid
$class->logger->error(
"_utime is not defined. This should not happen. Check if it is well transmitted to handler"
) unless $session->data->{_utime};
my $ttl = $class->tsv->{timeout} - time + $session->data->{_utime};
$class->logger->debug( "Session TTL = " . $ttl );
if ( time - $session->data->{_utime} > $class->tsv->{timeout} ) {
$class->logger->info("Session $id expired");
# Clean cached data
$class->data( {} );
return 0;
}
return $data;
}
else {
$class->logger->info("Session $offlineId can not be retrieved");
$class->logger->info( $session->error );
return 0;
}
}
sub fetchId {
my ( $class, $req ) = @_;
my $access_token;
my $authorization = $req->{env}->{HTTP_AUTHORIZATION};
if ( $authorization
and ( $access_token = ( $authorization =~ /^Bearer (.+)$/i )[0] ) )
{
$class->logger->debug("Found OAuth2 Access Token ($access_token)");
}
else {
return $class->Lemonldap::NG::Handler::Main::fetchId($req);
}
# Get access token session
my $access_token_sid = getAccessTokenSessionId($access_token);
unless ($access_token_sid) {
$req->data->{oauth2_error} = 'invalid_token';
return;
}
my $infos = $class->getOIDCInfos($access_token_sid);
unless ($infos) {
$req->data->{oauth2_error} = 'invalid_token';
return;
}
# Store scope and rpid for future session attributes
if ( $infos->{rp} ) {
my $rp = $infos->{rp};
$req->data->{_scope} = $infos->{scope};
$req->data->{_oidc_grant_type} = $infos->{grant_type};
$req->data->{_clientConfKey} = $rp;
if ( $class->tsv->{oauth2Options}->{$rp}
and $class->tsv->{oauth2Options}->{$rp}->{clientId} )
{
$req->data->{_clientId} =
$class->tsv->{oauth2Options}->{$rp}->{clientId};
}
}
# If this token is tied to a regular session ID
if ( my $_session_id = $infos->{user_session_id} ) {
$class->logger->debug( 'Get user session id ' . $_session_id );
return $_session_id;
}
# If this token is tied to an Offline session
if ( my $_session_id = $infos->{offline_session_id} ) {
$class->logger->debug( 'Get offline session id ' . $_session_id );
return "O-$_session_id";
}
my $value = $class->Lemonldap::NG::Handler::Main::fetchId($req);
unless ($value) {
$req->data->{oauth2_error} = 'invalid_token';
}
return $value;
}
## @rmethod protected hash getOIDCInfos(id)
# Tries to retrieve the OIDC session, get infos
# @return OIDC session infos
sub getOIDCInfos {
my ( $class, $id ) = @_;
my $infos = {};
# Get the session
my $oidcSession = Lemonldap::NG::Common::Session->new( {
hashStore => $class->tsv->{hashedSessionStore},
storageModule => $class->tsv->{oidcStorageModule},
storageModuleOptions => $class->tsv->{oidcStorageOptions},
cacheModule => $class->tsv->{sessionCacheModule},
cacheModuleOptions => $class->tsv->{sessionCacheOptions},
id => $id,
kind => "OIDCI",
}
);
unless ( $oidcSession->error ) {
$class->logger->debug("Get OIDC session $id");
# Verify that session is valid
unless ( $oidcSession->data->{_utime} ) {
$class->logger->error("_utime missing from Access Token session");
return;
}
my $ttl = $class->tsv->{timeout} - time + $oidcSession->data->{_utime};
$class->logger->debug("Session TTL = $ttl");
if ( time - $oidcSession->data->{_utime} > $class->tsv->{timeout} ) {
$class->logger->info("Access Token session $id expired");
return;
}
$infos = { %{ $oidcSession->data } };
}
else {
$class->logger->info("OIDC session $id can not be retrieved");
$class->logger->info( $oidcSession->error );
}
return $infos;
}
## The OAuth2 handler does not redirect, we simply return a 401 with relevant
# information as described in https://tools.ietf.org/html/rfc6750#section-3
sub goToPortal {
my ( $class, $req, $url, $arg, $path ) = @_;
my $oauth2_error = '';
if ( $req->data->{oauth2_error} ) {
$oauth2_error = ' error="' . $req->data->{oauth2_error} . '"';
}
$class->set_header_out( $req,
'WWW-Authenticate' => "Bearer" . $oauth2_error );
return $class->HTTP_UNAUTHORIZED;
}
sub _getTokenAttributes {
my ( $class, $req ) = @_;
my %res;
for my $attr (qw/_scope _clientConfKey _clientId _oidc_grant_type/) {
if ( $req->data->{$attr} ) {
$res{$attr} = $req->data->{$attr};
}
}
return %res;
}
1;
|
