logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

Lemonldap::NG::Portal::Lib::OIDCTokenExchange - Base class for building OpenID Connect token exchange

Authors

       •   LemonLDAP::NG team <http://lemonldap-ng.org/team>

Bug Report

       Use        OW2        system       to       report       bug       or       ask       for       features:
       <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>

Description

       When Lemonldap::NG <https://lemonldap-ng.org> detects a Oauth2 token exchange
       <https://datatracker.ietf.org/doc/html/rfc8693> request, it searches for a plugin able to respond. If no
       one returns a valid response, it rejects the requests.

       Lemonldap::NG::Portal::Lib::OIDCTokenExchange permits one to build such plugin by just writing two
       methods. Of course you need then to load the module for example using Enabling custom plugin
       <https://lemonldap-ng.org/documentation/latest/plugincustom.html#enabling-your-plugin>.

   MethodstowritevalidateAudience

       The goal of validateAudience() is to validate the requested audience.

       If a non-null value is returned, then the request is accepted and Lemonldap::NG will build new
       "access_token", "id_token" and "refresh_token" using the values included into $target hash.

       If a null value is returned, Lemonldap::NG will try the next plugin.

       Parameters:

       •   $req, the Lemonldap::NG::Portal::Main::Request object

       •   $rp, the internal LLNG name of the Relying Party which pushed the request

       •   $target, a hash value with 2 keys:

           •   audience, the requested audience

           •   rp: if Lemonldap::NG found a known Relying Party which Client-ID matches with requested audience,
               its name is put here, else this value is undefined.

           This  value  can  be  modified  inside  "validateAudience"  and  will  be  used  to  generate the new
           "access_token".

       •   $requestedTokenType, the type of the requested token. This value is always one of:

           •   access_tokenrefresh_tokenid_tokensaml1saml2undefgetUid

       getUid() is a boolean method to validate the token given in the request.

       If a non-null value is returned, then the request is accepted.  Else  Lemonldap::NG  will  try  the  next
       plugin.

       Parameters:

       •   $req, the Lemonldap::NG::Portal::Main::Request object

       •   $rp, the internal LLNG name of the Relying Party which pushed the request

       •   $subjectToken, the token given in the request

       •   $subjectTokenType, the type of the given token. This value is always one of:

           •   access_tokenrefresh_tokenid_tokensaml1saml2undef

Download

       Lemonldap::NG is available at <https://lemonldap-ng.org/download>

Name

       Lemonldap::NG::Portal::Lib::OIDCTokenExchange - Base class for building OpenID Connect token exchange
       systems.

Synopsis

         use Mouse
         extends 'Lemonldap::NG::Portal::Lib::OIDCTokenExchange';

         sub validateAudience {
           my ( $self, $req, $rp, $target, $requestedTokenType ) = @_;
           #
           # verify and update if needed:
           # * $target->{audience}
           # * $target->{rp}
           #
           return 1;
         }

         sub getUid {
           my ( $self, $req, $rp, $subjectToken, $subjectTokenType ) = @_;
           #
           # verify subjectToken
           #
           return 1;
         }

See Also