NAME
Lemonldap::NG::Portal::Lib::OIDCTokenExchange - Base class for building OpenID Connect token exchange systems.
SYNOPSIS
    use Mouse;
    extends 'Lemonldap::NG::Portal::Lib::OIDCTokenExchange';

    sub validateAudience {
        my ( $self, $req, $rp, $target, $requestedTokenType ) = @_;
        #
        # verify and update if needed:
        #  * $target->{audience}
        #  * $target->{rp}
        #
        return 1;
    }

    sub getUid {
        my ( $self, $req, $rp, $subjectToken, $subjectTokenType ) = @_;
        #
        # verify $subjectToken
        #
        return 1;
    }
DESCRIPTION
When Lemonldap::NG detects an OAuth 2.0 token exchange request (RFC 8693), it searches for a plugin able to respond. If none returns a valid response, the request is rejected.
Lemonldap::NG::Portal::Lib::OIDCTokenExchange lets you build such a plugin by writing just two methods. You then have to load the module, for example as described in "Enabling custom plugins" in the Lemonldap::NG documentation.
Methods to write
validateAudience
The goal of validateAudience() is to validate the requested audience.
If a non-null value is returned, the request is accepted and Lemonldap::NG builds the new access_token, id_token and refresh_token using the values found in the $target hash.
If a null value is returned, Lemonldap::NG tries the next plugin.
Parameters:
$req, the Lemonldap::NG::Portal::Main::Request object
$rp, the internal LLNG name of the Relying Party which pushed the request
$target, a hash reference with 2 keys:
audience, the requested audience
rp: if Lemonldap::NG found a known Relying Party whose client_id matches the requested audience, its name is put here, else this value is undefined. This value can be modified inside validateAudience() and will be used to generate the new access_token.
$requestedTokenType, the type of the requested token. This value is always one of:
access_token
refresh_token
id_token
saml1
saml2
undef
getUid
getUid() validates the subject token given in the request; its return value is tested as a boolean.
If a non-null value is returned, the request is accepted. Otherwise Lemonldap::NG tries the next plugin.
Parameters:
$req, the Lemonldap::NG::Portal::Main::Request object
$rp, the internal LLNG name of the Relying Party which pushed the request
$subjectToken, the token given in the request
$subjectTokenType, the type of the given token. This value is always one of:
access_token
refresh_token
id_token
saml1
saml2
undef
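A complete plugin implementing both validateAudience() and getUid() as described above, as an added example that is not part of the Lemonldap::NG distribution. It restricts exchanges to a static source-RP to target-RP allowlist, refuses audiences that do not map to a known RP, accepts only access tokens as subject token, and checks that the subject token was issued to the requesting RP before accepting it. The package name, the %ALLOWED_EXCHANGES table and the session lookup helpers (getAccessTokenSessionId(), getOpenIDConnectSession(), getApacheSession() and the rp / user_session_id fields of the token session) are assumptions about the LLNG internals made for this illustration, not documented API on this page; check them against the version you run.

```perl
package Lemonldap::NG::Portal::Plugins::ExampleTokenExchange;

# Added example plugin, not part of LemonLDAP::NG. All helper names and
# session fields used below are assumptions about LLNG internals.

use strict;
use Mouse;
extends 'Lemonldap::NG::Portal::Lib::OIDCTokenExchange';

our $VERSION = '0.1';

# Constructed policy: which source RP may obtain tokens for which target RP.
# Keys and values are internal LLNG RP names.
my %ALLOWED_EXCHANGES = (
    'frontend-app' => { 'orders-api' => 1, 'billing-api' => 1 },
);

sub validateAudience {
    my ( $self, $req, $rp, $target, $requestedTokenType ) = @_;

    # Only hand out access tokens (or answer when no type was requested);
    # returning 0 lets the next plugin try, or rejects if none matches.
    if ( defined $requestedTokenType and $requestedTokenType ne 'access_token' ) {
        $self->logger->debug("Token exchange: unsupported requested type $requestedTokenType");
        return 0;
    }

    # Refuse audiences that are not a known RP: an arbitrary audience string
    # would otherwise become a token nobody is expected to validate.
    unless ( defined $target->{rp} ) {
        $self->userLogger->warn("Token exchange: unknown audience $target->{audience} requested by $rp");
        return 0;
    }

    # Enforce the source -> target policy.
    unless ( $ALLOWED_EXCHANGES{$rp} and $ALLOWED_EXCHANGES{$rp}{ $target->{rp} } ) {
        $self->userLogger->warn("Token exchange: $rp may not request tokens for $target->{rp}");
        return 0;
    }
    return 1;
}

sub getUid {
    my ( $self, $req, $rp, $subjectToken, $subjectTokenType ) = @_;

    # Accept only access tokens as subject; refresh and ID tokens are refused.
    return 0 if defined $subjectTokenType and $subjectTokenType ne 'access_token';

    # Assumption: the OIDC issuer module exposes the token -> session mapping.
    my $oidc = $self->p->loadedModules->{'Lemonldap::NG::Portal::Issuer::OpenIDConnect'}
      or return 0;
    my $tokenSid = $oidc->getAccessTokenSessionId($subjectToken) or return 0;
    my $tokenSession = $oidc->getOpenIDConnectSession( $tokenSid, 'access_token' )
      or return 0;
    my $data = $tokenSession->data;

    # The subject token must have been issued to the RP making the request;
    # without this check any client holding a leaked token could launder it
    # into a fresh token for another audience.
    unless ( $data->{rp} and $data->{rp} eq $rp ) {
        $self->userLogger->warn("Token exchange: $rp presented a token issued to another RP");
        return 0;
    }

    # Resolve the user behind the token; an expired or deleted SSO session
    # makes the lookup fail and the request is refused.
    my $userSession = $self->p->getApacheSession( $data->{user_session_id} ) or return 0;
    my $uid = $userSession->data->{ $self->conf->{whatToTrace} };
    return $uid ? $uid : 0;
}

1;
```

The two refusals in getUid() are the ones a practitioner should not skip: the base class passes the raw subject token to the plugin, so binding the token to the requesting $rp and to a live user session is the plugin's responsibility. Returning 0 rather than raising an error keeps the documented contract (the next plugin is tried, and the request is rejected if none accepts it).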
AUTHORS
LemonLDAP::NG team http://lemonldap-ng.org/team
BUG REPORT
Use the OW2 system to report bugs or request features: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues
DOWNLOAD
Lemonldap::NG is available at https://lemonldap-ng.org/download
COPYRIGHT AND LICENSE
See COPYING file for details.
This library is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.