The London Perl and Raku Workshop takes place on 26th Oct 2024. If your company depends on Perl, please consider sponsoring and/or attending.


Plack::Auth::SSO - role for Single Sign On (SSO) authentication


* SSO for Central Authentication System (CAS): Plack::Auth::SSO::CAS

* SSO for ORCID: Plack::Auth::SSO::ORCID

* SSO for Shibboleth: Plack::Auth::SSO::Shibboleth


    package MySSOAuth;

    use Moo;
    use Data::Util qw(:check);

    with "Plack::Auth::SSO";

    sub to_app {

        my $self = shift;

        sub {

            my $env = shift;
            my $request = Plack::Request->new($env);
            my $session = Plack::Session->new($env);

            #did this app already authenticate you?
            #implementation of Plack::Auth::SSO should write hash to session key,
            #configured by "session_key"
            my $auth_sso = $self->get_auth_sso($session);

            #already authenticated: what are you doing here?
            if( is_hash_ref($auth_sso) ){

                return [ 302, [ Location => $self->uri_for($self->authorization_path) ], [] ];


            #not authenticated: do your internal work

            #authentication done in external application code, but here something went wrong..
            unless ( $ok ) {

                #error is set in auth_sso_error..
                        package => __PACKAGE__,
                        package_id => $self->id,
                        type => "connection_failed",
                        content => ""

                #user is redirected to error_path
                return [ 302, [ Location => $self->uri_for($self->error_path) ], [] ];


            #everything ok: set auth_sso
                    package => __PACKAGE__,
                    package_id => $self->id,
                    response => {
                        content => "Long response from external SSO application",
                        content_type => "text/xml"
                    uid => "<uid>",
                    info => {
                        attr1 => "attr1",
                        attr2 => "attr2"
                    extra => {
                        field1 => "field1"

            #redirect to other application for authorization:
            return [ 302, [ Location => $self->uri_for($self->authorization_path) ], [] ];



    #in your app.psgi

    builder {

        mount "/auth/myssoauth" => MySSOAuth->new(

            session_key => "auth_sso",
            authorization_path => "/auth/myssoauth/callback",
            uri_base => "http://localhost:5001",
            error_path => "/auth/error"


        mount "/auth/myssoauth/callback" => sub {

            my $env = shift;
            my $session = Plack::Session->new($env);
            my $auth_sso = $session->get("auth_sso");

            #not authenticated yet

                return [ 403, ["Content-Type" => "text/html"], ["forbidden"] ];


            #process auth_sso (white list, roles ..)

            [ 200, ["Content-Type" => "text/html"], ["logged in!"] ];


        mount "/auth/error" => sub {

            my $env = shift;
            my $session = Plack::Session->new($env);
            my $auth_sso_error = $session->get("auth_sso_error");

            unless ( $auth_sso_error ) {

                return [ 302, [ Location => $self->uri_for( "/" ) ], [] ];


            [ 200, [ "Content-Type" => "text/plain" ], [




This is a Moo::Role for all Single Sign On Authentication packages. It requires to_app method, that returns a valid Plack application

An implementation is expected is to do all communication with the external SSO application (e.g. CAS). When it succeeds, it should save the response from the external service in the session, and redirect to the authorization url (see below).

The authorization route must pick up the response from the session, and log the user in.

This package requires you to use Plack Sessions.



When authentication succeeds, the implementation saves the response from the SSO application in this session key, together with extra information.

The response should look like this:

        package => "<package-name>",
        package_id => "<package-id>",
        response => {
            content => "Long response from external SSO application like CAS",
            content_type => "<mime-type>"
        uid => "<uid-in-external-app>",
        info => {
            attr1 => "attr1",
            attr2 => "attr2"
        extra => {
            field1 => "field1"

This is usefull for several reasons:

    * the authorization application can distinguish between authenticated and not authenticated users

    * it can pick up the saved response from the session

    * it can lookup a user in an internal database, matching on the provided "uid" from the external service.

    * the key "package" tells which package authenticated the user; so the application can do an appropriate lookup based on this information.

    * the key "package_id" defaults to the package name, but is configurable. This is usefull when you have several external services of the same type,
      and your application wants to distinguish between them.

    * the original response is stored as text, along with the content type.

    * other attributes stored in the hash reference "info". It is up to the implementing package whether it should only used attributes as pushed during
      the authentication step (like in CAS), or do an extra lookup.

    * "extra" should be used to store request information.
        e.g. "ORCID" gives a "token".
        e.g. "Shibboleth" supplies the "Shib-Identity-Provider".

(internal) path of the authorization route. This path will be prepended by "uri_base" to create the full url.

When authentication succeeds, this application should redirect you here


(internal) path of the error route. This path will be prepended by "uri_base" to create the full url.

When authentication fails, this application should redirect you here

If not set, it has the same value as the authorizaton_path. In that case make sure that you also

check for auth_sso_error in your authorization route.

The implementor should expect this in the session key "auth_sso_error" ( "_error" is appended to the configured session_key ):

        package => "Plack::Auth::SSO::TYPE",
        package_id => "Plack::Auth::SSO::TYPE",
        type => "my-error-type",
        content => "Something went terribly wrong!"

Error types should be documented by the implementor.

uri_for( path )

method that prepends your path with "uri_base".


identifier of the authentication module. Defaults to the package name. This is handy when using multiple SSO instances, and you need to known exactly which package authenticated the user.

This is stored in "auth_sso" as "package_id".


base url of the Plack application



logger instance. Object instance of class Log::Any::Proxy that logs messages to a category that equals your current class name.

E.g. configure your logging in log4perl.conf:

    log4perl.appender.STDERR.layout.ConversionPattern=%d %p [%P] - %c[%L] : %m%n

See Log::Any for more information


returns a Plack application

This must be implemented by subclasses


get saved SSO response from your session


save SSO response to your session

$hash should be a hash ref, and look like this:

        package => __PACKAGE__,
        package_id => __PACKAGE__ ,
        response => {
            content => "Long response from external SSO application like CAS",
            content_type => "<mime-type>",
        uid => "<uid>",
        info => {},
        extra => {}


get saved SSO error response from your session


save SSO error response to your session

$hash should be a hash ref, and look like this:

        package => __PACKAGE__,
        package_id => __PACKAGE__ ,
        type => "my-type",
        content => "my-content"


Generate unique CSRF token. Store this token in your session, and supply it as parameter to the redirect uri.


Save csrf token to the session

The token is saved in key session_key + "_csrf"


Retrieve csrf token from the session


Compare supplied token with stored token


removes additional session keys like auth_sso_error and auth_sso_csrf before redirecting to the authorization path.


See examples/app1:

    #copy example config to required location
    $ cp examples/catmandu.yml.example examples/catmandu.yml

    #edit config
    $ vim examples/catmandu.yml

    #start plack application
    plackup examples/


Nicolas Franck, <nicolas.franck at>


This program is free software; you can redistribute it and/or modify it under the terms of either: the GNU General Public License as published by the Free Software Foundation; or the Artistic License.

See for more information.


Plack::Auth::SSO::CAS, Plack::Auth::SSO::ORCID Plack::Auth::SSO::Shibboleth Log::Any