Provided by: libwebauth-perl_4.7.0-6build2_amd64 bug

NAME

       WebAuth::Token - Generic WebAuth token handling

SYNOPSIS

           use WebAuth;

           my $wa = WebAuth->new;
           eval {
               $token = WebAuth->token_decode ($wa, $data, $keyring);
               print ref ($token), " received\n";
               print "Encoded: ", $token->encode, "\n";
           };
           if ($@) {
               # handle exception
           }

DESCRIPTION

       WebAuth::Token is the parent class for all WebAuth token objects.  Other than when
       creating a new token by decoding an encrypted token, this class will never be used
       directly.  Instead, it is the base class for all other WebAuth::Token::* classes, each of
       which represents a specific type of protocol token.

       The following token classes are currently supported:

       WebAuth::Token::App
           Used by a WebAuth Application Server to store data, such as the identity of an
           authenticated user or the session key for that identity information.

       WebAuth::Token::Cred
           Holds a credential for some other service, usually a Kerberos service ticket.  It is
           sent back by the WebKDC to a WebAuth Application Server when requested using a proxy
           token, and the WAS also uses it to store the credentials in cookies.

       WebAuth::Token::Error
           Returned by the WebKDC in response to a request token if some error occurred in
           processing that request.

       WebAuth::Token::Id
           Identifies a user to a WebAuth Authentication Server.  This token is sent from the
           WebKDC to the WAS following a user authentication to communicate the authentication
           information.

       WebAuth::Token::Login
           Used to communicate the user's username and password or other authentication secret
           from the WebLogin server to the WebKDC.

       WebAuth::Token::Proxy
           Used by a WebAuth Application Server to request other tokens from the WebKDC.  This is
           returned by the WebKDC to a WebAuth Application Server if the WAS may need to request
           various tokens (particularly credential tokens).

       WebAuth::Token::Request
           Sent by the WebAuth Application Server to the WebKDC to initiate a request.

           This token has two forms.  The first is sent by the WAS to the WebKDC via a redirect
           to request either an id or a proxy token for the user, depending on whether the WAS
           will need credentials.  The second is sent to the WebKDC as part of a request for a
           service token and contains only the command and creation time.

       WebAuth::Token::WebKDCProxy
           Stores user credentials or authentication information for later use by the WebKDC.
           This is the token that's stored as a single sign-on cookie in the user's browser,
           allowing the user to authenticate to subsequent web sites without reauthenticating.
           This token is also returned inside a proxy token to a WAS, which can then present it
           back to the WebKDC to obtain id or cred tokens.

       WebAuth::Token::WebKDCService
           Sent by the WebKDC to a WAS and returned by the WAS to the WebKDC as part of the
           request token.  The purpose of this token is to store the session key used for
           encrypting the request token and its responses.  It's encrypted in the WebKDC's long-
           term key, and is therefore used by the WebKDC to recover the session key without
           having local state.

       Each of these tokens have different data elements and therefore different accessor
       functions, and each has its own separate documentation.  See that individual documentation
       for the available operations on each type of token.

CLASS METHODS

       As with WebAuth module functions, failures are signaled by throwing WebAuth::Exception
       rather than by return status.

       new (WEBAUTH, TOKEN, KEYRING)
           Given an encrypted and base64-encoded TOKEN, decode and decrypt it using the provided
           WebAuth::Keyring object.  The return value will be a subclass of WebAuth::Token as
           described above in "DESCRIPTION".

           Callers will normally want to check via isa() whether the returned token is of the
           type that the caller expected.  Not performing that check can lead to security issues.

           This is a convenience wrapper around the WebAuth token_decode() method.

       The subclasses of WebAuth::Token also have a traditional new() constructor to create a
       new, empty token of that type.

AUTHOR

       Russ Allbery <eagle@eyrie.org>

SEE ALSO

       WebAuth(3), WebAuth::Keyring(3), WebAuth::Token::App(3), WebAuth::Token::Cred(3),
       WebAuth::Token::Error(3), WebAuth::Token::Id(3), WebAuth::Token::Login(3),
       WebAuth::Token::Proxy(3), WebAuth::Token::Request(3), WebAuth::Token::WebKDCProxy(3),
       WebAuth::Token::WebKDCService(3)

       This module is part of WebAuth.  The current version is available from
       <http://webauth.stanford.edu/>.