plucky (3) Lemonldap::NG::Portal::Lib::OIDCTokenExchange.3pm.gz

Provided by: liblemonldap-ng-portal-perl_2.20.2+ds-1build1_all

NAME

       Lemonldap::NG::Portal::Lib::OIDCTokenExchange - Base class for building OpenID Connect token exchange
       systems.

SYNOPSIS

         use Mouse;
         extends 'Lemonldap::NG::Portal::Lib::OIDCTokenExchange';

         sub validateAudience {
           my ( $self, $req, $rp, $target, $requestedTokenType ) = @_;
           #
           # verify and update if needed:
           # * $target->{audience}
           # * $target->{rp}
           #
           return 1;
         }

         sub getUid {
           my ( $self, $req, $rp, $subjectToken, $subjectTokenType ) = @_;
           #
           # verify subjectToken
           #
           return 1;
         }

DESCRIPTION

       When Lemonldap::NG <https://lemonldap-ng.org> detects an OAuth2 token exchange
       <https://datatracker.ietf.org/doc/html/rfc8693> request, it searches for a plugin able to respond. If none
       returns a valid response, it rejects the request.

       Lemonldap::NG::Portal::Lib::OIDCTokenExchange lets you build such a plugin by writing just two
       methods. You then need to load the module, for example as described in Enabling custom plugin
       <https://lemonldap-ng.org/documentation/latest/plugincustom.html#enabling-your-plugin>.

   Methods to write
       validateAudience

       The goal of validateAudience() is to validate the requested audience.

       If a non-null value is returned, then the request is accepted and Lemonldap::NG will build new
       "access_token", "id_token" and "refresh_token" using the values included in the $target hash.

       If a null value is returned, Lemonldap::NG will try the next plugin.

       Parameters:

       •   $req, the Lemonldap::NG::Portal::Main::Request object

       •   $rp, the internal LLNG name of the Relying Party that sent the request

       •   $target, a hash value with 2 keys:

           •   audience, the requested audience

           •   rp: if Lemonldap::NG found a known Relying Party whose Client-ID matches the requested audience,
               its name is put here, else this value is undefined.

           This value can be modified inside "validateAudience" and will be used to generate the new
           "access_token".

       •   $requestedTokenType, the type of the requested token. This value is always one of:

           •   access_token

           •   refresh_token

           •   id_token

           •   saml1

           •   saml2

           •   undef

       getUid

       getUid() is a boolean method to validate the token given in the request.

       If a non-null value is returned, then the request is accepted. Otherwise Lemonldap::NG will try the next
       plugin.

       Parameters:

       •   $req, the Lemonldap::NG::Portal::Main::Request object

       •   $rp, the internal LLNG name of the Relying Party that sent the request

       •   $subjectToken, the token given in the request

       •   $subjectTokenType, the type of the given token. This value is always one of:

           •   access_token

           •   refresh_token

           •   id_token

           •   saml1

           •   saml2

           •   undef
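       As an added illustration (not code from the LemonLDAP::NG project), here is a minimal plugin built on
       this base class that only lets a known Relying Party exchange an access token it was itself issued for
       an access token aimed at an explicitly allowed target RP. The %ALLOWED policy, the %TOKENS store and
       the lookupAccessToken helper are assumptions: the page does not document LLNG's real token lookup, so
       a constructed in-memory store stands in for it.

```perl
package Lemonldap::NG::Portal::Plugins::MyTokenExchange;

use strict;
use warnings;
use Mouse;
extends 'Lemonldap::NG::Portal::Lib::OIDCTokenExchange';

# Constructed policy (assumption): which requesting RP may obtain a token
# for which target RP. Anything not listed is refused, so the next plugin
# (if any) gets a chance and otherwise the request is rejected.
my %ALLOWED = ( 'rp-frontend' => { 'rp-backend' => 1 } );

# Constructed in-memory token store standing in for LLNG's real lookup,
# which this page does not document. Each entry records the RP the token
# was issued to, its owner and its expiry.
my %TOKENS = (
    'tok-abc' => { rp => 'rp-frontend', uid => 'alice', expires_at => time() + 600 },
);

sub lookupAccessToken {
    my ( $self, $token ) = @_;
    return $TOKENS{$token};
}

sub validateAudience {
    my ( $self, $req, $rp, $target, $requestedTokenType ) = @_;
    # Only issue access tokens; other requested types are left to other plugins.
    return 0 if defined $requestedTokenType && $requestedTokenType ne 'access_token';
    # Refuse audiences that do not resolve to a known Relying Party.
    return 0 unless defined $target->{rp};
    # Enforce the delegation allow-list (requesting RP -> target RP).
    return 0 unless $ALLOWED{$rp} && $ALLOWED{$rp}{ $target->{rp} };
    return 1;
}

sub getUid {
    my ( $self, $req, $rp, $subjectToken, $subjectTokenType ) = @_;
    # Only access tokens are accepted as subject tokens here.
    return 0 unless defined $subjectTokenType && $subjectTokenType eq 'access_token';
    my $session = $self->lookupAccessToken($subjectToken) or return 0;
    # The token must have been issued to the RP presenting it and be unexpired.
    return 0 unless $session->{rp} eq $rp;
    return 0 if $session->{expires_at} < time();
    # A non-null value accepts the request; the user identifier is returned.
    return $session->{uid};
}

1;
```

       A request from rp-frontend presenting tok-abc for audience rp-backend is accepted; the same token
       presented by any other RP, or aimed at any other audience, is refused and left to the next plugin.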

AUTHORS

       •   LemonLDAP::NG team <http://lemonldap-ng.org/team>

BUG REPORT

       Use the OW2 system to report bugs or ask for features:
       <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>

DOWNLOAD

       Lemonldap::NG is available at <https://lemonldap-ng.org/download>

       See COPYING file for details.

       This library is free software; you can redistribute it and/or modify it under the terms of the GNU
       General Public License as published by the Free Software Foundation; either version 2, or (at your
       option) any later version.

       This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even
       the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public
       License for more details.

       You should have received a copy of the GNU General Public License along with this program.  If not, see
       <http://www.gnu.org/licenses/>.