OIDC in progress (#595)

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm

@@ -165,7 +165,7 @@ sub run {
                         'debug'
                     );
                     $oidc_request->{$_} = $request->{$_};
-                    $self->setHiddenFormValue( $_, $request->{$_}, '' );
+                    $self->p->setHiddenFormValue( $_, $request->{$_}, '' );
                 }
             }
 
@@ -268,7 +268,7 @@ sub run {
             if ($reauthentication) {
 
                 # Set prompt to 0 to avoid loop
-                $self->setHiddenFormValue( $req, 'prompt', '', '' );
+                $self->p->setHiddenFormValue( $req, 'prompt', '', '' );
 
                 # Replay authentication process
                 $self->{updateSession} = 1;
@@ -825,13 +825,15 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
             my $oidc_request = {};
             foreach my $param (qw/id_token_hint post_logout_redirect_uri state/)
             {
-                $oidc_request->{$param} = $req->param($param);
-                $self->lmLog(
-                    "OIDC request parameter $param: " . $oidc_request->{$param},
-                    'debug'
-                );
-                $self->setHiddenFormValue( $param, $oidc_request->{$param},
-                    '' );
+                if ( $oidc_request->{$param} = $req->param($param) ) {
+                    $self->lmLog(
+                        "OIDC request parameter $param: "
+                          . $oidc_request->{$param},
+                        'debug'
+                    );
+                    $self->p->setHiddenFormValue( $param,
+                        $oidc_request->{$param}, '' );
+                }
             }
 
             my $post_logout_redirect_uri =
@@ -842,7 +844,7 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
             if ( $req->param('confirm') ) {
                 if ( $req->param('confirm') == 1 ) {
                     my $apacheSession = $self->p->getApacheSession( $req->id );
-                    $self->p->_deleteSession($apacheSession);
+                    $self->p->_deleteSession( $req, $apacheSession );
                 }
 
                 if ($post_logout_redirect_uri) {
@@ -874,7 +876,7 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
 # Handle token endpoint
 sub token {
     my ( $self, $req ) = @_;
-    $req->parseBody if($req->method =~ /^post$/i);
+    $req->parseBody if ( $req->method =~ /^post$/i );
     $self->lmLog( "URL detected as an OpenID Connect TOKEN URL", 'debug' );
 
     # Check authentication
@@ -1033,7 +1035,7 @@ sub token {
 sub userInfo {
     my ( $self, $req ) = @_;
     $self->lmLog( "URL detected as an OpenID Connect USERINFO URL", 'debug' );
-    $req->parseBody if($req->method =~ /^post$/i);
+    $req->parseBody if ( $req->method =~ /^post$/i );
 
     my $access_token = $self->getEndPointAccessToken($req);
 
@@ -1090,7 +1092,7 @@ sub userInfo {
 sub jwks {
     my ( $self, $req ) = @_;
     $self->lmLog( "URL detected as an OpenID Connect JWKS URL", 'debug' );
-    $req->parseBody if($req->method =~ /^post$/i);
+    $req->parseBody if ( $req->method =~ /^post$/i );
 
     my $jwks = { keys => [] };
 
@@ -1220,7 +1222,7 @@ sub endSessionDone {
     my ( $self, $req ) = @_;
     $self->lmLog( "URL  detected as an OpenID Connect END SESSION URL",
         'debug' );
-    $req->parseBody if($req->method =~ /^post$/i);
+    $req->parseBody if ( $req->method =~ /^post$/i );
     $self->lmLog( "User is already logged out", 'debug' );
 
     my $post_logout_redirect_uri = $req->param('post_logout_redirect_uri');
@@ -1245,7 +1247,7 @@ sub checkSession {
     my ( $self, $req ) = @_;
     $self->lmLog( "URL  detected as an OpenID Connect CHECK SESSION URL",
         'debug' );
-    $req->parseBody if($req->method =~ /^post$/i);
+    $req->parseBody if ( $req->method =~ /^post$/i );
 
     my $portalPath = $self->{portal};
     $portalPath =~ s#^https?://[^/]+/?#/#;

lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Artifact-with-SOAP-SLO.t

@@ -146,7 +146,7 @@ SKIP: {
     # Test if logout is done
     switch ('issuer');
     ok(
-        $res = $sp->_get(
+        $res = $issuer->_get(
             '/', cookie => "lemonldap=$idpId",
         ),
         'Test if user is reject on IdP'

lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST-IdP-initiated.t

@@ -135,7 +135,7 @@ m#iframe src="http://auth.idp.com(/saml/relaySingleLogoutPOST)\?(relay=.*?)"#s,
     # Test if logout is done
     switch ('issuer');
     ok(
-        $res = $sp->_get(
+        $res = $issuer->_get(
             '/', cookie => "lemonldap=$idpId",
         ),
         'Test if user is reject on IdP'

lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-POST.t

@@ -164,7 +164,7 @@ SKIP: {
     # Test if logout is done
     switch ('issuer');
     ok(
-        $res = $sp->_get(
+        $res = $issuer->_get(
             '/', cookie => "lemonldap=$idpId",
         ),
         'Test if user is reject on IdP'

lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect-IdP-initiated.t

@@ -118,7 +118,7 @@ m#iframe src="http://auth.sp.com(/saml/proxySingleLogout)\?(SAMLRequest=.*?)"#,
     # Test if logout is done
     switch ('issuer');
     ok(
-        $res = $sp->_get(
+        $res = $issuer->_get(
             '/', cookie => "lemonldap=$idpId",
         ),
         'Test if user is reject on IdP'

lemonldap-ng-portal/t/30-Auth-and-issuer-SAML-Redirect.t

@@ -178,7 +178,7 @@ qr#^http://auth.sp.com(/saml/proxySingleLogoutReturn)\?(SAMLResponse=.+)#
     # Test if logout is done
     switch ('issuer');
     ok(
-        $res = $sp->_get(
+        $res = $issuer->_get(
             '/', cookie => "lemonldap=$idpId",
         ),
         'Test if user is reject on IdP'

lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC.t

@@ -74,7 +74,74 @@ switch ('sp');
 ok( $res = $sp->_get( '/', query => $query, accept => 'text/html' ),
     'Call openidconnectcallback on RP' );
 count(1);
-my $rpId = expectCookie($res);
+my $spId = expectCookie($res);
+
+# Logout initiated by RP
+ok(
+    $res = $sp->_get(
+        '/',
+        query  => 'logout',
+        cookie => "lemonldap=$spId",
+        accept => 'text/html'
+    ),
+    'Query SP for logout'
+);
+count(1);
+( $url, $query ) = expectRedirection( $res,
+    qr#http://auth.op.com(/oauth2/logout)\?(post_logout_redirect_uri=.+)$# );
+
+# Push logout to OP
+switch ('issuer');
+
+ok(
+    $res = $issuer->_get(
+        $url,
+        query  => $query,
+        cookie => "lemonldap=$idpId",
+        accept => 'text/html'
+    ),
+    'Push logout request to OP'
+);
+count(1);
+
+( $host, $tmp, $query ) = expectForm( $res, '#', undef, 'confirm' );
+
+ok(
+    $res = $issuer->_post(
+        $url, IO::String->new($query),
+        length => length($query),
+        cookie => "lemonldap=$idpId",
+    ),
+    'Confirm logout'
+);
+count(1);
+
+    # Test if logout is done
+    switch ('issuer');
+    ok(
+        $res = $issuer->_get(
+            '/', cookie => "lemonldap=$idpId",
+        ),
+        'Test if user is reject on IdP'
+    );
+    count(1);
+    expectReject($res);
+
+    switch ('sp');
+    ok(
+        $res = $sp->_get(
+            '/',
+            accept => 'text/html',
+            cookie =>
+              "lemonldapidp=http://auth.idp.com/saml/metadata; lemonldap=$spId"
+        ),
+        'Test if user is reject on SP'
+    );
+    count(1);
+    expectRedirection($res,qr#^http://auth.op.com/oauth2/authorize#);
+
+    #print STDERR Dumper($res);
+#print STDERR Dumper($res);
 
 clean_sessions();
 done_testing( count() );