OIDC OP2RP logout in progress (#1194)

9 years ago · 7f460429e1
parent 516830c32f
commit 7f460429e1
9 changed files with 62 additions and 19 deletions
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
@ -130,8 +130,10 @@ sub defaultValues {
            'loa-5' => 5
        },
        'oidcServiceMetaDataAuthorizeURI'    => 'authorize',
+        'oidcServiceMetaDataBackChannelURI'  => 'blogout',
        'oidcServiceMetaDataCheckSessionURI' => 'checksession.html',
        'oidcServiceMetaDataEndSessionURI'   => 'logout',
+        'oidcServiceMetaDataFrontChannelURI' => 'flogout',
        'oidcServiceMetaDataIssuer'          => 'http://auth.example.com',
        'oidcServiceMetaDataJWKSURI'         => 'jwks',
        'oidcServiceMetaDataRegistrationURI' => 'register',
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm
@ -60,6 +60,6 @@ our $issuerParameters = {
  issuerDBSAML => [qw(issuerDBSAMLActivation issuerDBSAMLPath issuerDBSAMLRule)],
 };
 our $samlServiceParameters = [qw(samlEntityID samlServicePrivateKeySig samlServicePrivateKeySigPwd samlServicePublicKeySig samlServicePrivateKeyEnc samlServicePrivateKeyEncPwd samlServicePublicKeyEnc samlServiceUseCertificateInResponse samlNameIDFormatMapEmail samlNameIDFormatMapX509 samlNameIDFormatMapWindows samlNameIDFormatMapKerberos samlAuthnContextMapPassword samlAuthnContextMapPasswordProtectedTransport samlAuthnContextMapTLSClient samlAuthnContextMapKerberos samlOrganizationDisplayName samlOrganizationName samlOrganizationURL samlSPSSODescriptorAuthnRequestsSigned samlSPSSODescriptorWantAssertionsSigned samlSPSSODescriptorSingleLogoutServiceHTTPRedirect samlSPSSODescriptorSingleLogoutServiceHTTPPost samlSPSSODescriptorSingleLogoutServiceSOAP samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact samlSPSSODescriptorAssertionConsumerServiceHTTPPost samlSPSSODescriptorArtifactResolutionServiceArtifact samlIDPSSODescriptorWantAuthnRequestsSigned samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect samlIDPSSODescriptorSingleSignOnServiceHTTPPost samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect samlIDPSSODescriptorSingleLogoutServiceHTTPPost samlIDPSSODescriptorSingleLogoutServiceSOAP samlIDPSSODescriptorArtifactResolutionServiceArtifact samlAttributeAuthorityDescriptorAttributeServiceSOAP samlIdPResolveCookie samlMetadataForceUTF8 samlStorage samlStorageOptions samlRelayStateTimeout samlUseQueryStringSpecific samlCommonDomainCookieActivation samlCommonDomainCookieDomain samlCommonDomainCookieReader samlCommonDomainCookieWriter)];
-our $oidcServiceParameters = [qw(oidcServiceMetaDataIssuer oidcServiceMetaDataAuthorizeURI oidcServiceMetaDataTokenURI oidcServiceMetaDataUserInfoURI oidcServiceMetaDataJWKSURI oidcServiceMetaDataRegistrationURI oidcServiceMetaDataEndSessionURI oidcServiceMetaDataCheckSessionURI oidcServiceMetaDataAuthnContext oidcServicePrivateKeySig oidcServicePublicKeySig oidcServiceKeyIdSig oidcServiceAllowDynamicRegistration oidcServiceAllowAuthorizationCodeFlow oidcServiceAllowImplicitFlow oidcServiceAllowHybridFlow oidcStorage oidcStorageOptions)];
+our $oidcServiceParameters = [qw(oidcServiceMetaDataIssuer oidcServiceMetaDataAuthorizeURI oidcServiceMetaDataTokenURI oidcServiceMetaDataUserInfoURI oidcServiceMetaDataJWKSURI oidcServiceMetaDataRegistrationURI oidcServiceMetaDataEndSessionURI oidcServiceMetaDataCheckSessionURI oidcServiceMetaDataFrontChannelURI oidcServiceMetaDataBackChannelURI oidcServiceMetaDataAuthnContext oidcServicePrivateKeySig oidcServicePublicKeySig oidcServiceKeyIdSig oidcServiceAllowDynamicRegistration oidcServiceAllowAuthorizationCodeFlow oidcServiceAllowImplicitFlow oidcServiceAllowHybridFlow oidcStorage oidcStorageOptions)];

 1;
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
@ -1750,6 +1750,10 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
            'default' => 'authorize',
            'type'    => 'text'
        },
+        'oidcServiceMetaDataBackChannelURI' => {
+            'default' => 'blogout',
+            'type'    => 'text'
+        },
        'oidcServiceMetaDataCheckSessionURI' => {
            'default' => 'checksession.html',
            'type'    => 'text'
@ -1758,6 +1762,10 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
            'default' => 'logout',
            'type'    => 'text'
        },
+        'oidcServiceMetaDataFrontChannelURI' => {
+            'default' => 'flogout',
+            'type'    => 'text'
+        },
        'oidcServiceMetaDataIssuer' => {
            'default' => 'http://auth.example.com',
            'type'    => 'text'
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
@ -2367,6 +2367,16 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
            default       => 'checksession.html',
            documentation => 'OpenID Connect check session iframe',
        },
+        oidcServiceMetaDataBackChannelURI => {
+            type          => 'text',
+            default       => 'blogout',
+            documentation => 'OpenID Connect Front-Channel logout endpoint',
+        },
+        oidcServiceMetaDataFrontChannelURI => {
+            type          => 'text',
+            default       => 'flogout',
+            documentation => 'OpenID Connect Front-Channel logout endpoint',
+        },
        oidcServiceMetaDataAuthnContext => {
            type    => 'keyTextContainer',
            keyTest => qr/\w/,
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
@ -855,6 +855,8 @@ sub tree {
                        'oidcServiceMetaDataRegistrationURI',
                        'oidcServiceMetaDataEndSessionURI',
                        'oidcServiceMetaDataCheckSessionURI',
+                        'oidcServiceMetaDataFrontChannelURI',
+                        'oidcServiceMetaDataBackChannelURI',
                    ]
                },
                'oidcServiceMetaDataAuthnContext',
--- a/lemonldap-ng-manager/site/htdocs/static/reverseTree.json
+++ b/lemonldap-ng-manager/site/htdocs/static/reverseTree.json
--- a/lemonldap-ng-manager/site/htdocs/static/struct.json
+++ b/lemonldap-ng-manager/site/htdocs/static/struct.json
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
@ -3,6 +3,7 @@ package Lemonldap::NG::Portal::Issuer::OpenIDConnect;
 use strict;
 use JSON;
 use Mouse;
+use Lemonldap::NG::Common::FormEncode;
 use Lemonldap::NG::Portal::Main::Constants qw(
  PE_BADURL
  PE_CONFIRM
@ -1230,10 +1231,25 @@ sub logout {
        my @rps = grep /\w/, split( ',', $s );
        foreach my $rp (@rps) {
            my $rpConf = $self->conf->{oidcRPMetaDataOptions}->{$rp};
+            unless ($rpConf) {
+                $self->logger->error("Unknown RP $rp");
+                return PE_ERROR;
+            }
            if ( my $url = $rpConf->{oidcRPMetaDataOptionsLogoutUrl} ) {
                if ( $rpConf->{oidcRPMetaDataOptionsLogoutType} eq 'front' ) {
-
-                 # TODO: sid + iss if oidcRPMetaDataOptionsLogoutSessionRequired
+                    if ( $rpConf->{oidcRPMetaDataOptionsLogoutSessionRequired} )
+                    {
+                        my $user_id_attribute =
+                          $self->conf->{oidcRPMetaDataOptions}->{$rp}
+                          ->{oidcRPMetaDataOptionsUserIDAttr}
+                          || $self->conf->{whatToTrace};
+                        my $user_id = $req->{sessionInfo}->{$user_id_attribute};
+                        $url .= ( $urm =~ /\?/ ? '&' : '?' )
+                          . build_urlencoded(
+                            iss => $self->conf->{oidcServiceMetaDataIssuer},
+                            sid => $user_id
+                          );
+                    }
                    $req->info( qq'<iframe src="$url" class="noborder">'
                          . '</iframe>' );
                }
@ -1248,20 +1264,6 @@ sub logout {

 # Internal methods

-sub addRouteFromConf {
-    my ( $self, $type, %subs ) = @_;
-    my $adder = "add${type}Route";
-    foreach ( keys %subs ) {
-        my $sub  = $subs{$_};
-        my $path = $self->conf->{$_};
-        unless ($path) {
-            $self->logger->error("$_ parameter not defined");
-            next;
-        }
-        $self->$adder( $self->path => { $path => $sub }, [ 'GET', 'POST' ] );
-    }
-}
-
 sub metadata {
    my ( $self, $req ) = @_;
    my $issuerDBOpenIDConnectPath = $self->conf->{issuerDBOpenIDConnectPath};
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
@ -1372,6 +1372,20 @@ sub decode_base64url {
    return decode_base64($s);
 }

+sub addRouteFromConf {
+    my ( $self, $type, %subs ) = @_;
+    my $adder = "add${type}Route";
+    foreach ( keys %subs ) {
+        my $sub  = $subs{$_};
+        my $path = $self->conf->{$_};
+        unless ($path) {
+            $self->logger->error("$_ parameter not defined");
+            next;
+        }
+        $self->$adder( $self->path => { $path => $sub }, [ 'GET', 'POST' ] );
+    }
+}
+
 1;

 __END__
@ -1525,6 +1539,11 @@ Build Logout Request URI

 Build Logout Response URI 

+=head2 addRouteFromConf
+
+Build a Lemonldap::NG::Common::PSGI::Router route from OIDC configuration
+attribute
+
 =head1 SEE ALSO

 L<Lemonldap::NG::Portal::AuthOpenIDConnect>, L<Lemonldap::NG::Portal::UserDBOpenIDConnect>