line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package CatalystX::OAuth2; |
2
|
8
|
|
|
8
|
|
4892
|
use Moose::Role; |
|
8
|
|
|
|
|
20
|
|
|
8
|
|
|
|
|
62
|
|
3
|
|
|
|
|
|
|
|
4
|
|
|
|
|
|
|
# ABSTRACT: OAuth2 services for Catalyst |
5
|
|
|
|
|
|
|
|
6
|
|
|
|
|
|
|
|
7
|
|
|
|
|
|
|
requires '_build_query_parameters'; |
8
|
|
|
|
|
|
|
|
9
|
|
|
|
|
|
|
# spec isn't clear re missing endpoint uris |
10
|
|
|
|
|
|
|
has redirect_uri => ( is => 'ro', required => 0 ); |
11
|
|
|
|
|
|
|
|
12
|
|
|
|
|
|
|
has store => ( |
13
|
|
|
|
|
|
|
is => 'rw', |
14
|
|
|
|
|
|
|
does => 'CatalystX::OAuth2::Store', |
15
|
|
|
|
|
|
|
init_arg => undef, |
16
|
|
|
|
|
|
|
predicate => 'has_store' |
17
|
|
|
|
|
|
|
); |
18
|
|
|
|
|
|
|
|
19
|
|
|
|
|
|
|
has query_parameters => ( is => 'rw', init_arg => undef, lazy_build => 1 ); |
20
|
|
|
|
|
|
|
|
21
|
27
|
|
|
27
|
|
233
|
sub _params {qw(response_type redirect_uri scope state client_id)} |
22
|
|
|
|
|
|
|
|
23
|
|
|
|
|
|
|
sub BUILD { |
24
|
27
|
|
|
27
|
0
|
46410
|
my ( $self, $args ) = @_; |
25
|
27
|
|
|
|
|
170
|
delete @{$args}{ $self->_params() }; |
|
27
|
|
|
|
|
146
|
|
26
|
27
|
100
|
|
|
|
229
|
if ( my @extra = keys %$args ) { |
27
|
3
|
|
|
|
|
170
|
$self->query_parameters( |
28
|
|
|
|
|
|
|
{ error => 'invalid_request', |
29
|
|
|
|
|
|
|
error_description => 'unrecognized parameters: ' |
30
|
|
|
|
|
|
|
. join( ', ', @extra ) |
31
|
|
|
|
|
|
|
} |
32
|
|
|
|
|
|
|
); |
33
|
|
|
|
|
|
|
} |
34
|
|
|
|
|
|
|
} |
35
|
|
|
|
|
|
|
|
36
|
|
|
|
|
|
|
|
37
|
|
|
|
|
|
|
1; |
38
|
|
|
|
|
|
|
|
39
|
|
|
|
|
|
|
__END__ |
40
|
|
|
|
|
|
|
|
41
|
|
|
|
|
|
|
=pod |
42
|
|
|
|
|
|
|
|
43
|
|
|
|
|
|
|
=head1 NAME |
44
|
|
|
|
|
|
|
|
45
|
|
|
|
|
|
|
CatalystX::OAuth2 - OAuth2 services for Catalyst |
46
|
|
|
|
|
|
|
|
47
|
|
|
|
|
|
|
=head1 VERSION |
48
|
|
|
|
|
|
|
|
49
|
|
|
|
|
|
|
version 0.001007 |
50
|
|
|
|
|
|
|
|
51
|
|
|
|
|
|
|
=head1 SYNOPSIS |
52
|
|
|
|
|
|
|
|
53
|
|
|
|
|
|
|
package AuthServer::Controller::OAuth2::Provider; |
54
|
|
|
|
|
|
|
use Moose; |
55
|
|
|
|
|
|
|
BEGIN { extends 'Catalyst::Controller::ActionRole' } |
56
|
|
|
|
|
|
|
|
57
|
|
|
|
|
|
|
with 'CatalystX::OAuth2::Controller::Role::Provider'; |
58
|
|
|
|
|
|
|
|
59
|
|
|
|
|
|
|
__PACKAGE__->config( |
60
|
|
|
|
|
|
|
store => { |
61
|
|
|
|
|
|
|
class => 'DBIC', |
62
|
|
|
|
|
|
|
client_model => 'DB::Client' |
63
|
|
|
|
|
|
|
} |
64
|
|
|
|
|
|
|
); |
65
|
|
|
|
|
|
|
|
66
|
|
|
|
|
|
|
sub request : Chained('/') Args(0) Does('OAuth2::RequestAuth') {} |
67
|
|
|
|
|
|
|
|
68
|
|
|
|
|
|
|
sub grant : Chained('/') Args(0) Does('OAuth2::GrantAuth') { |
69
|
|
|
|
|
|
|
my ( $self, $c ) = @_; |
70
|
|
|
|
|
|
|
|
71
|
|
|
|
|
|
|
my $oauth2 = $c->req->oauth2; |
72
|
|
|
|
|
|
|
|
73
|
|
|
|
|
|
|
$c->user_exists and $oauth2->user_is_valid(1) |
74
|
|
|
|
|
|
|
or $c->detach('/passthrulogin'); |
75
|
|
|
|
|
|
|
} |
76
|
|
|
|
|
|
|
|
77
|
|
|
|
|
|
|
sub token : Chained('/') Args(0) Does('OAuth2::AuthToken::ViaAuthGrant') {} |
78
|
|
|
|
|
|
|
|
79
|
|
|
|
|
|
|
sub refresh : Chained('/') Args(0) Does('OAuth2::AuthToken::ViaRefreshToken') {} |
80
|
|
|
|
|
|
|
|
81
|
|
|
|
|
|
|
1; |
82
|
|
|
|
|
|
|
|
83
|
|
|
|
|
|
|
=head1 DESCRIPTION |
84
|
|
|
|
|
|
|
|
85
|
|
|
|
|
|
|
This module implements the authorization grant subset of the L<oauth 2 ietf |
86
|
|
|
|
|
|
|
spec draft|http://tools.ietf.org/html/draft-ietf-oauth-v2-23>. Action roles |
87
|
|
|
|
|
|
|
containing an implementation of each required endpoint in the specification |
88
|
|
|
|
|
|
|
are provided and should be applied to a L<Catalyst::Controller::ActionRole>. |
89
|
|
|
|
|
|
|
The authorization grant flow is defined by the specification as follows: |
90
|
|
|
|
|
|
|
|
91
|
|
|
|
|
|
|
+--------+ +---------------+ |
92
|
|
|
|
|
|
|
| |--(A)------- Authorization Grant --------->| | |
93
|
|
|
|
|
|
|
| | | | |
94
|
|
|
|
|
|
|
| |<-(B)----------- Access Token -------------| | |
95
|
|
|
|
|
|
|
| | & Refresh Token | | |
96
|
|
|
|
|
|
|
| | | | |
97
|
|
|
|
|
|
|
| | +----------+ | | |
98
|
|
|
|
|
|
|
| |--(C)---- Access Token ---->| | | | |
99
|
|
|
|
|
|
|
| | | | | | |
100
|
|
|
|
|
|
|
| |<-(D)- Protected Resource --| Resource | | Authorization | |
101
|
|
|
|
|
|
|
| Client | | Server | | Server | |
102
|
|
|
|
|
|
|
| |--(E)---- Access Token ---->| | | | |
103
|
|
|
|
|
|
|
| | | | | | |
104
|
|
|
|
|
|
|
| |<-(F)- Invalid Token Error -| | | | |
105
|
|
|
|
|
|
|
| | +----------+ | | |
106
|
|
|
|
|
|
|
| | | | |
107
|
|
|
|
|
|
|
| |--(G)----------- Refresh Token ----------->| | |
108
|
|
|
|
|
|
|
| | | | |
109
|
|
|
|
|
|
|
| |<-(H)----------- Access Token -------------| | |
110
|
|
|
|
|
|
|
+--------+ & Optional Refresh Token +---------------+ |
111
|
|
|
|
|
|
|
|
112
|
|
|
|
|
|
|
The action roles should be applied to actions in a single controller, and no |
113
|
|
|
|
|
|
|
more than one action of each role type should be present. |
114
|
|
|
|
|
|
|
|
115
|
|
|
|
|
|
|
Here is an overview of what roles are involved in each of those phases: |
116
|
|
|
|
|
|
|
|
117
|
|
|
|
|
|
|
=over |
118
|
|
|
|
|
|
|
|
119
|
|
|
|
|
|
|
=item A - L<Catalyst::ActionRole::OAuth2::RequestAuth> |
120
|
|
|
|
|
|
|
|
121
|
|
|
|
|
|
|
Required |
122
|
|
|
|
|
|
|
|
123
|
|
|
|
|
|
|
This is the action where the authentication grant flow begins, it validades |
124
|
|
|
|
|
|
|
and sanitizes the request parameters and generates an authorization code which |
125
|
|
|
|
|
|
|
is used for issuing a valid request to the GrantAuth action via a redirect. |
126
|
|
|
|
|
|
|
The authorization code is only generated if all parameters are well-formed and |
127
|
|
|
|
|
|
|
valid, this ensures that requests to the GrantAuth action can trust the |
128
|
|
|
|
|
|
|
request parameters if a valid authorization code is presented. |
129
|
|
|
|
|
|
|
|
130
|
|
|
|
|
|
|
=item B - L<Catalyst::ActionRole::OAuth2::GrantAuth> |
131
|
|
|
|
|
|
|
|
132
|
|
|
|
|
|
|
Required |
133
|
|
|
|
|
|
|
|
134
|
|
|
|
|
|
|
This action checks the request parameters for a valid authorization code, |
135
|
|
|
|
|
|
|
which should have been generated by a previous request to a RequestAuth |
136
|
|
|
|
|
|
|
action. This action should be customized to somehow confirm with the end-user |
137
|
|
|
|
|
|
|
if he wishes to effectively grant the authorization to the requesting |
138
|
|
|
|
|
|
|
client/app. The user-agent is redirected automatically to the correct endpoint |
139
|
|
|
|
|
|
|
if the authorization is granted. |
140
|
|
|
|
|
|
|
|
141
|
|
|
|
|
|
|
=item C and D - L<Catalyst::ActionRole::OAuth2::AuthToken::ViaAuthGrant> |
142
|
|
|
|
|
|
|
|
143
|
|
|
|
|
|
|
Required |
144
|
|
|
|
|
|
|
|
145
|
|
|
|
|
|
|
This action exchanges a valid authorization grant code and responds with an |
146
|
|
|
|
|
|
|
authorization token. |
147
|
|
|
|
|
|
|
|
148
|
|
|
|
|
|
|
=item G and H - L<Catalyst::ActionRole::OAuth2::AuthToken::ViaRefreshToken> |
149
|
|
|
|
|
|
|
|
150
|
|
|
|
|
|
|
Optional |
151
|
|
|
|
|
|
|
|
152
|
|
|
|
|
|
|
This action exchanges a valid refresh token for a new access token and refresh |
153
|
|
|
|
|
|
|
token. |
154
|
|
|
|
|
|
|
|
155
|
|
|
|
|
|
|
=back |
156
|
|
|
|
|
|
|
|
157
|
|
|
|
|
|
|
=head1 CONFIGURATION |
158
|
|
|
|
|
|
|
|
159
|
|
|
|
|
|
|
=head2 store |
160
|
|
|
|
|
|
|
|
161
|
|
|
|
|
|
|
Takes a hashref containing two keys: |
162
|
|
|
|
|
|
|
|
163
|
|
|
|
|
|
|
=over |
164
|
|
|
|
|
|
|
|
165
|
|
|
|
|
|
|
=item class |
166
|
|
|
|
|
|
|
|
167
|
|
|
|
|
|
|
The store type to use, so far, only DBIC support is provided |
168
|
|
|
|
|
|
|
|
169
|
|
|
|
|
|
|
=item client_model |
170
|
|
|
|
|
|
|
|
171
|
|
|
|
|
|
|
The entity representing the client in your schema |
172
|
|
|
|
|
|
|
|
173
|
|
|
|
|
|
|
=back |
174
|
|
|
|
|
|
|
|
175
|
|
|
|
|
|
|
=head1 SPONSORSHIP |
176
|
|
|
|
|
|
|
|
177
|
|
|
|
|
|
|
This module exists due to the wonderful people at Suretec Systems Ltd. |
178
|
|
|
|
|
|
|
<http://www.suretecsystems.com/> who sponsored its development for its |
179
|
|
|
|
|
|
|
VoIP division called SureVoIP <http://www.surevoip.co.uk/> for use with |
180
|
|
|
|
|
|
|
the SureVoIP API - |
181
|
|
|
|
|
|
|
<http://www.surevoip.co.uk/support/wiki/api_documentation> |
182
|
|
|
|
|
|
|
|
183
|
|
|
|
|
|
|
=head1 AUTHOR |
184
|
|
|
|
|
|
|
|
185
|
|
|
|
|
|
|
Eden Cardim <edencardim@gmail.com> |
186
|
|
|
|
|
|
|
|
187
|
|
|
|
|
|
|
=head1 COPYRIGHT AND LICENSE |
188
|
|
|
|
|
|
|
|
189
|
|
|
|
|
|
|
This software is copyright (c) 2017 by Suretec Systems Ltd. |
190
|
|
|
|
|
|
|
|
191
|
|
|
|
|
|
|
This is free software; you can redistribute it and/or modify it under |
192
|
|
|
|
|
|
|
the same terms as the Perl 5 programming language system itself. |
193
|
|
|
|
|
|
|
|
194
|
|
|
|
|
|
|
=cut |