line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Net::OAuth2::AuthorizationServer::ImplicitGrant; |
2
|
|
|
|
|
|
|
|
3
|
|
|
|
|
|
|
=head1 NAME |
4
|
|
|
|
|
|
|
|
5
|
|
|
|
|
|
|
Net::OAuth2::AuthorizationServer::ImplicitGrant - OAuth2 Resource Owner Implicit Grant |
6
|
|
|
|
|
|
|
|
7
|
|
|
|
|
|
|
You "SHOULD NOT" use this grant type (see L) |
8
|
|
|
|
|
|
|
|
9
|
|
|
|
|
|
|
=head1 SYNOPSIS |
10
|
|
|
|
|
|
|
|
11
|
|
|
|
|
|
|
my $Grant = Net::OAuth2::AuthorizationServer::ImplicitGrant->new( |
12
|
|
|
|
|
|
|
clients => { |
13
|
|
|
|
|
|
|
TrendyNewService => { |
14
|
|
|
|
|
|
|
# optional |
15
|
|
|
|
|
|
|
redirect_uri => 'https://...', |
16
|
|
|
|
|
|
|
# optional |
17
|
|
|
|
|
|
|
scopes => { |
18
|
|
|
|
|
|
|
post_images => 1, |
19
|
|
|
|
|
|
|
annoy_friends => 1, |
20
|
|
|
|
|
|
|
}, |
21
|
|
|
|
|
|
|
}, |
22
|
|
|
|
|
|
|
} |
23
|
|
|
|
|
|
|
); |
24
|
|
|
|
|
|
|
|
25
|
|
|
|
|
|
|
# verify a client against known clients |
26
|
|
|
|
|
|
|
my ( $is_valid,$error,$scopes ) = $Grant->verify_client( |
27
|
|
|
|
|
|
|
client_id => $client_id, |
28
|
|
|
|
|
|
|
redirect_uri => $uri, # optional |
29
|
|
|
|
|
|
|
scopes => [ qw/ list of scopes / ], # optional |
30
|
|
|
|
|
|
|
); |
31
|
|
|
|
|
|
|
|
32
|
|
|
|
|
|
|
if ( ! $Grant->login_resource_owner ) { |
33
|
|
|
|
|
|
|
# resource owner needs to login |
34
|
|
|
|
|
|
|
... |
35
|
|
|
|
|
|
|
} |
36
|
|
|
|
|
|
|
|
37
|
|
|
|
|
|
|
# have resource owner confirm (and perhaps modify) scopes |
38
|
|
|
|
|
|
|
my ( $confirmed,$error,$scopes_ref ) = $Grant->confirm_by_resource_owner( |
39
|
|
|
|
|
|
|
client_id => $client_id, |
40
|
|
|
|
|
|
|
scopes => [ qw/ list of scopes / ], |
41
|
|
|
|
|
|
|
); |
42
|
|
|
|
|
|
|
|
43
|
|
|
|
|
|
|
# generate a token |
44
|
|
|
|
|
|
|
my $token = $Grant->token( |
45
|
|
|
|
|
|
|
client_id => $client_id, |
46
|
|
|
|
|
|
|
scopes => $scopes_ref, |
47
|
|
|
|
|
|
|
redirect_uri => $redirect_uri, |
48
|
|
|
|
|
|
|
user_id => $user_id, # optional |
49
|
|
|
|
|
|
|
jwt_claims_cb => sub { ... }, # optional, see jwt_claims_cb in Manual |
50
|
|
|
|
|
|
|
); |
51
|
|
|
|
|
|
|
|
52
|
|
|
|
|
|
|
# store access token |
53
|
|
|
|
|
|
|
$Grant->store_access_token( |
54
|
|
|
|
|
|
|
client_id => $client, |
55
|
|
|
|
|
|
|
access_token => $access_token, |
56
|
|
|
|
|
|
|
scopes => $scopes_ref, |
57
|
|
|
|
|
|
|
); |
58
|
|
|
|
|
|
|
|
59
|
|
|
|
|
|
|
# verify an access token |
60
|
|
|
|
|
|
|
my ( $is_valid,$error ) = $Grant->verify_access_token( |
61
|
|
|
|
|
|
|
access_token => $access_token, |
62
|
|
|
|
|
|
|
scopes => $scopes_ref, |
63
|
|
|
|
|
|
|
); |
64
|
|
|
|
|
|
|
|
65
|
|
|
|
|
|
|
=head1 DESCRIPTION |
66
|
|
|
|
|
|
|
|
67
|
|
|
|
|
|
|
This module implements the OAuth2 "Resource Owner Implicit Grant" flow as described |
68
|
|
|
|
|
|
|
at L. |
69
|
|
|
|
|
|
|
|
70
|
|
|
|
|
|
|
=head1 CONSTRUCTOR ARGUMENTS |
71
|
|
|
|
|
|
|
|
72
|
|
|
|
|
|
|
Along with those detailed at L |
73
|
|
|
|
|
|
|
the following are supported by this grant type: |
74
|
|
|
|
|
|
|
|
75
|
|
|
|
|
|
|
=head1 CALLBACK FUNCTIONS |
76
|
|
|
|
|
|
|
|
77
|
|
|
|
|
|
|
The following callbacks are supported by this grant type: |
78
|
|
|
|
|
|
|
|
79
|
|
|
|
|
|
|
verify_client_cb |
80
|
|
|
|
|
|
|
login_resource_owner_cb |
81
|
|
|
|
|
|
|
confirm_by_resource_owner_cb |
82
|
|
|
|
|
|
|
store_access_token_cb |
83
|
|
|
|
|
|
|
verify_access_token_cb |
84
|
|
|
|
|
|
|
|
85
|
|
|
|
|
|
|
Please see L for |
86
|
|
|
|
|
|
|
documentation on each callback function. |
87
|
|
|
|
|
|
|
|
88
|
|
|
|
|
|
|
=cut |
89
|
|
|
|
|
|
|
|
90
|
5
|
|
|
5
|
|
3192
|
use strict; |
|
5
|
|
|
|
|
13
|
|
|
5
|
|
|
|
|
164
|
|
91
|
5
|
|
|
5
|
|
29
|
use warnings; |
|
5
|
|
|
|
|
10
|
|
|
5
|
|
|
|
|
152
|
|
92
|
|
|
|
|
|
|
|
93
|
5
|
|
|
5
|
|
1142
|
use Moo; |
|
5
|
|
|
|
|
23747
|
|
|
5
|
|
|
|
|
32
|
|
94
|
|
|
|
|
|
|
with 'Net::OAuth2::AuthorizationServer::Defaults'; |
95
|
|
|
|
|
|
|
|
96
|
5
|
|
|
5
|
|
4342
|
use Carp qw/ croak /; |
|
5
|
|
|
|
|
12
|
|
|
5
|
|
|
|
|
299
|
|
97
|
5
|
|
|
5
|
|
1199
|
use Types::Standard qw/ :all /; |
|
5
|
|
|
|
|
159105
|
|
|
5
|
|
|
|
|
58
|
|
98
|
|
|
|
|
|
|
|
99
|
6
|
|
|
6
|
|
40
|
sub _uses_auth_codes { 0 }; |
100
|
0
|
|
|
0
|
|
0
|
sub _uses_user_passwords { 0 }; |
101
|
|
|
|
|
|
|
|
102
|
|
|
|
|
|
|
sub BUILD { |
103
|
12
|
|
|
12
|
0
|
522
|
my ( $self, $args ) = @_; |
104
|
|
|
|
|
|
|
|
105
|
12
|
100
|
66
|
|
|
66
|
if ( |
106
|
|
|
|
|
|
|
# if we don't have a list of clients |
107
|
|
|
|
|
|
|
!$self->_has_clients |
108
|
|
|
|
|
|
|
|
109
|
|
|
|
|
|
|
# we must know how to verify clients and tokens |
110
|
|
|
|
|
|
|
and ( !$args->{ verify_client_cb } |
111
|
|
|
|
|
|
|
and !$args->{ store_access_token_cb } |
112
|
|
|
|
|
|
|
and !$args->{ verify_access_token_cb } ) |
113
|
|
|
|
|
|
|
) |
114
|
|
|
|
|
|
|
{ |
115
|
2
|
|
|
|
|
35
|
croak __PACKAGE__ . " requires either clients or overrides"; |
116
|
|
|
|
|
|
|
} |
117
|
|
|
|
|
|
|
} |
118
|
|
|
|
|
|
|
|
119
|
|
|
|
|
|
|
sub _verify_client { |
120
|
32
|
|
|
32
|
|
143
|
my ( $self, %args ) = @_; |
121
|
|
|
|
|
|
|
|
122
|
|
|
|
|
|
|
my ( $client_id, $scopes_ref, $redirect_uri ) |
123
|
32
|
|
|
|
|
83
|
= @args{ qw/ client_id scopes redirect_uri / }; |
124
|
|
|
|
|
|
|
|
125
|
32
|
100
|
|
|
|
120
|
if ( my $client = $self->clients->{ $client_id } ) { |
126
|
28
|
|
|
|
|
57
|
my $client_scopes = []; |
127
|
|
|
|
|
|
|
|
128
|
28
|
|
50
|
|
|
52
|
foreach my $scope ( @{ $scopes_ref // [] } ) { |
|
28
|
|
|
|
|
85
|
|
129
|
64
|
100
|
|
|
|
254
|
if ( ! exists($self->clients->{ $client_id }{ scopes }{ $scope }) ) { |
|
|
100
|
|
|
|
|
|
130
|
4
|
|
|
|
|
26
|
return ( 0, 'invalid_scope' ); |
131
|
|
|
|
|
|
|
} |
132
|
|
|
|
|
|
|
elsif ( $self->clients->{ $client_id }{ scopes }{ $scope } ) { |
133
|
56
|
|
|
|
|
90
|
push @{$client_scopes}, $scope; |
|
56
|
|
|
|
|
135
|
|
134
|
|
|
|
|
|
|
} |
135
|
|
|
|
|
|
|
} |
136
|
|
|
|
|
|
|
|
137
|
24
|
100
|
100
|
|
|
134
|
if ( |
|
|
|
100
|
|
|
|
|
138
|
|
|
|
|
|
|
# redirect_uri is optional |
139
|
|
|
|
|
|
|
$self->clients->{ $client_id }{ redirect_uri } |
140
|
|
|
|
|
|
|
&& ( |
141
|
|
|
|
|
|
|
! $redirect_uri |
142
|
|
|
|
|
|
|
|| $redirect_uri ne $self->clients->{ $client_id }{ redirect_uri } |
143
|
|
|
|
|
|
|
) |
144
|
|
|
|
|
|
|
) { |
145
|
8
|
|
|
|
|
108
|
return ( 0, 'invalid_request' ); |
146
|
|
|
|
|
|
|
} |
147
|
|
|
|
|
|
|
|
148
|
16
|
100
|
|
|
|
56
|
if ( |
149
|
|
|
|
|
|
|
# implies Authorization Code Grant, not Implicit Grant |
150
|
|
|
|
|
|
|
$self->clients->{ $client_id }{ client_secret } |
151
|
|
|
|
|
|
|
) { |
152
|
4
|
|
|
|
|
28
|
return ( 0, 'unauthorized_client' ); |
153
|
|
|
|
|
|
|
} |
154
|
|
|
|
|
|
|
|
155
|
12
|
|
|
|
|
78
|
return ( 1, undef, $client_scopes ); |
156
|
|
|
|
|
|
|
} |
157
|
|
|
|
|
|
|
|
158
|
4
|
|
|
|
|
25
|
return ( 0, 'unauthorized_client' ); |
159
|
|
|
|
|
|
|
} |
160
|
|
|
|
|
|
|
|
161
|
|
|
|
|
|
|
sub _verify_access_token { |
162
|
40
|
|
|
40
|
|
142
|
my ( $self, %args ) = @_; |
163
|
|
|
|
|
|
|
|
164
|
40
|
|
|
|
|
89
|
delete( $args{is_refresh_token} ); # not supported by implicit grant |
165
|
|
|
|
|
|
|
|
166
|
40
|
100
|
|
|
|
192
|
return $self->_verify_access_token_jwt( %args ) if $self->jwt_secret; |
167
|
|
|
|
|
|
|
|
168
|
|
|
|
|
|
|
my ( $a_token, $scopes_ref ) = |
169
|
20
|
|
|
|
|
54
|
@args{ qw/ access_token scopes / }; |
170
|
|
|
|
|
|
|
|
171
|
20
|
100
|
|
|
|
69
|
if ( exists( $self->access_tokens->{ $a_token } ) ) { |
172
|
|
|
|
|
|
|
|
173
|
12
|
50
|
|
|
|
62
|
if ( $self->access_tokens->{ $a_token }{ expires } <= time ) { |
|
|
50
|
|
|
|
|
|
174
|
0
|
|
|
|
|
0
|
$self->_revoke_access_token( $a_token ); |
175
|
0
|
|
|
|
|
0
|
return ( 0, 'invalid_grant' ); |
176
|
|
|
|
|
|
|
} |
177
|
|
|
|
|
|
|
elsif ( $scopes_ref ) { |
178
|
|
|
|
|
|
|
|
179
|
12
|
|
50
|
|
|
23
|
foreach my $scope ( @{ $scopes_ref // [] } ) { |
|
12
|
|
|
|
|
38
|
|
180
|
|
|
|
|
|
|
return ( 0, 'invalid_grant' ) |
181
|
20
|
100
|
|
|
|
77
|
if !$self->_has_scope( $scope, $self->access_tokens->{ $a_token }{ scope } ); |
182
|
|
|
|
|
|
|
} |
183
|
|
|
|
|
|
|
|
184
|
|
|
|
|
|
|
} |
185
|
|
|
|
|
|
|
|
186
|
8
|
|
|
|
|
65
|
return ( $self->access_tokens->{ $a_token }{ client_id }, undef ); |
187
|
|
|
|
|
|
|
} |
188
|
|
|
|
|
|
|
|
189
|
8
|
|
|
|
|
50
|
return ( 0, 'invalid_grant' ); |
190
|
|
|
|
|
|
|
} |
191
|
|
|
|
|
|
|
|
192
|
|
|
|
|
|
|
=head1 AUTHOR |
193
|
|
|
|
|
|
|
|
194
|
|
|
|
|
|
|
Lee Johnson - C |
195
|
|
|
|
|
|
|
|
196
|
|
|
|
|
|
|
=head1 LICENSE |
197
|
|
|
|
|
|
|
|
198
|
|
|
|
|
|
|
This library is free software; you can redistribute it and/or modify it under |
199
|
|
|
|
|
|
|
the same terms as Perl itself. If you would like to contribute documentation |
200
|
|
|
|
|
|
|
or file a bug report then please raise an issue / pull request: |
201
|
|
|
|
|
|
|
|
202
|
|
|
|
|
|
|
https://github.com/Humanstate/net-oauth2-authorizationserver |
203
|
|
|
|
|
|
|
|
204
|
|
|
|
|
|
|
=cut |
205
|
|
|
|
|
|
|
|
206
|
|
|
|
|
|
|
__PACKAGE__->meta->make_immutable; |