ProductOpener::Auth - Perl module for OpenID Connect (OIDC) authentication
This Perl module provides functions for user authentication, token verification, and access to protected resources using OpenID Connect (OIDC).
This module is not tied to a specific OIDC service. All Keycloak-specific functionality is handled in the Keycloak module.
Initiates the authorization process by redirecting the user to the authorization page.
None
Handles the callback after successful authentication, verifies the ID token, and creates or retrieves the user's information.
The return URL after successful authentication.
Signs in the user with a username and password, and returns the user's ID, refresh token, refresh token expiration time, access token, and access token expiration time.
We support this to enable passing the user name and password in the request JSON. This is a legacy way of signing in.
A list containing the user's ID, refresh token, refresh token expiration time, access token, access token expiration time, and the ID token
Extracts the user id from the OIDC identification token (which contains an email).
It verifies that the email is a verified email before proceeding.
If the user properties file does not yet exist, it creates it.
The OIDC identification token information
If true, the email must be verified before proceeding.
The userid as a string
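The following is an added example (not the ProductOpener code) of the check described above: a decoded ID token is only turned into a user id when its email is verified (if that is required), and the user's properties file is created the first time the id is seen. The local-part-of-the-email mapping, the JSON file layout and the temporary users directory are assumptions made for this demo.

```perl
#!/usr/bin/perl
# Added example, not the ProductOpener code: derive a user id from a decoded
# OIDC ID token, insisting on a verified e-mail when required, and create the
# user's properties file on first sight. The claim-to-userid mapping and the
# JSON file layout are assumptions made for this demo.
use strict;
use warnings;
use JSON::PP;
use File::Spec;
use File::Temp qw(tempdir);

my $users_dir = tempdir(CLEANUP => 1);   # stands in for the real users directory

# Returns the userid as a string, or undef if the token is not acceptable.
sub get_user_id_using_token {
    my ($id_token, $require_verified_email) = @_;

    my $email = $id_token->{email};
    return unless defined $email and length $email;

    # JSON booleans arrive as JSON::PP::Boolean objects; only a true value
    # is acceptable when a verified address is required.
    if ($require_verified_email) {
        my $verified = $id_token->{email_verified};
        return unless defined $verified and $verified;
    }

    # Assumed mapping: the local part of the e-mail, lower-cased, restricted
    # to a safe character set so it can never escape the users directory.
    my ($local) = split /@/, lc $email, 2;
    (my $userid = $local) =~ s/[^a-z0-9_.-]/-/g;
    $userid =~ s/^\.+//;                   # no leading dots
    return unless length $userid;

    my $path = File::Spec->catfile($users_dir, "$userid.json");
    unless (-e $path) {
        open my $fh, '>', $path or die "cannot create $path: $!";
        print {$fh} JSON::PP->new->canonical->encode({
            userid => $userid,
            email  => $email,
            sub    => $id_token->{sub},    # stable subject id from the provider
        });
        close $fh;
    }
    return $userid;
}

# Constructed ID-token payloads, as a JWT decoder would return them.
my $verified   = {sub => 'a1b2', email => 'Alice@example.org', email_verified => JSON::PP::true};
my $unverified = {sub => 'c3d4', email => 'bob@example.org',   email_verified => JSON::PP::false};

printf "verified:                 %s\n", get_user_id_using_token($verified, 1)   // 'rejected';
printf "unverified:               %s\n", get_user_id_using_token($unverified, 1) // 'rejected';
printf "unverified, not required: %s\n", get_user_id_using_token($unverified, 0) // 'rejected';
```

The userid is derived only from characters that are safe in a file name, so a crafted email claim cannot steer the properties file outside the users directory; the provider's `sub` claim is stored alongside it because it is the stable identifier even if the user later changes their email.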
Refreshes the access token using the OIDC client.
Access tokens have a limited lifespan but can be refreshed.
OIDC refresh token
A list containing the user's ID, new refresh token, refresh token expiration time, new access token, and access token expiration time.
This method ensures a user is authenticated before proceeding to a specific page.
If the user is not authenticated, or their access token can't be refreshed, they are redirected to the sign-in process.
None
Initiates the sign-out process by redirecting the user to the authorization page.
None
Handles the callback after successful sign-out, clears session cookie.
The return URL after successful sign-out.
Gets a token for the user.
The method uses the Resource Owner Password Credentials Grant with the given credentials and the pre-configured client ID and client secret.
Open ID Access token, or undefined if sign-in wasn't successful.
Gets a token for the user.
The method uses the Client Credentials Grant with the pre-configured client ID and client secret.
None
Open ID Access token, or undefined if sign-in wasn't successful.
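As an added example (not the ProductOpener code), the two token-endpoint requests just described, the Resource Owner Password Credentials grant and the Client Credentials grant, built the way a client library would send them, together with a response parser that returns undef on failure. The token endpoint, client ID, client secret and both server responses are constructed for this demo.

```perl
#!/usr/bin/perl
# Added example, not the ProductOpener code: build the token-endpoint requests
# for the Resource Owner Password Credentials grant and the Client Credentials
# grant, and parse the response without leaking tokens into logs. The endpoint,
# client id/secret and the constructed responses are assumptions for this demo.
use strict;
use warnings;
use HTTP::Tiny;
use JSON::PP;
use MIME::Base64 qw(encode_base64);

my $token_uri     = 'https://auth.example.org/realms/demo/protocol/openid-connect/token';
my $client_id     = 'example-web-client';
my $client_secret = 'replace-with-configured-secret';

# Returns (url, form, options) ready for HTTP::Tiny->post_form.
# The client authenticates with HTTP Basic (RFC 6749 section 2.3.1), keeping
# the secret out of the URL and the form body.
sub build_token_request {
    my ($grant, %args) = @_;
    my %form = (grant_type => $grant, scope => 'openid');
    if ($grant eq 'password') {
        @form{qw(username password)} = @args{qw(username password)};
    } elsif ($grant ne 'client_credentials') {
        die "unsupported grant: $grant";
    }
    my $basic = encode_base64("$client_id:$client_secret", '');
    return ($token_uri, \%form, {headers => {Authorization => "Basic $basic"}});
}

# Returns the access token string, or undef when sign-in was not successful.
sub parse_token_response {
    my ($response) = @_;
    my $body = eval { JSON::PP->new->decode($response->{content}) } // {};
    unless ($response->{success} and defined $body->{access_token}) {
        # Log the error code only: never the credentials or a partial token.
        warn sprintf("token request failed: HTTP %s %s\n",
            $response->{status}, $body->{error} // 'unknown_error');
        return;
    }
    return $body->{access_token};
}

# Live use would be:  my $resp = HTTP::Tiny->new->post_form($url, $form, $opts);
my ($url, $form, $opts) = build_token_request('password', username => 'alice', password => 'pw');
my ($svc_url, $svc_form, $svc_opts) = build_token_request('client_credentials');

# Two constructed responses stand in for the server here.
my $ok   = {success => 1,  status => 200,
            content => '{"access_token":"demo.access.token","expires_in":300,"token_type":"Bearer"}'};
my $fail = {success => '', status => 401,
            content => '{"error":"invalid_grant","error_description":"Invalid user credentials"}'};

print defined parse_token_response($ok)   ? "signed in\n" : "not signed in\n";
print defined parse_token_response($fail) ? "signed in\n" : "not signed in\n";
```

Both grants hit the same endpoint and differ only in `grant_type` and the extra form fields, which is why one builder serves both; the `expires_in` value in a successful response is what the caller uses to schedule a refresh before the access token lapses.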
Generate a sign-in/sign-out cookie.
The cookie is used to store information related to the current sign-in/sign-out for validation, and to redirect the user to the correct URL.
Sign-in/sign-out cookie.
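An added example (not the ProductOpener code) of such a sign-in/sign-out cookie: it carries a random `state`, an OIDC `nonce` and the return URL, is integrity-protected with an HMAC, and is validated on the callback by comparing the state the provider echoes back. The cookie name, the HMAC secret, the site origin and the ten-minute lifetime are assumptions for this demo.

```perl
#!/usr/bin/perl
# Added example, not the ProductOpener code: a sign-in/sign-out cookie that
# carries a random state, the OIDC nonce and the return URL, integrity-protected
# with an HMAC so the callback can be validated. The cookie name, the secret,
# the origin and the lifetime are assumptions for this demo.
use strict;
use warnings;
use Crypt::PRNG qw(random_bytes);            # from CryptX
use Digest::SHA qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64url decode_base64url);
use JSON::PP;

my $cookie_secret = random_bytes(32);        # in practice: a configured, persistent secret
my $site_origin   = 'https://world.example.org';   # assumed; return URLs must stay on-site
my $max_age       = 600;

# Constant-time string comparison so MAC checks do not leak timing.
sub consteq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Builds the cookie value and returns (cookie_value, state, nonce).
sub generate_oidc_cookie {
    my ($action, $return_url) = @_;          # $action: 'signin' or 'signout'
    # Only same-origin return URLs are accepted, to avoid an open redirect.
    $return_url = '/' unless defined $return_url and index($return_url, "$site_origin/") == 0;

    my $state = encode_base64url(random_bytes(16));
    my $nonce = encode_base64url(random_bytes(16));
    my $payload = encode_base64url(JSON::PP->new->canonical->encode({
        action => $action, state => $state, nonce => $nonce,
        return_url => $return_url, iat => time,
    }));
    my $mac = hmac_sha256_hex($payload, $cookie_secret);
    return ("$payload.$mac", $state, $nonce);
}

sub set_cookie_header {
    my ($value) = @_;
    return "Set-Cookie: oidc=$value; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=$max_age";
}

# Verifies the cookie and that the state echoed by the provider matches it.
# Returns the decoded payload, or undef.
sub validate_oidc_cookie {
    my ($cookie_value, $callback_state) = @_;
    my ($payload, $mac) = split /\./, $cookie_value, 2;
    return unless defined $mac;
    return unless consteq($mac, hmac_sha256_hex($payload, $cookie_secret));   # forged or altered
    my $data = eval { JSON::PP->new->decode(decode_base64url($payload)) } or return;
    return if time - $data->{iat} > $max_age;             # stale sign-in attempt
    return unless defined $callback_state and consteq($callback_state, $data->{state});
    return $data;
}

my ($cookie, $state, $nonce) = generate_oidc_cookie('signin', "$site_origin/product/123");
print set_cookie_header($cookie), "\n";
# The callback must present the same state; anything else is rejected.
print validate_oidc_cookie($cookie, $state)    ? "state ok\n" : "rejected\n";
print validate_oidc_cookie($cookie, 'another') ? "state ok\n" : "rejected\n";
```

`SameSite=Lax` is deliberate: the provider's redirect back to the callback is a top-level navigation, which Lax still sends the cookie with, while `Strict` would drop it and break the sign-in. The `nonce` is the value to place in the authorization request and later compare against the `nonce` claim of the ID token.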
Verifies the access token by decoding and validating it using the JSON Web Key Set (JWKS). (see https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets)
Parameters: - $access_token_string: The access token to be verified.
Returns: The verified access token or undefined if verification fails.
Verifies the ID token by decoding and validating it using the JWKS.
Parameters: - $id_token_string: The ID token to be verified.
Returns: The verified ID token or undefined if verification fails.
Retrieves the authorized party (client ID) from the access token.
For example, it differs between the website and the mobile app, which is useful for the product change log.
The authorized party (client ID) or undefined if the token is not issued by the correct issuer.
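The following added example (not the ProductOpener code) shows the verification steps described for the access token, the ID token and the authorized party with Crypt::JWT: the signature is checked against a JWKS by `kid`, the algorithm is pinned, and issuer, audience and expiry are all validated before any claim such as `azp` is trusted. The issuer, client ID, audiences and the locally generated signing key are assumptions for this demo; a real JWKS would come from the provider's `jwks_uri`.

```perl
#!/usr/bin/perl
# Added example, not the ProductOpener code: verify access and ID tokens
# against a JWKS with Crypt::JWT, then read the authorized party (azp).
# The issuer, client id, audiences and the generated key are assumptions.
use strict;
use warnings;
use Crypt::PK::RSA;
use Crypt::JWT qw(encode_jwt decode_jwt);

my $issuer    = 'https://auth.example.org/realms/demo';   # assumed issuer
my $client_id = 'example-web-client';                      # assumed client id
my $kid       = 'demo-key-1';

# Constructed key pair standing in for the provider's signing key; only the
# public half goes into the JWKS, exactly as a jwks_uri would publish it.
my $pk = Crypt::PK::RSA->new;
$pk->generate_key(256, 65537);            # 2048-bit key
my $jwk = $pk->export_key_jwk('public', 1);
@{$jwk}{qw(kid use alg)} = ($kid, 'sig', 'RS256');
my $jwks = {keys => [$jwk]};

# Common verification: signature via the JWKS (kid lookup), pinned algorithm,
# issuer, audience and expiry. Returns the claims hashref, or undef.
sub verify_token {
    my ($token_string, $audience) = @_;
    my $claims = eval {
        decode_jwt(
            token        => $token_string,
            kid_keys     => $jwks,
            accepted_alg => ['RS256'],    # never let the token choose "none" or an HMAC alg
            verify_iss   => $issuer,
            verify_aud   => $audience,
            verify_exp   => 1,
            leeway       => 30,           # tolerate small clock skew
        );
    };
    if ($@) {
        (my $reason = $@) =~ s/\n.*//s;
        warn "token rejected: $reason\n";   # the token itself is never logged
        return;
    }
    return $claims;
}

sub verify_access_token { return verify_token($_[0], 'account') }     # assumed API audience
sub verify_id_token     { return verify_token($_[0], $client_id) }    # ID tokens are for the client

# The authorized party: which client (web site, mobile app, ...) obtained the token.
sub get_azp {
    my ($access_token_string) = @_;
    my $claims = verify_access_token($access_token_string) or return;
    return $claims->{azp};
}

# Provider side, simulated: mint tokens with the private key.
sub issue_token {
    my (%claims) = @_;
    return encode_jwt(payload => \%claims, alg => 'RS256', key => $pk,
                      extra_headers => {kid => $kid});
}
my $now = time;
my $access_token = issue_token(iss => $issuer, aud => 'account', azp => $client_id,
                               sub => 'a1b2', exp => $now + 300, iat => $now);
my $expired      = issue_token(iss => $issuer, aud => 'account', azp => $client_id,
                               sub => 'a1b2', exp => $now - 3600, iat => $now - 3900);

print "azp:               ", get_azp($access_token) // 'undef', "\n";
print "expired token azp: ", get_azp($expired) // 'undef', "\n";
# A token whose signature was altered also yields undef.
my $tampered = $access_token;
substr($tampered, -1) = substr($tampered, -1) eq 'A' ? 'B' : 'A';
print "tampered token azp: ", get_azp($tampered) // 'undef', "\n";
```

The audience differs on purpose: an ID token is addressed to the client that requested it, while an access token is addressed to the API it grants access to, so the two verifiers must not be interchanged. Pinning `accepted_alg` is what stops a token from declaring `alg: none` or a symmetric algorithm keyed with the public key.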
Get the OIDC client that is used to interact with the OIDC server.
This subroutine creates and returns an instance of the OIDC::Lite::Client::WebServer class, which represents the client profile for OpenID Connect (OIDC) authentication. The client profile is used to interact with the OIDC server for authentication and authorization purposes.
The client profile is created with the following parameters:
- id: The client ID provided by the OIDC server.
- secret: The client secret provided by the OIDC server.
- authorize_uri: The authorization endpoint URL provided by the OIDC server.
- access_token_uri: The token endpoint URL provided by the OIDC server.
If the client profile has already been created, it is returned directly without re-creating it.
See https://metacpan.org/pod/OIDC::Lite::Client::WebServer for more information on the OIDC::Lite::Client::WebServer module.
None.
A workable instance of OIDC::Lite::Client::WebServer.
Ensures that OIDC (OpenID Connect) is discovered and configured.
If OIDC is already discovered, the function returns without doing anything.
Otherwise, it sends a discovery request to the OIDC endpoint and loads the discovery document. If successful, it updates the OIDC options with the JWKS (JSON Web Key Set) configuration.
None.
None.
Loads the JWKS from $jwks_uri, and stores it in the $jwks variable.
JWKS (JSON Web Key Sets) are essential to validate access tokens (see https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets).
None.
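As an added example (not the ProductOpener code) for the discovery and JWKS-loading steps above, and for the client profile described earlier: the discovery document is accepted only when its `issuer` matches the configured one and its endpoints are HTTPS, and the key set is indexed by `kid`, keeping only signature keys. The issuer and both JSON documents are constructed for this demo; in production they come from the discovery URL and from `jwks_uri`.

```perl
#!/usr/bin/perl
# Added example, not the ProductOpener code: process an OIDC discovery
# document and a JWKS, checking that the document's issuer matches the
# configured one (OpenID Connect Discovery 1.0, section 4.3) before trusting
# its endpoints. The issuer and both JSON documents are constructed.
use strict;
use warnings;
use JSON::PP;

my $configured_issuer = 'https://auth.example.org/realms/demo';

my %oidc_options;      # endpoints taken from the discovery document
my %jwks_by_kid;       # signature keys, keyed by kid for fast lookup

sub discover_oidc {
    my ($discovery_json) = @_;
    return \%oidc_options if $oidc_options{discovered};   # already discovered: nothing to do

    my $doc = JSON::PP->new->decode($discovery_json);
    # An issuer that does not match exactly means the document is not ours.
    die "issuer mismatch: " . ($doc->{issuer} // '(none)')
        unless ($doc->{issuer} // '') eq $configured_issuer;
    for my $required (qw(authorization_endpoint token_endpoint jwks_uri)) {
        die "discovery document lacks $required" unless $doc->{$required};
    }
    # Only https endpoints are acceptable: credentials and tokens travel over them.
    for my $key (qw(authorization_endpoint token_endpoint jwks_uri end_session_endpoint)) {
        next unless defined $doc->{$key};
        die "$key is not https" unless $doc->{$key} =~ m{^https://};
        $oidc_options{$key} = $doc->{$key};
    }
    $oidc_options{discovered} = 1;
    return \%oidc_options;
}

# Returns the number of signature keys loaded.
sub load_jwks {
    my ($jwks_json) = @_;
    my $set = JSON::PP->new->decode($jwks_json);
    %jwks_by_kid = ();
    for my $key (@{$set->{keys} // []}) {
        next if defined $key->{use} and $key->{use} ne 'sig';   # skip encryption keys
        next unless defined $key->{kid};
        $jwks_by_kid{$key->{kid}} = $key;
    }
    return scalar keys %jwks_by_kid;
}

# Constructed discovery document (trimmed to the fields used here).
my $discovery = <<"JSON";
{
  "issuer": "$configured_issuer",
  "authorization_endpoint": "$configured_issuer/protocol/openid-connect/auth",
  "token_endpoint": "$configured_issuer/protocol/openid-connect/token",
  "end_session_endpoint": "$configured_issuer/protocol/openid-connect/logout",
  "jwks_uri": "$configured_issuer/protocol/openid-connect/certs"
}
JSON

# Constructed JWKS with one signing key and one encryption key.
my $jwks = <<'JSON';
{"keys":[
 {"kid":"sig-1","kty":"RSA","use":"sig","alg":"RS256","n":"demo-modulus","e":"AQAB"},
 {"kid":"enc-1","kty":"RSA","use":"enc","alg":"RSA-OAEP","n":"demo-modulus","e":"AQAB"}
]}
JSON

my $opts = discover_oidc($discovery);
printf "token endpoint: %s\n", $opts->{token_endpoint};
printf "signing keys loaded: %d\n", load_jwks($jwks);

# With the endpoints known, the client profile from the page is built as
#   OIDC::Lite::Client::WebServer->new(
#       id => $client_id, secret => $client_secret,
#       authorize_uri => $opts->{authorization_endpoint},
#       access_token_uri => $opts->{token_endpoint});
# In production the JSON comes from HTTP::Tiny->new->get($uri)->{content},
# and load_jwks is re-run when a token names a kid that is not yet cached.
```

Re-fetching the key set when an unknown `kid` appears is what lets the provider rotate signing keys without an outage; the issuer check prevents a misconfigured or spoofed discovery URL from pointing the client at someone else's endpoints.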
Writes the deprecation notice for old authentication sites as HTTP headers.
None.
None.
Returns the current Keycloak implementation level:
0 = Not available
1 = Use legacy Authentication and Registration but keep users in sync
2 = Users are fully synced. Use Keycloak for back-channel authentication but use legacy login and Registration forms
3 = [DELETED. This won't work as the Keycloak login forms will direct to the Keycloak registration forms] Use Keycloak backend and front end for all authentication. Legacy Registration forms
4 = Respond to Keycloak events for user registration / deletion tasks (welcome email, etc.)
5 = Fully implemented, including Keycloak registration forms