Authenticator::OAuthAccessToken
- Class to handle authentication for the AURORA REST-server by trusting an OAuth server's access token.
It follows the same usage as the Authenticator-class. See the Authenticator placeholder class for more information.
A class that inherits from the Authenticator placeholder class. Please see there for more information.
See the Authenticator placeholder class for more information.
See description in the placeholder Authenticator-class.
Validates the user to the AURORA REST-server by using an OAuth access token. The access token is first passed to the generate()-method to check and clean its formatting.
The method reads the following options from the settings-file, as delivered by the Settings-instance:
system.auth.oauthaccesstoken.audience OAuth audience ID that is defined by the resource server. See RFC6749 for details on the OAuth flow. Required.
system.auth.oauthaccesstoken.host Host name of the OAuth resource server (see RFC6749). Required.
system.auth.oauthaccesstoken.endpoint Endpoint URL on the resource server where the user information can be fetched by using the access token. Required.
system.auth.oauthaccesstoken.emailfield Name of the key in the returned endpoint HASH that identifies the user's email address. It is of type LIST and can therefore address sub-keys of a HASH. Required, but will default to ["email"].
system.auth.oauthaccesstoken.namefield Name of the key in the returned endpoint HASH that identifies the user's full name. It is of type LIST and can therefore address sub-keys of a HASH. Required.
system.auth.oauthaccesstoken.userfield Name of the key in the returned endpoint HASH that identifies the user's username. It is of type LIST and can therefore address sub-keys of a HASH. Required.
system.auth.oauthaccesstoken.createuser If the user is not found in the AURORA database the module can create the account. This setting tells the module if it is ok to create the account in such an instance. Optional, will default to 0. Set to 1 to create the account.
system.auth.oauthaccesstoken.createsorted Sets if the possible creation of a user account sorts the results in sub-keys based on the first letter in the account's name. Optional. Valid values are 0 (disabled), 1 (enabled). When not set it defaults to 0.
system.auth.oauthaccesstoken.userparent If the user is to be created because it does not exist in the AURORA database, this setting tells the module which entity id in the AURORA database is the parent of such a user account. It is optional and will default to 1 (the root entity).
system.auth.oauthaccesstoken.usergroup If the user is to be created because it does not exist in the AURORA database, this setting tells the module which group id the user should be added as a member of. It is optional and will default to not adding the user to any group if it is undefined, 0 or lower.
system.auth.oauthaccesstoken.domains Sets the domains that are allowed to authenticate through this module.
This setting is an array. If no entries are specified in the array, it is ignored and all domains are allowed to authenticate. The array contains domain names that are either allowed or not allowed to authenticate. Non-allowed domains must be prefixed with an exclamation mark (!). Wildcards (*) are also allowed anywhere in the domain name, for example:
["*.ntnu.no","!stud.ntnu.no"]
which will allow all domains ending in .ntnu.no, but not the specific domain stud.ntnu.no. All entries in this array are processed and each is evaluated to either allow (true) or not allow (false) an authentication. Only after all entries have been processed can the final result for a domain be given.
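The domain list evaluation described above, as an added example in Python (the module itself is Perl; this is not the module's own code). Two details the text leaves open are stated as assumptions here: matching is case-insensitive, and when the list is non-empty and no entry matches, or when an allow entry and a deny (!) entry both match, the domain is not allowed.

```python
import fnmatch
from typing import Iterable


def domain_allowed(domain: str, rules: Iterable[str]) -> bool:
    """Evaluate one domain against system.auth.oauthaccesstoken.domains.

    Every entry is processed; "!" prefixes a deny entry and "*" is a wildcard.
    An empty list means all domains are allowed.
    Assumptions (not stated on the page): case-insensitive matching, a matching
    deny entry overrides any matching allow entry, and a non-empty list with no
    matching entry denies the domain.
    """
    rules = [r.strip() for r in rules if r and r.strip()]
    if not rules:
        return True  # setting ignored: all domains allowed

    domain = domain.lower()
    allowed = False
    for rule in rules:
        deny = rule.startswith("!")
        pattern = rule[1:].lower() if deny else rule.lower()
        if fnmatch.fnmatchcase(domain, pattern):
            if deny:
                return False  # an explicit deny settles the result
            allowed = True
    return allowed


def email_domain_allowed(email: str, rules: Iterable[str]) -> bool:
    """Apply the domain list to the domain part of an email address."""
    if "@" not in email:
        return False  # no domain to evaluate
    return domain_allowed(email.rsplit("@", 1)[1], rules)


if __name__ == "__main__":
    # Constructed rule list, the same one the text uses as its example.
    rules = ["*.ntnu.no", "!stud.ntnu.no"]
    for d in ("idi.ntnu.no", "stud.ntnu.no", "example.com"):
        print(d, "->", domain_allowed(d, rules))
```

With the example list, idi.ntnu.no is allowed, stud.ntnu.no is refused by the deny entry even though the wildcard entry matches it, and example.com is refused because nothing matches it.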
It calls the generate()-method on the authentication string (access token) and, upon successful checking and cleaning, uses the access token to connect to the resource server to get the user's email and name details. These details are then looked up in the AURORA database to see if there is a match. Upon a successful match, the entity id of the user is returned (userid).
If the user cannot be found in the AURORA database, it checks if it is allowed to create the user (see the options above). If it is allowed to create the user, it does so in the AURORA database, sets the email and then returns the entity id of the newly created user as the userid.
It returns the AURORA database userid (entity id - int) of the user upon success, or 0 if the user was not found and could not be created.
Undef is returned upon failure. Check the error()-method for more information.
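The validate() flow described above, as an added example in Python (the module is Perl; this is not its code). The resource server and the AURORA database are replaced by constructed in-memory stand-ins, the accepted token character set in generate() is an assumption the page does not specify, and the domain-list check is left out. What it shows is the part a practitioner most needs to get right: addressing sub-keys of the returned HASH through the LIST-typed field settings, returning the existing userid on a match, and creating the user under userparent only when createuser is 1.

```python
import re
from typing import Any, Callable, Optional

TOKEN_MAX = 4096
# Assumed accepted token alphabet (the page only says the characters are checked).
TOKEN_CHARS = re.compile(r"^[A-Za-z0-9._~+/=-]+$")

# Constructed settings mirroring the system.auth.oauthaccesstoken.* keys.
SETTINGS = {
    "audience": "aurora-api",
    "host": "oauth.example.org",
    "endpoint": "https://oauth.example.org/userinfo",
    "emailfield": ["email"],
    "namefield": ["profile", "name"],      # LIST path into a nested HASH
    "userfield": ["preferred_username"],
    "createuser": 1,
    "userparent": 1,
    "usergroup": 0,
}

# Constructed stand-in for the resource server: token -> user-info HASH.
# The real module would fetch SETTINGS["endpoint"] with the token.
RESOURCE_SERVER = {
    "tok-kari": {"email": "kari@idi.ntnu.no",
                 "profile": {"name": "Kari Nordmann"},
                 "preferred_username": "kari"},
    "tok-ola": {"email": "ola@idi.ntnu.no",
                "profile": {"name": "Ola Nordmann"},
                "preferred_username": "ola"},
}


def lookup_field(data: Any, path: list) -> Optional[Any]:
    """Follow a LIST of keys through nested HASHes; None if any key is missing."""
    cur = data
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


class AuroraDB:
    """Constructed in-memory stand-in for the AURORA entity database."""

    def __init__(self):
        self.users = {100: {"email": "kari@idi.ntnu.no", "name": "Kari Nordmann", "parent": 1}}
        self.groups = {}
        self._next_id = 101

    def find_by_email(self, email: str) -> int:
        for eid, u in self.users.items():
            if u["email"].lower() == email.lower():
                return eid
        return 0

    def create_user(self, email: str, name: str, parent: int) -> int:
        eid, self._next_id = self._next_id, self._next_id + 1
        self.users[eid] = {"email": email, "name": name, "parent": parent}
        return eid

    def add_to_group(self, gid: int, eid: int) -> None:
        self.groups.setdefault(gid, set()).add(eid)


class OAuthAccessToken:
    def __init__(self, settings: dict, db: AuroraDB, fetch: Callable[[str], Optional[dict]]):
        self.settings, self.db, self.fetch = settings, db, fetch
        self._error = ""

    def error(self) -> str:
        return self._error

    def generate(self, token: Any) -> Optional[str]:
        """Cut the token at 4096 characters and reject disallowed characters."""
        if not isinstance(token, str) or not token:
            self._error = "access token missing"
            return None
        token = token[:TOKEN_MAX]
        if not TOKEN_CHARS.match(token):
            self._error = "access token contains invalid characters"
            return None
        return token

    def validate(self, token: Any) -> Optional[int]:
        """Return the userid (entity id), 0 if not found and not created, None on failure."""
        clean = self.generate(token)
        if clean is None:
            return None
        info = self.fetch(clean)           # the resource server decides if the token is valid
        if info is None:
            self._error = "resource server rejected the access token"
            return None
        email = lookup_field(info, self.settings.get("emailfield", ["email"]))
        name = lookup_field(info, self.settings["namefield"])
        if not email or not name:
            self._error = "email or name missing from resource server response"
            return None
        uid = self.db.find_by_email(email)
        if uid:
            return uid
        if int(self.settings.get("createuser", 0)) != 1:
            return 0                       # user not found, creation not allowed
        uid = self.db.create_user(email, name, int(self.settings.get("userparent", 1)))
        gid = int(self.settings.get("usergroup", 0) or 0)
        if gid > 0:
            self.db.add_to_group(gid, uid)
        return uid


if __name__ == "__main__":
    auth = OAuthAccessToken(SETTINGS, AuroraDB(), RESOURCE_SERVER.get)
    for t in ("tok-kari", "tok-ola", "tok-ola", "tok-unknown", "bad token"):
        print(t, "->", auth.validate(t), auth.error())
```

Note the split of responsibilities: generate() only sanitises the string, the resource server is what actually decides whether the token is live, and the module trusts whatever email it gets back, which is why the domain list setting exists.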
See description in the placeholder Authenticator-class for more information on the framework itself.
Takes the authentication string (in this case the OAuth access token), checks that its characters are valid and cuts its length to a maximum of 4096 characters.
Returns the cleaned and accepted access token upon success.
Undef is returned upon failure. In that case, check the error()-method for more information.
See description in the placeholder Authenticator-class for more information on the framework itself.