1 package stemmaweb::Authentication::Credential::Google;
3 use Crypt::OpenSSL::X509;
8 use LWP::Simple qw(get);
9 use Date::Parse qw(str2time);
17 stemmaweb::Authentication::Google - JSON Web Token handler for Google tokens.
21 Retrieves Google's public certificates, and then retrieves the key from the
22 cert using L<Crypt::OpenSSL::X509>. Finally, uses the pubkey to decrypt a
23 Google token using L<JSON::WebToken>.
28 my ($class, $config, $app, $realm) = @_;
29 $class = ref $class || $class;
41 my ($self, $c, $realm, $authinfo) =@_;
43 my $id_token = $authinfo->{id_token};
44 $id_token ||= $c->req->method eq 'GET' ?
45 $c->req->query_params->{id_token} : $c->req->body_params->{id_token};
48 Catalyst::Exception->throw("id_token not specified.");
51 my $email = $authinfo->{email};
52 $email ||= $c->req->method eq 'GET' ? $c->req->query_params->{email} :
53 $c->req->body_params->{email};
55 my $userinfo = $self->decode($id_token);
56 $userinfo->{email} = $authinfo->{email};
58 my $sub = $userinfo->{sub};
59 my $openid = $userinfo->{openid_id};
61 $userinfo->{email} = $email if $email;
63 if (!$sub || !$openid) {
64 Catalyst::Exception->throw(
65 'Could not retrieve sub and openid from token! Is the token
70 return $realm->find_user($userinfo, $c);
77 Retrieves a pair of JSON-encoded certificates from the given URL (defaults to
78 Google's public cert url), and returns the decoded JSON object.
86 Optional. Location where certificates are located.
87 Defaults to https://www.googleapis.com/oauth2/v1/certs.
93 Decoded JSON object containing certificates.
98 my ($self, $url) = @_;
100 my $c = $self->{_app};
105 $url ||= ( $c->config->{'Authentication::Credential::Google'}->{public_cert_url} || 'https://www.googleapis.com/oauth2/v1/certs' );
107 if ( ($c->registered_plugins('Catalyst::Plugin::Cache')) && ($cache = $c->cache) ) {
108 if ($certs = $cache->get('certs')) {
109 $certs = decode_json($certs);
111 foreach my $key (keys %$certs) {
112 my $cert = $certs->{$key};
113 my $x509 = Crypt::OpenSSL::X509->new_from_string($cert);
115 if ($self->is_cert_expired($x509)) {
126 my $certs_encoded = get($url);
129 $cache->set('certs', $certs_encoded);
132 $certs = decode_json($certs_encoded);
138 =head2 get_key_from_cert
140 Given a pair of certificates $certs (defaults to L</retrieve_certs>),
141 this function returns the public key of the cert identified by $kid.
149 Required. Index of the certificate hash $hash where the cert we want is
154 Optional. A (hashref) pair of certificates.
155 It's retrieved using L</retrieve_certs> if not given,
156 or if the pair is expired.
162 Public key of certificate.
166 sub get_key_from_cert {
167 my ($self, $kid, $certs) = @_;
169 $certs ||= $self->retrieve_certs;
170 my $cert = $certs->{$kid};
171 my $x509 = Crypt::OpenSSL::X509->new_from_string($cert);
173 if ($self->is_cert_expired($x509)) {
174 # If we ended up here, we were given
175 # an old $certs string from the user.
176 # Let's force getting another.
177 return $self->get_key_from_cert($kid);
180 return $x509->pubkey;
183 =head2 is_cert_expired
185 Returns if a given L<Crypt::OpenSSL::X509> certificate is expired.
189 sub is_cert_expired {
190 my ($self, $x509) = @_;
192 my $expiry = str2time($x509->notAfter);
194 return time > $expiry;
199 Returns the decoded information contained in a user's token.
207 Required. The user's token from Google+.
211 Optional. A public key string with which to decode the token.
212 If not given, the public key will be retrieved from $certs.
216 Optional. A pair of public key certs retrieved from Google.
217 If not given, or if the certificates have expired, a new
218 pair of certificates is retrieved.
224 Decoded JSON object from the decrypted token.
229 my ($self, $token, $certs, $pubkey) = @_;
232 my $details = decode_json(
233 MIME::Base64::decode_base64(
234 substr( $token, 0, CORE::index($token, '.') )
238 my $kid = $details->{kid};
239 $pubkey = $self->get_key_from_cert($kid, $certs);
242 return JSON::WebToken->decode($token, $pubkey);
247 Errietta Kostala <e.kostala@shadowcat.co.uk>
251 This library is free software. You can redistribute it and/or modify
252 it under the same terms as Perl itself.