WebAuth::Token::Request

(WebAuth request tokens)

SYNOPSIS

    my $token = WebAuth::Token::Request->new;
    $token->type ('id');
    $token->auth ('webkdc');
    $token->return_url ($url);
    $token->creation (time);
    print $token->encode ($keyring), "\n";

DESCRIPTION

A WebAuth request token, sent by the WebAuth Application Server to the WebKDC to initiate a request.

This token has two forms. The first is sent by the WAS to the WebKDC via a redirect to request either an id or a proxy token for the user, depending on whether the WAS will need credentials. The second is sent to the WebKDC as part of a request for a service token and contains only the command and creation time. If the command() attribute is set, most other attributes must not be set.

CLASS METHODS

new ()

Create a new, empty WebAuth::Token::Request. At least some attributes will have to be set using the accessor methods described below before the token can be used.

INSTANCE METHODS

As with WebAuth module functions, failures are signaled by throwing WebAuth::Exception rather than by return status.

General Methods

encode (KEYRING)

Generate the encoded and encrypted form of this token using the provided KEYRING. The encryption key used will be the one returned by the best_key() method of WebAuth::Keyring on that KEYRING.

Accessor Methods

type ([TYPE])

Get or set the type of token requested. This can be either id to request only an id token, or proxy to request a proxy token that can be used to retrieve other types of tokens later.

auth ([TYPE])

Get or set the type of id token requested. This attribute is only used if the type() attribute is id. It should be set to either webkdc to request a bearer token or krb5 to request a token with a Kerberos authenticator.

proxy_type ([TYPE])

Get or set the type of proxy token requested. This attribute is only used if the type() attribute is proxy. It currently will always be set to krb5, but must still be explicitly set when creating a new token.

state ([DATA])

Get or set the optional state data. If this data is provided, it will be returned by the WebKDC to the WebAuth Application Server as a second element in the URL. It is normally used to hold an app token that contains the session key used for WebKDC communication, encrypted in the private key of a WebAuth Application Server pool.

return_url ([URL])

Get or set the return URL, which specifies the URL to which the user should be sent after successful authentication.

options ([OPTIONS])

Get or set an optional comma-separated list of request options. For a complete list of supported options and their meanings, see the WebAuth protocol specification.

initial_factors ([FACTORS])

Get or set a comma-separated list of authentication factors that the user is required to use for initial authentication (the single sign-on transaction). For a list of possible factors and their meaning, see the WebAuth protocol specification.

session_factors ([FACTORS])

Get or set a comma-separated list of authentication factors that the user is required to use to authenticate this session (this particular visit to this WebAuth Application Server). For a list of possible factors and their meaning, see the WebAuth protocol specification.

loa ([LOA])

Get or set the level of assurance required for the user authentication. This is a number whose values are site-defined but for which increasing numbers represent increasing assurance for the authentication.

command ([ELEMENT])

Get or set the XML element for which this token provides an authenticator. If this attribute is set, no other attributes other than creation() should be set. This type of token is used inside an XML request to the WebKDC to authenticate that request via an encrypted token in the shared key established between the WebAuth Authentication Server and the WebKDC.

creation ([TIMESTAMP])

Get or set the creation timestamp for this token in seconds since epoch. If not set, the encoded token will have a creation time set to the time of encoding.

AUTHOR

Russ Allbery <eagle@eyrie.org>

SEE ALSO

WebAuth(3), WebAuth::Keyring(3), WebAuth::Token(3)

This module is part of WebAuth. The current version is available from <http://webauth.stanford.edu/>.

Last spun 2015-02-17 from POD modified 2015-02-16