WebAuth::Token::WebKDCProxy (WebAuth webkdc-proxy tokens)


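    use WebAuth::Token::WebKDCProxy;

    # $keyring is a WebAuth::Keyring object obtained elsewhere.
    my $token = WebAuth::Token::WebKDCProxy->new;
    $token->subject ('user');
    $token->proxy_type ('webkdc');
    $token->proxy_subject ('WEBKDC:remuser');
    $token->expiration (time + 3600);    # valid for one hour
    print $token->encode ($keyring), "\n";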


A WebAuth webkdc-proxy token stores user credentials or authentication information for later use by the WebKDC. This is the token that's stored as a single sign-on cookie in the user's browser, allowing the user to authenticate to subsequent web sites without reauthenticating. This token is also returned inside a proxy token to a WAS (WebAuth Application Server), which can then present it back to the WebKDC to obtain id or cred tokens.


new ()

Create a new, empty WebAuth::Token::WebKDCProxy. At least some attributes will have to be set using the accessor methods described below before the token can be used.


As with WebAuth module functions, failures are signaled by throwing WebAuth::Exception rather than by return status.

General Methods

encode (KEYRING)

Generate the encoded and encrypted form of this token using the provided KEYRING. The encryption key used will be the one returned by the best_key() method of WebAuth::Keyring on that KEYRING.

Accessor Methods

subject ([SUBJECT])

Get or set the subject, which holds the authenticated identity of the user holding this token.

proxy_type ([TYPE])

Get or set the type of webkdc-proxy token this token represents, which generally represents the authentication mechanism. The values in common use are krb5, for a webkdc-proxy token that contains a Kerberos TGT, and remuser, for a webkdc-proxy token created via an assertion from an external authentication mechanism.

proxy_subject ([SUBJECT])

Get or set the subject to which this webkdc-proxy token was granted. For tokens created internally by the WebKDC for its own use, this will start with WEBKDC: and then include an identifier for the WebKDC. For tokens provided to a WebAuth Application Server as part of a proxy token, this will contain the identity of the WebAuth Application Server. When the webkdc-proxy token is checked, this subject is verified and only the named entity is permitted to use the token.

data ([DATA])

Get or set any data associated with the webkdc-proxy token. For a token with proxy_type krb5, this will be a Kerberos TGT encoded in the format created by the export_cred() function of the WebAuth::Krb5 module.

initial_factors ([FACTORS])

Get or set a comma-separated list of authentication factors used by the user during initial authentication (the single sign-on transaction). For a list of possible factors and their meaning, see the WebAuth protocol specification.

loa ([LOA])

Get or set the level of assurance established for this user authentication. This is a number whose values are site-defined but for which increasing numbers represent increasing assurance for the authentication.

creation ([TIMESTAMP])

Get or set the creation timestamp for this token in seconds since epoch. If not set, the encoded token will have a creation time set to the time of encoding.

expiration ([TIMESTAMP])

Get or set the expiration timestamp for this token in seconds since epoch.
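
An added example, not part of the WebAuth distribution or its documentation: a site-side policy check over a webkdc-proxy token that uses only the accessors documented above. The policy values, the factor codes and the check_proxy_token helper are hypothetical, and the code assumes that unset attributes read back as undef.

```perl
use strict;
use warnings;
use WebAuth::Token::WebKDCProxy;

# Hypothetical site policy: assumed values, not WebAuth defaults.
my %POLICY = (
    proxy_subject => 'WEBKDC:remuser',     # only entity allowed to use it
    proxy_types   => [qw(krb5 remuser)],   # common types per proxy_type above
    min_loa       => 2,                    # site-defined scale
    max_lifetime  => 10 * 3600,            # seconds
    need_factors  => [qw(p o)],            # constructed sample factor codes
);

# Return the list of policy violations for TOKEN (empty list if none).
sub check_proxy_token {
    my ($token, $policy, $now) = @_;
    $now //= time;
    my @errors;

    my $psubj = $token->proxy_subject // '';
    push @errors, "proxy_subject '$psubj' is not the expected entity"
      if $psubj ne $policy->{proxy_subject};
    my $type = $token->proxy_type // '';
    push @errors, "unexpected proxy_type '$type'"
      unless grep { $_ eq $type } @{ $policy->{proxy_types} };

    my $exp = $token->expiration // 0;
    push @errors, 'token is expired or has no expiration' if $exp <= $now;
    push @errors, 'remaining lifetime exceeds policy'
      if $exp - $now > $policy->{max_lifetime};

    push @errors, 'level of assurance below minimum'
      if ($token->loa // 0) < $policy->{min_loa};

    my %have = map { $_ => 1 } split /,/, ($token->initial_factors // '');
    push @errors, "missing initial factor '$_'"
      for grep { !$have{$_} } @{ $policy->{need_factors} };
    return @errors;
}

# Constructed sample token, built with the accessors documented above.
my $token = WebAuth::Token::WebKDCProxy->new;
$token->subject ('user');
$token->proxy_type ('remuser');
$token->proxy_subject ('WEBKDC:remuser');
$token->initial_factors ('p');
$token->loa (1);
$token->expiration (time + 3600);
print "$_\n" for check_proxy_token ($token, \%POLICY);
```

The helper returns its findings as a list, so a caller can refuse to encode or accept the token whenever the list is non-empty.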


Russ Allbery <eagle@eyrie.org>


WebAuth(3), WebAuth::Keyring(3), WebAuth::Krb5(3), WebAuth::Token(3)

This module is part of WebAuth. The current version is available from <http://webauth.stanford.edu/>.

Last spun 2015-02-17 from POD modified 2015-02-16