.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "WebAuth::Token 3pm"
.TH WebAuth::Token 3pm "2020-12-21" "perl v5.32.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
WebAuth::Token \- Generic WebAuth token handling
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\&    use WebAuth;
\&
\&    my $wa = WebAuth\->new;
\&    eval {
\&        $token = WebAuth\->token_decode ($wa, $data, $keyring);
\&        print ref ($token), " received\en";
\&        print "Encoded: ", $token\->encode, "\en";
\&    };
\&    if ($@) {
\&        # handle exception
\&    }
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
WebAuth::Token is the parent class for all WebAuth token objects. Other
than when creating a new token by decoding an encrypted token, this class
will never be used directly. Instead, it is the base class for all other
WebAuth::Token::* classes, each of which represents a specific type of
protocol token.
.PP
The following token classes are currently supported:
.IP "WebAuth::Token::App" 4
.IX Item "WebAuth::Token::App"
Used by a WebAuth Application Server to store data, such as the identity
of an authenticated user or the session key for that identity information.
.IP "WebAuth::Token::Cred" 4
.IX Item "WebAuth::Token::Cred"
Holds a credential for some other service, usually a Kerberos service
ticket. It is sent back by the WebKDC to a WebAuth Application Server when
requested using a proxy token, and the \s-1WAS\s0 also uses it to store the
credentials in cookies.
.IP "WebAuth::Token::Error" 4
.IX Item "WebAuth::Token::Error"
Returned by the WebKDC in response to a request token if some error
occurred in processing that request.
.IP "WebAuth::Token::Id" 4
.IX Item "WebAuth::Token::Id"
Identifies a user to a WebAuth Authentication Server. This token is sent
from the WebKDC to the \s-1WAS\s0 following a user authentication to
communicate the authentication information.
.IP "WebAuth::Token::Login" 4
.IX Item "WebAuth::Token::Login"
Used to communicate the user's username and password or other
authentication secret from the WebLogin server to the WebKDC.
.IP "WebAuth::Token::Proxy" 4
.IX Item "WebAuth::Token::Proxy"
Used by a WebAuth Application Server to request other tokens from the
WebKDC. This is returned by the WebKDC to a WebAuth Application Server if
the \s-1WAS\s0 may need to request various tokens (particularly credential
tokens).
.IP "WebAuth::Token::Request" 4
.IX Item "WebAuth::Token::Request"
Sent by the WebAuth Application Server to the WebKDC to initiate a request.
.Sp
This token has two forms. The first is sent by the \s-1WAS\s0 to the WebKDC
via a redirect to request either an id or a proxy token for the user,
depending on whether the \s-1WAS\s0 will need credentials. The second is sent
to the WebKDC as part of a request for a service token and contains only
the command and creation time.
.IP "WebAuth::Token::WebKDCProxy" 4
.IX Item "WebAuth::Token::WebKDCProxy"
Stores user credentials or authentication information for later use by the
WebKDC. This is the token that's stored as a single sign-on cookie in the
user's browser, allowing the user to authenticate to subsequent web sites
without reauthenticating. This token is also returned inside a proxy token
to a \s-1WAS,\s0 which can then present it back to the WebKDC to obtain id or
cred tokens.
.IP "WebAuth::Token::WebKDCService" 4
.IX Item "WebAuth::Token::WebKDCService"
Sent by the WebKDC to a \s-1WAS\s0 and returned by the \s-1WAS\s0 to the WebKDC as
part of the request token. The purpose of this token is to store the
session key used for encrypting the request token and its responses. It's
encrypted in the WebKDC's long-term key, and is therefore used by the
WebKDC to recover the session key without having local state.
.PP
Each of these tokens has different data elements and therefore different
accessor functions, and each has its own separate documentation. See that
individual documentation for the available operations on each type of
token.
.SH "CLASS METHODS"
.IX Header "CLASS METHODS"
As with WebAuth module functions, failures are signaled by throwing
WebAuth::Exception rather than by return status.
.IP "new (\s-1WEBAUTH, TOKEN, KEYRING\s0)" 4
.IX Item "new (WEBAUTH, TOKEN, KEYRING)"
Given an encrypted and base64\-encoded \s-1TOKEN,\s0 decode and decrypt it using
the provided WebAuth::Keyring object. The return value will be a subclass
of WebAuth::Token as described above in \*(L"\s-1DESCRIPTION\*(R"\s0.
.Sp
Callers will normally want to check via \fBisa()\fR whether the returned token
is of the type that the caller expected. Not performing that check can
lead to security issues.
.Sp
This is a convenience wrapper around the WebAuth \fBtoken_decode()\fR method.
.PP
The subclasses of WebAuth::Token also have a traditional \fBnew()\fR
constructor to create a new, empty token of that type.
.SH "AUTHOR"
.IX Header "AUTHOR"
Russ Allbery
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBWebAuth\fR\|(3), \fBWebAuth::Keyring\fR\|(3), \fBWebAuth::Token::App\fR\|(3),
\&\fBWebAuth::Token::Cred\fR\|(3), \fBWebAuth::Token::Error\fR\|(3), \fBWebAuth::Token::Id\fR\|(3),
\&\fBWebAuth::Token::Login\fR\|(3), \fBWebAuth::Token::Proxy\fR\|(3),
\&\fBWebAuth::Token::Request\fR\|(3), \fBWebAuth::Token::WebKDCProxy\fR\|(3),
\&\fBWebAuth::Token::WebKDCService\fR\|(3)
.PP
This module is part of WebAuth. The current version is available from .
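The isa() check that the new() entry above calls for, as an added Perl example that is not part of the WebAuth distribution or of this manual page. check_token_class() and decode_expecting() are hypothetical helper names, the bindings are assumed to be installed for decode_expecting(), and the two token objects at the bottom are constructed stand-ins so the check runs without a keyring.

```perl
#!/usr/bin/perl
# Added example, not from the WebAuth distribution.
use strict;
use warnings;
use Scalar::Util qw(blessed);

# The type check from the new() documentation: accept TOKEN only if it is a
# WebAuth::Token of one of the @allowed classes.  check_token_class() is a
# hypothetical helper name.
sub check_token_class {
    my ($token, @allowed) = @_;
    die "token rejected: not a WebAuth::Token object\n"
        unless blessed ($token) && $token->isa ('WebAuth::Token');
    for my $class (@allowed) {
        return $token if $token->isa ($class);
    }
    die 'token rejected: got ' . ref ($token) . ', expected '
        . join (' or ', @allowed) . "\n";
}

# Decode and type-check in one step so no caller sees an unchecked token.
# Decoding failures propagate as WebAuth::Exception, as the page describes.
# Assumes the WebAuth Perl bindings are installed (loaded on first use).
sub decode_expecting {
    my ($wa, $data, $keyring, @allowed) = @_;
    require WebAuth;
    my $token = WebAuth::Token->new ($wa, $data, $keyring);
    return check_token_class ($token, @allowed);
}

# Constructed stand-ins: empty objects blessed into the documented class
# names so the check can be exercised without a keyring or real tokens.
{
    no strict 'refs';
    @{"WebAuth::Token::${_}::ISA"} = ('WebAuth::Token') for qw(App Id);
}
my $app = bless {}, 'WebAuth::Token::App';
my $id  = bless {}, 'WebAuth::Token::Id';

# A handler that expects an app token accepts one ...
print 'accepted: ', ref (check_token_class ($app, 'WebAuth::Token::App')), "\n";

# ... and refuses a token of another type, even though it decoded cleanly.
eval { check_token_class ($id, 'WebAuth::Token::App') };
print "refused: $@";
```

Passing an explicit allow-list per call site keeps the expected token type next to the code that consumes it, so a token that decrypts under the same keyring but carries a different meaning is refused before any accessor is called.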