NAME¶
WebAuth::Token::WebKDCProxy - WebAuth webkdc-proxy tokens
SYNOPSIS¶
my $token = WebAuth::Token::WebKDCProxy->new;
$token->subject ('user');
$token->proxy_type ('webkdc');
$token->proxy_subject ('WEBKDC:remuser');
$token->expiration (time + 3600);
print $token->encode ($keyring), "\n";
DESCRIPTION¶
A WebAuth webkdc-proxy token, which stores user credentials or authentication
information for later use by the WebKDC. This is the token that's stored as a
single sign-on cookie in the user's browser, allowing the user to authenticate
to subsequent web sites without reauthenticating. This token is also returned
inside a proxy token to a WAS, which can then present it back to the WebKDC to
obtain id or cred tokens.
CLASS METHODS¶
- new ()
- Create a new, empty WebAuth::Token::WebKDCProxy. At least
some attributes will have to be set using the accessor methods described
below before the token can be used.
INSTANCE METHODS¶
As with WebAuth module functions, failures are signaled by throwing
WebAuth::Exception rather than by return status.
General Methods¶
- encode (KEYRING)
- Generate the encoded and encrypted form of this token using
the provided KEYRING. The encryption key used will be the one returned by
the best_key() method of WebAuth::Keyring on that KEYRING.
Accessor Methods¶
- subject ([SUBJECT])
- Get or set the subject, which holds the authenticated
identity of the user holding this token.
- proxy_type ([TYPE])
- Get or set the type of webkdc-proxy token this token
represents, which generally represents the authentication mechanism. The
values in common use are "krb5", for a webkdc-proxy token that
contains a Kerberos TGT, and "remuser", for a webkdc-proxy token
created via an assertion from an external authentication mechanism.
- proxy_subject ([SUBJECT])
- Get or set the subject to which this webkdc-proxy token was
granted. For tokens created internally by the WebKDC for its own use, this
will start with "WEBKDC:" and then include an identifier for the
WebKDC. For tokens provided to a WebAuth Application Server as part of a
proxy token, this will contain the identity of the WebAuth Application
Server. When the webkdc-proxy token is checked, this subject is verified
and only the named entity is permitted to use the token.
- data ([DATA])
- Get or set any data associated with the webkdc-proxy token.
For a token with proxy_type "krb5", this will be a Kerberos TGT
encoded in the format created by the export_cred() function of the
WebAuth::Krb5 module.
- initial_factors ([FACTORS])
- Get or set a comma-separated list of authentication factors
used by the user during initial authentication (the single sign-on
transaction). For a list of possible factors and their meaning, see the
WebAuth protocol specification.
- loa ([LOA])
- Get or set the level of assurance established for this user
authentication. This is a number whose values are site-defined but for
which increasing numbers represent increasing assurance for the
authentication.
- creation ([TIMESTAMP])
- Get or set the creation timestamp for this token in seconds
since epoch. If not set, the encoded token will have a creation time set
to the time of encoding.
- expiration ([TIMESTAMP])
- Get or set the expiration timestamp for this token in
seconds since epoch.
AUTHOR¶
Russ Allbery <eagle@eyrie.org>
SEE ALSO¶
WebAuth(3),
WebAuth::Keyring(3),
WebAuth::Krb5(3),
WebAuth::Token(3)
This module is part of WebAuth. The current version is available from
<
http://webauth.stanford.edu/>.