CatalystX::OAuth2 - OAuth2 services for Catalyst


version 0.001002


package AuthServer::Controller::OAuth2::Provider;
use Moose;
BEGIN { extends 'Catalyst::Controller::ActionRole' }

with 'CatalystX::OAuth2::Controller::Role::Provider';

  store => {
    class => 'DBIC',
    client_model => 'DB::Client'

sub request : Chained('/') Args(0) Does('OAuth2::RequestAuth') {}

sub grant : Chained('/') Args(0) Does('OAuth2::GrantAuth') {
  my ( $self, $c ) = @_;

  my $oauth2 = $c->req->oauth2;

  $c->user_exists and $oauth2->user_is_valid(1)
    or $c->detach('/passthrulogin');

sub token : Chained('/') Args(0) Does('OAuth2::AuthToken::ViaAuthGrant') {}

sub refresh : Chained('/') Args(0) Does('OAuth2::AuthToken::ViaRefreshToken') {}



This module implements the authorization grant subset of the oauth 2 ietf spec draft. Action roles containing an implementation of each required endpoint in the specification are provided and should be applied to a Catalyst::Controller::ActionRole. The authorization grant flow is defined by the specification as follows:

+--------+                                           +---------------+
|        |--(A)------- Authorization Grant --------->|               |
|        |                                           |               |
|        |<-(B)----------- Access Token -------------|               |
|        |               & Refresh Token             |               |
|        |                                           |               |
|        |                            +----------+   |               |
|        |--(C)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(D)- Protected Resource --| Resource |   | Authorization |
| Client |                            |  Server  |   |     Server    |
|        |--(E)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(F)- Invalid Token Error -|          |   |               |
|        |                            +----------+   |               |
|        |                                           |               |
|        |--(G)----------- Refresh Token ----------->|               |
|        |                                           |               |
|        |<-(H)----------- Access Token -------------|               |
+--------+           & Optional Refresh Token        +---------------+

The action roles should be applied to actions in a single controller, and no more than one action of each role type should be present.

Here is an overview of what roles are involved in each of those phases:

A - Catalyst::ActionRole::OAuth2::RequestAuth


This is the action where the authentication grant flow begins, it validades and sanitizes the request parameters and generates an authorization code which is used for issuing a valid request to the GrantAuth action via a redirect. The authorization code is only generated if all parameters are well-formed and valid, this ensures that requests to the GrantAuth action can trust the request parameters if a valid authorization code is presented.

B - Catalyst::ActionRole::OAuth2::GrantAuth


This action checks the request parameters for a valid authorization code, which should have been generated by a previous request to a RequestAuth action. This action should be customized to somehow confirm with the end-user if he wishes to effectively grant the authorization to the requesting client/app. The user-agent is redirected automatically to the correct endpoint if the authorization is granted.

C and D - Catalyst::ActionRole::OAuth2::AuthToken::ViaAuthGrant


This action exchanges a valid authorization grant code and responds with an authorization token.

G and H - Catalyst::ActionRole::OAuth2::AuthToken::ViaRefreshToken


This action exchanges a valid refresh token for a new access token and refresh token.



Takes a hashref containing two keys:


The store type to use, so far, only DBIC support is provided


The entity representing the client in your schema


This module exists due to the wonderful people at Suretec Systems Ltd. <> who sponsored it's development for its VoIP division called SureVoIP <>


Eden Cardim <>


This software is copyright (c) 2012 by Suretec Systems Ltd.

This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.