NAME
Catalyst::Plugin::OpenIDConnect::Utils::Store::Redis - Redis-backed OIDC store
SYNOPSIS
    # In your Catalyst application configuration:
    'Plugin::OpenIDConnect' => {
        store_class => 'Catalyst::Plugin::OpenIDConnect::Utils::Store::Redis',
        store_args  => {
            server   => '127.0.0.1:6379',   # default
            prefix   => 'myapp:oidc:',      # optional namespace prefix
            # password => 'secret',         # if Redis AUTH is required
        },
        issuer  => { ... },
        clients => { ... },
    },
DESCRIPTION
A Redis-backed implementation of Catalyst::Plugin::OpenIDConnect::Role::Store that stores authorization codes in Redis with automatic TTL expiry.
Because all FastCGI/pre-fork worker processes share the same Redis server, this backend is safe for multi-process deployments. Code expiry is enforced natively by Redis via SETEX, so no background cleanup is needed.
Requires either Redis::Fast (preferred for performance) or Redis; install whichever suits your environment.
ATTRIBUTES
server
The Redis server address in host:port form. Defaults to 127.0.0.1:6379.
prefix
Key namespace prefix prepended to every Redis key. Defaults to oidc:code:. Set this to a unique value per application to avoid collisions on shared Redis instances.
password
Optional Redis AUTH password. Leave unset if your Redis server does not require authentication. If the environment variable REDIS_PASSWORD is set, the plugin passes its value as the default for this attribute.
code_ttl
Lifetime of an authorization code in seconds. Defaults to 600 (10 minutes). The value is passed directly to Redis SETEX.
logger
Optional logger instance for debug/info/warn logging.
_redis
The underlying Redis connection, lazily created on first use. This defers the TCP connection until after the parent process has forked, which is necessary for pre-forking servers: each worker gets its own independent socket.
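The following is an added example, not code from this plugin, showing the lazy-connection pattern the _redis attribute describes and the one failure it guards against: a socket opened in the parent before a fork is inherited by every child, and concurrent children writing to one socket interleave their replies. The class name My::OIDC::RedisStore, the _redis_pid attribute and the redis() accessor are this example's own inventions; it assumes Moose and Redis::Fast are installed.

```perl
package My::OIDC::RedisStore;   # hypothetical class name, not the plugin's
use Moose;
use Redis::Fast;

has server   => (is => 'ro', isa => 'Str',        default => '127.0.0.1:6379');
has password => (is => 'ro', isa => 'Maybe[Str]', default => sub { $ENV{REDIS_PASSWORD} });

# lazy => 1: no socket is opened at construction time, so a store built in the
# parent process before it forks still connects separately in every worker.
has _redis => (
    is      => 'rw',
    isa     => 'Object',
    lazy    => 1,
    builder => '_build_redis',
    clearer => '_clear_redis',
);

# PID that owns the current connection; lets us detect a connection that was
# opened before a fork and must not be reused by the child.
has _redis_pid => (is => 'rw', isa => 'Int', default => sub { $$ });

sub _build_redis {
    my $self = shift;
    my %opts = (
        server    => $self->server,
        reconnect => 2,          # retry for up to 2 s on a dropped connection
        every     => 100_000,    # ... polling every 100 ms (microseconds)
    );
    $opts{password} = $self->password if defined $self->password;
    $self->_redis_pid($$);
    return Redis::Fast->new(%opts);
}

# Public accessor: if the PID changed since the connection was opened we are in
# a forked child that inherited the parent's socket, so drop it and reconnect.
sub redis {
    my $self = shift;
    $self->_clear_redis if $self->_redis_pid != $$;
    return $self->_redis;
}

sub ping { shift->redis->ping }

__PACKAGE__->meta->make_immutable;
1;
```

Every method that talks to Redis should go through redis() rather than _redis directly; the PID check is cheap and turns an easy-to-miss deployment mistake (touching the store during application setup, before the server forks) into a harmless reconnect.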
METHODS
create_authorization_code($client_id, $user, $scope, $redirect_uri, $nonce, $pkce)
Creates an authorization code and stores it in Redis with an automatic TTL equal to "code_ttl" seconds. $pkce is an optional hashref with keys code_challenge and code_challenge_method; omit or pass undef for non-PKCE flows.
Returns the authorization code string.
get_authorization_code($code)
Retrieves authorization code data from Redis.
Returns a hashref with the code data, or undef if the code does not exist or has already expired (Redis TTL handles expiry automatically).
consume_authorization_code($code)
Atomically fetches and deletes the authorization code from Redis using the GETDEL command (Redis ≥ 6.2). Because GETDEL is a single server-side operation it is race-free: a second concurrent request carrying the same code will receive nil from Redis and be rejected.
Returns the decoded code data hashref on success, or undef if the code does not exist, has already been consumed, or cannot be decoded.
store_refresh_token($jti, $sub, $client_id, $ttl)
Stores a refresh token JTI in Redis with SETEX using $ttl seconds. Also maintains a secondary per-subject Set ({prefix}rt_sub:{sub}) so that all tokens for a user can be revoked atomically at logout time.
consume_refresh_token($jti)
Atomically fetches and deletes the JTI entry using GETDEL (Redis ≥ 6.2). Returns the decoded data hashref, or undef if absent (already used, revoked, or expired).
revoke_refresh_tokens_for_user($sub)
Revokes all outstanding refresh tokens for the given subject by iterating the per-subject Redis Set and deleting each JTI key, then deleting the Set itself. Called at logout time.
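The script below is an added example, not the plugin's own code, and walks the two lifecycles the METHODS above describe against a live Redis assumed to be reachable on 127.0.0.1:6379: an authorization code that can be consumed exactly once, and refresh tokens that are revoked per subject. The key layout ({prefix}code:{code}, {prefix}rt:{jti}, {prefix}rt_sub:{sub}), the JSON fields, the Lua fallback for Redis older than 6.2, and the expiry bookkeeping on the per-subject Set are this example's own choices.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Redis::Fast;
use JSON::MaybeXS      qw(encode_json decode_json);
use Bytes::Random::Secure qw(random_bytes);
use MIME::Base64       qw(encode_base64url);

my $prefix   = 'exampleapp:oidc:';   # constructed namespace for this demo
my $code_ttl = 600;
my $r = Redis::Fast->new(server => '127.0.0.1:6379');   # assumed local Redis

# GETDEL exists only from Redis 6.2. On older servers an EVAL'd script gives
# the same single-round-trip atomicity: GET and DEL run with no interleaving.
my $GETDEL_LUA = q{
  local v = redis.call('GET', KEYS[1])
  if v then redis.call('DEL', KEYS[1]) end
  return v
};
my $has_getdel;
sub atomic_getdel {
    my ($key) = @_;
    $has_getdel //= do {
        my ($maj, $min) = split /\./, ($r->info->{redis_version} // '0.0');
        ($maj > 6 || ($maj == 6 && $min >= 2)) ? 1 : 0;
    };
    return $has_getdel ? $r->getdel($key) : $r->eval($GETDEL_LUA, 1, $key);
}

sub create_authorization_code {
    my (%data) = @_;   # client_id, sub, scope, redirect_uri, nonce, pkce
    my $code = encode_base64url(random_bytes(32));   # 256 bits from a CSPRNG
    $data{issued_at} = time;
    # SETEX: value and TTL in one command, so a code can never exist without expiry.
    $r->setex("${prefix}code:$code", $code_ttl, encode_json(\%data));
    return $code;
}

sub consume_authorization_code {
    my ($code) = @_;
    my $json = atomic_getdel("${prefix}code:$code");
    return undef unless defined $json;          # absent, expired, or already used
    return eval { decode_json($json) };          # undef if the payload is corrupt
}

sub store_refresh_token {
    my ($jti, $sub, $client_id, $ttl) = @_;
    my $set = "${prefix}rt_sub:$sub";
    $r->setex("${prefix}rt:$jti", $ttl, encode_json({ sub => $sub, client_id => $client_id }));
    $r->sadd($set, $jti);
    # Let the Set expire with its longest-lived member, otherwise a user who
    # never logs out leaves a Set of dead JTIs behind forever.
    $r->expire($set, $ttl) if $r->ttl($set) < $ttl;
}

sub consume_refresh_token {
    my ($jti) = @_;
    my $json = atomic_getdel("${prefix}rt:$jti");
    return defined $json ? eval { decode_json($json) } : undef;
}

sub revoke_refresh_tokens_for_user {
    my ($sub) = @_;
    my $set  = "${prefix}rt_sub:$sub";
    my @jtis = $r->smembers($set);
    $r->del(map { "${prefix}rt:$_" } @jtis) if @jtis;
    $r->del($set);
    return scalar @jtis;   # number of tokens revoked
}

# Demo with constructed values: the second consume of the same code must fail.
my $code   = create_authorization_code(client_id => 'demo', sub => 'alice', scope => 'openid');
my $first  = consume_authorization_code($code);
my $replay = consume_authorization_code($code);
printf "first consume: %s, replay: %s\n",
    $first ? 'ok' : 'rejected', $replay ? 'ok' : 'rejected';

store_refresh_token($_, 'alice', 'demo', 3600) for qw(jti-1 jti-2);
printf "revoked %d refresh tokens for alice\n", revoke_refresh_tokens_for_user('alice');
printf "jti-1 after revocation: %s\n", consume_refresh_token('jti-1') ? 'still valid' : 'gone';
```

Two points worth checking in any deployment of this pattern: the prefix must be unique per application on a shared Redis, since revoke_refresh_tokens_for_user deletes whatever the Set names; and the version probe in atomic_getdel runs once per process, so a rolling Redis upgrade from below 6.2 simply keeps using the Lua path until workers restart, which is safe either way.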
DEPENDENCIES
Redis::Fast (preferred) or Redis, plus JSON::MaybeXS and Bytes::Random::Secure.
AUTHOR
Tim F. Rayner
LICENSE
This library is free software; you can redistribute it and/or modify it under the terms of The Artistic License 2.0.