OIDC-Client

This distribution makes it easy to integrate the OpenID Connect protocol into different types of Perl applications.

You can use the OIDC::Client module directly in any batch or script. If you plan to use it from a web application, you should instead choose the plugin that is compatible with your framework (all these plugins essentially use this distribution) :

Features

Security Features

PKCE (Proof Key for Code Exchange)

PKCE is enabled by default for all authorization code flows. This mitigates authorization code interception attacks.

PKCE is considered a best practice for all OAuth 2.0 clients, including confidential clients, and is mandatory in OAuth 2.1.

Cryptographically Secure Random Values

All security-sensitive random values generated by this module — state, nonce, jti, and PKCE code_verifier — are generated using a cryptographically secure pseudo-random number generator (CSPRNG). The generated values provide at least 128 bits of entropy, while PKCE code_verifier values provide 256 bits of entropy, as recommended by RFC 7636.

Client Authentication

The following OAuth 2.0 client authentication methods are supported:

Token Validation

ID Tokens and Access Tokens can be validated according to the OpenID Connect and OAuth 2.0 specifications, including support for JWT signature verification and token introspection.

Documentation Index

Security Recommendation

When using OIDC-Client with an application, it is highly recommended to configure the framework to store session data, including sensitive tokens such as access and refresh tokens, on the backend rather than in client-side cookies. Although cookies can be signed and encrypted, storing tokens in the client exposes them to potential security threats.

Limitations