package OIDC::Lite::Server::Scope;
use strict;
use warnings;

sub optional_scopes{ return qw{profile email address phone offline_access}; }

sub validate_scopes{
    my ($self, $scopes) = @_;

    # if scope includes 'openid' , return true
    return 1 if ($self->is_openid_request($scopes));

    # if scope doesn't include 'openid', other OIDC scope must not be included.
    my %optional_scope_hash;
    $optional_scope_hash{$_}++ foreach $self->optional_scopes;
    foreach my $scope (@$scopes){
	return 0 if exists $optional_scope_hash{$scope};
    }
    return 1;
}

sub is_openid_request{
    my ($self, $scopes) = @_;

    # scopes is array ref
    return 0 unless (ref($scopes) eq 'ARRAY');

    # if it has 'openid', return true.
    my %scope_hash;
    $scope_hash{$_}++ foreach @$scopes;
    return (exists $scope_hash{q{openid}});
}

sub is_required_offline_access{
    my ($self, $scopes) = @_;

    # scopes is array ref
    return 0 unless (ref($scopes) eq 'ARRAY');

    # if it has 'offline_access', return true.
    my %scope_hash;
    $scope_hash{$_}++ foreach @$scopes;
    return (exists $scope_hash{q{offline_access}});
}

sub to_normal_claims{
    my ($self, $scopes) = @_;

    my @claims;
    foreach my $scope (@$scopes){
        push(@claims, qw{sub})
            if($scope eq q{openid});

        push(@claims, qw{name family_name given_name middle_name 
                         nickname preferred_username profile 
                         picture website gender birthdate 
                         zoneinfo locale updated_at})
            if($scope eq q{profile});

        push(@claims, qw(email email_verified))
            if($scope eq q{email});

        push(@claims, qw{address})
            if($scope eq q{address});

        push(@claims, qw{phone_number phone_number_verified})
            if($scope eq q{phone});
    }

    return \@claims;
}

=head1 NAME

OIDC::Lite::Server::Scope - utility class for OpenID Connect Scope

=head1 SYNOPSIS

    use OIDC::Lite::Server::Scope;

    my @scopes = ...

    # if request doesn't inclue 'openid' and include other OIDC scope, return false
    if(OIDC::Lite::Server::Scope->validate_scopes(\@scopes)){
        # valid scopes
    }else{
        # invalid scopes
    }    

    # return OpenID Connect request or not
    if(OIDC::Lite::Server::Scope->is_openid_request(\@scopes)){
        # OpenID Connect Request
        # issue ID Token
    }else{
        # OAuth 2.0 Request
        # don't issue ID Token
    }
    
    # returned normal claims for scopes
    my $claims = OIDC::Lite::Server::Scope->to_normal_claims(\@scopes);

=head1 DESCRIPTION

This is utility class for OpenID Connect scope.

=head1 METHODS

=head2 validate_scopes( $scopes )

If request doesn't inclue 'openid' and include other OIDC scope, return false.
'openid' : true
'not_openid' : true
'openid profile' : true
'profile' : false
'not_openid profile' : false

=head2 is_openid_request( $scopes )

Returns the requested scope is for OpenID Connect or not.

=head2 is_required_offline_access( $scopes )

Returns the requested scope includes 'offline_access' or not.

=head2 to_normal_claims( $req )

Returns normal claims for requested scopes.

=head1 AUTHOR

Ryo Ito, E<lt>ritou.06@gmail.comE<gt>

=head1 COPYRIGHT AND LICENSE

Copyright (C) 2012 by Ryo Ito

This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version 5.8.8 or,
at your option, any later version of Perl 5 you may have available.

=cut

1;