annotate mod_adhoc_oauth2_client/mod_adhoc_oauth2_client.lua @ 5255:001c8fdc91a4

mod_http_oauth2: Add support for the "openid" scope This "openid" scope is there to signal access to the userinfo endpoint, which is needed for OIDC support. We don't actually check this later because the userinfo endpoint only returns info embedded in the token itself, but in the future we may want to check this more carefully.
author Kim Alvefur <zash@zash.se>
date Thu, 16 Mar 2023 17:06:35 +0100
parents 871d140d61bb
children a9c1cc91d3d6
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
4261
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 local adhoc = require "util.adhoc";
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 local dataforms = require "util.dataforms";
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 local errors = require "util.error";
4263
d3af5f94d6df mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents: 4262
diff changeset
4 local hashes = require "util.hashes";
4261
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 local id = require "util.id";
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 local jid = require "util.jid";
4263
d3af5f94d6df mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents: 4262
diff changeset
7 local base64 = require"util.encodings".base64;
4261
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9 local clients = module:open_store("oauth2_clients", "map");
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10
4263
d3af5f94d6df mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents: 4262
diff changeset
11 local iteration_count = module:get_option_number("oauth2_client_iteration_count", 10000);
d3af5f94d6df mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents: 4262
diff changeset
12 local pepper = module:get_option_string("oauth2_client_pepper", "");
d3af5f94d6df mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents: 4262
diff changeset
13
4261
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14 local new_client = dataforms.new({
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15 title = "Create OAuth2 client";
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 {var = "FORM_TYPE"; type = "hidden"; value = "urn:uuid:ff0d55ed-2187-4ee0-820a-ab633a911c14#create"};
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17 {name = "name"; type = "text-single"; label = "Client name"; required = true};
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 {name = "description"; type = "text-multi"; label = "Description"};
4267
43284437c5ed mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents: 4266
diff changeset
19 {name = "info_url"; type = "text-single"; label = "Informative URL"; desc = "Link to information about your client"; datatype = "xs:anyURI"};
43284437c5ed mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents: 4266
diff changeset
20 {
43284437c5ed mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents: 4266
diff changeset
21 name = "redirect_uri";
43284437c5ed mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents: 4266
diff changeset
22 type = "text-single";
43284437c5ed mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents: 4266
diff changeset
23 label = "Redirection URI";
43284437c5ed mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents: 4266
diff changeset
24 desc = "Where to redirect the user after authorizing.";
43284437c5ed mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents: 4266
diff changeset
25 datatype = "xs:anyURI";
43284437c5ed mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents: 4266
diff changeset
26 required = true;
43284437c5ed mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents: 4266
diff changeset
27 };
4261
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 })
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30 local client_created = dataforms.new({
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31 title = "New OAuth2 client created";
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32 instructions = "Save these details, they will not be shown again";
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 {var = "FORM_TYPE"; type = "hidden"; value = "urn:uuid:ff0d55ed-2187-4ee0-820a-ab633a911c14#created"};
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34 {name = "client_id"; type = "text-single"; label = "Client ID"};
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
35 {name = "client_secret"; type = "text-single"; label = "Client secret"};
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36 })
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
37
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
38 local function create_client(client, formerr, data)
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
39 if formerr then
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
40 local errmsg = {"Error in form:"};
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41 for field, err in pairs(formerr) do table.insert(errmsg, field .. ": " .. err); end
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
42 return {status = "error"; error = {message = table.concat(errmsg, "\n")}};
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
43 end
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
44
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
45 local creator = jid.split(data.from);
4268
871d140d61bb mod_adhoc_oauth2_client: Fix including final client_id in result form
Kim Alvefur <zash@zash.se>
parents: 4267
diff changeset
46 local client_uid = id.short();
871d140d61bb mod_adhoc_oauth2_client: Fix including final client_id in result form
Kim Alvefur <zash@zash.se>
parents: 4267
diff changeset
47 local client_id = jid.join(creator, module.host, client_uid);
4263
d3af5f94d6df mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents: 4262
diff changeset
48 local client_secret = id.long();
d3af5f94d6df mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents: 4262
diff changeset
49 local salt = id.medium();
d3af5f94d6df mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents: 4262
diff changeset
50 local i = iteration_count;
4261
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
51
4263
d3af5f94d6df mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents: 4262
diff changeset
52 client.secret_hash = base64.encode(hashes.pbkdf2_hmac_sha256(client_secret, salt .. pepper, i));
d3af5f94d6df mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents: 4262
diff changeset
53 client.iteration_count = i;
d3af5f94d6df mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents: 4262
diff changeset
54 client.salt = salt;
4261
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
55
4268
871d140d61bb mod_adhoc_oauth2_client: Fix including final client_id in result form
Kim Alvefur <zash@zash.se>
parents: 4267
diff changeset
56 local ok, err = errors.coerce(clients:set(creator, client_uid, client));
4261
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
57 module:log("info", "OAuth2 client %q created by %s", client_id, data.from);
4266
b43c6d614d22 mod_adhoc_oauth2_client: Fix adhoc status on error
Kim Alvefur <zash@zash.se>
parents: 4263
diff changeset
58 if not ok then return {status = "canceled"; error = {message = err}}; end
4261
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
59
4268
871d140d61bb mod_adhoc_oauth2_client: Fix including final client_id in result form
Kim Alvefur <zash@zash.se>
parents: 4267
diff changeset
60 return {status = "completed"; result = {layout = client_created; values = {client_id = client_id; client_secret = client_secret}}};
4261
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
61 end
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
62
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
63 local handler = adhoc.new_simple_form(new_client, create_client);
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
64
608be9a66876 mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff changeset
65 module:provides("adhoc", module:require "adhoc".new(new_client.title, new_client[1].value, handler, "local_user"));
4262
6d7fb22c0440 mod_adhoc_oauth2_client: Note TODO
Kim Alvefur <zash@zash.se>
parents: 4261
diff changeset
66
6d7fb22c0440 mod_adhoc_oauth2_client: Note TODO
Kim Alvefur <zash@zash.se>
parents: 4261
diff changeset
67 -- TODO list/manage/revoke clients