annotate mod_auth_oauth_external/mod_auth_oauth_external.lua @ 5549:01a0b67a9afd

mod_http_oauth2: Add TODO about disabling password grant Per recommendation in draft-ietf-oauth-security-topics-23 it should at the very least be disabled by default. However since this is used by the Snikket web portal some care needs to be taken not to break this, unless it's already broken by other changes to this module.
author Kim Alvefur <zash@zash.se>
date Fri, 16 Jun 2023 00:06:53 +0200
parents 4e79f344ae2f
children 0207fd248480
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 local http = require "net.http";
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 local async = require "util.async";
5433
b40299bbdf14 mod_auth_oauth_external: Fix missing import of util.jid
Kim Alvefur <zash@zash.se>
parents: 5346
diff changeset
3 local jid = require "util.jid";
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 local json = require "util.json";
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 local sasl = require "util.sasl";
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6
5346
d9bc8712a745 mod_auth_oauth_external: Allow setting identity instead of discovery URL
Kim Alvefur <zash@zash.se>
parents: 5345
diff changeset
7 local issuer_identity = module:get_option_string("oauth_external_issuer");
d9bc8712a745 mod_auth_oauth_external: Allow setting identity instead of discovery URL
Kim Alvefur <zash@zash.se>
parents: 5345
diff changeset
8 local oidc_discovery_url = module:get_option_string("oauth_external_discovery_url",
d9bc8712a745 mod_auth_oauth_external: Allow setting identity instead of discovery URL
Kim Alvefur <zash@zash.se>
parents: 5345
diff changeset
9 issuer_identity and issuer_identity .. "/.well-known/oauth-authorization-server" or nil);
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 local validation_endpoint = module:get_option_string("oauth_external_validation_endpoint");
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
11 local token_endpoint = module:get_option_string("oauth_external_token_endpoint");
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 local username_field = module:get_option_string("oauth_external_username_field", "preferred_username");
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
14 local allow_plain = module:get_option_boolean("oauth_external_resource_owner_password", true);
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 -- XXX Hold up, does whatever done here even need any of these things? Are we
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17 -- the OAuth client? Is the XMPP client the OAuth client? What are we???
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
18 local client_id = module:get_option_string("oauth_external_client_id");
5435
b3e7886fea6a mod_auth_oauth_external: Add setting for client_secret
Kim Alvefur <zash@zash.se>
parents: 5434
diff changeset
19 local client_secret = module:get_option_string("oauth_external_client_secret");
5436
e7d99bacd0e8 mod_auth_oauth_external: Make 'scope' configurable in password grant request
Kim Alvefur <zash@zash.se>
parents: 5435
diff changeset
20 local scope = module:get_option_string("oauth_external_scope", "openid");
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 --[[ More or less required endpoints
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23 digraph "oauth endpoints" {
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 issuer -> discovery -> { registration validation }
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25 registration -> { client_id client_secret }
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 { client_id client_secret validation } -> required
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 }
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 --]]
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30 local host = module.host;
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31 local provider = {};
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32
5442
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
33 local function not_implemented()
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
34 return nil, "method not implemented"
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
35 end
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
36
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
37 -- With proper OAuth 2, most of these should be handled at the atuhorization
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
38 -- server, no there.
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
39 provider.test_password = not_implemented;
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
40 provider.get_password = not_implemented;
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
41 provider.set_password = not_implemented;
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
42 provider.create_user = not_implemented;
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
43 provider.delete_user = not_implemented;
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
44
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
45 function provider.user_exists(_username)
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
46 -- Can this even be done in a generic way in OAuth 2?
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
47 -- OIDC and WebFinger perhaps?
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
48 return true;
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
49 end
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
50
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
51 function provider.users()
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
52 -- TODO this could be done by recording known users locally
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
53 return function ()
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
54 module:log("debug", "User iteration not supported");
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
55 return nil;
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
56 end
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
57 end
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
58
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
59 function provider.get_sasl_handler()
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
60 local profile = {};
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
61 profile.http_client = http.default; -- TODO configurable
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
62 local extra = { oidc_discovery_url = oidc_discovery_url };
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
63 if token_endpoint and allow_plain then
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
64 local map_username = function (username, _realm) return username; end; --jid.join; -- TODO configurable
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
65 function profile:plain_test(username, password, realm)
5437
49306afbf722 mod_auth_oauth_external: Expect XEP-0106 escaped username in PLAIN
Kim Alvefur <zash@zash.se>
parents: 5436
diff changeset
66 username = jid.unescape(username); -- COMPAT Mastodon
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
67 local tok, err = async.wait_for(self.profile.http_client:request(token_endpoint, {
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
68 headers = { ["Content-Type"] = "application/x-www-form-urlencoded; charset=utf-8"; ["Accept"] = "application/json" };
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
69 body = http.formencode({
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
70 grant_type = "password";
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
71 client_id = client_id;
5435
b3e7886fea6a mod_auth_oauth_external: Add setting for client_secret
Kim Alvefur <zash@zash.se>
parents: 5434
diff changeset
72 client_secret = client_secret;
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
73 username = map_username(username, realm);
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
74 password = password;
5436
e7d99bacd0e8 mod_auth_oauth_external: Make 'scope' configurable in password grant request
Kim Alvefur <zash@zash.se>
parents: 5435
diff changeset
75 scope = scope;
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
76 });
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
77 }))
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
78 if err or not (tok.code >= 200 and tok.code < 300) then
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
79 return false, nil;
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
80 end
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
81 local token_resp = json.decode(tok.body);
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
82 if not token_resp or string.lower(token_resp.token_type or "") ~= "bearer" then
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
83 return false, nil;
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
84 end
5434
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
85 if not validation_endpoint then
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
86 -- We're not going to get more info, only the username
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
87 self.username = jid.escape(username);
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
88 self.token_info = token_resp;
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
89 return true, true;
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
90 end
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
91 local ret, err = async.wait_for(self.profile.http_client:request(validation_endpoint,
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
92 { headers = { ["Authorization"] = "Bearer " .. token_resp.access_token; ["Accept"] = "application/json" } }));
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
93 if err then
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
94 return false, nil;
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
95 end
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
96 if not (ret.code >= 200 and ret.code < 300) then
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
97 return false, nil;
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
98 end
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
99 local response = json.decode(ret.body);
5440
82a14082be3f mod_auth_oauth_external: Allow different username in PLAIN vs final JID
Kim Alvefur <zash@zash.se>
parents: 5439
diff changeset
100 if type(response) ~= "table" then
82a14082be3f mod_auth_oauth_external: Allow different username in PLAIN vs final JID
Kim Alvefur <zash@zash.se>
parents: 5439
diff changeset
101 return false, nil, nil;
82a14082be3f mod_auth_oauth_external: Allow different username in PLAIN vs final JID
Kim Alvefur <zash@zash.se>
parents: 5439
diff changeset
102 elseif type(response[username_field]) ~= "string" then
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
103 return false, nil, nil;
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
104 end
5440
82a14082be3f mod_auth_oauth_external: Allow different username in PLAIN vs final JID
Kim Alvefur <zash@zash.se>
parents: 5439
diff changeset
105 self.username = jid.escape(response[username_field]);
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
106 self.token_info = response;
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
107 return true, true;
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
108 end
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
109 end
5434
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
110 if validation_endpoint then
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
111 function profile:oauthbearer(token)
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
112 if token == "" then
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
113 return false, nil, extra;
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
114 end
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
115
5434
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
116 local ret, err = async.wait_for(self.profile.http_client:request(validation_endpoint, {
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
117 headers = { ["Authorization"] = "Bearer " .. token; ["Accept"] = "application/json" };
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
118 }));
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
119 if err then
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
120 return false, nil, extra;
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
121 end
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
122 local response = ret and json.decode(ret.body);
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
123 if not (ret.code >= 200 and ret.code < 300) then
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
124 return false, nil, response or extra;
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
125 end
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
126 if type(response) ~= "table" or type(response[username_field]) ~= "string" then
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
127 return false, nil, nil;
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
128 end
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
129
5443
4e79f344ae2f mod_auth_oauth_external: Also do XEP-0106 escaping in SASL OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents: 5442
diff changeset
130 return jid.escape(response[username_field]), true, response;
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
131 end
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
132 end
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
133 return sasl.new(host, profile);
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
134 end
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
135
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
136 module:provides("auth", provider);