annotate mod_auth_custom_http/mod_auth_custom_http.lua @ 5193:2bb29ece216b

mod_http_oauth2: Implement stateless dynamic client registration

Replaces previous explicit registration that required either the additional module mod_adhoc_oauth2_client or manually editing the database. That method was enough to have something to test with, but would probably not scale easily.

Dynamic client registration allows creating clients on the fly, which may be even easier in theory.

In order to not allow basically unauthenticated writes to the database, we implement a stateless model here.

per_host_key := HMAC(config -> oauth2_registration_key, hostname)
client_id := JWT { client metadata } signed with per_host_key
client_secret := HMAC(per_host_key, client_id)

This should ensure everything we need to know is part of the client_id, allowing redirects etc. to be validated, and the client_secret can be validated with only the client_id and the per_host_key.

A nonce injected into the client_id JWT should ensure nobody can submit the same client metadata and retrieve the same client_secret.
author Kim Alvefur <zash@zash.se>
date Fri, 03 Mar 2023 21:14:19 +0100
parents 32d7f05e062f
children
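The registration scheme sketched in the commit message above, worked through as an added example in Python. This is not Prosody's mod_http_oauth2 code (which is Lua); it follows the three formulas literally with HMAC-SHA256 and a hand-rolled HS256 JWT from the standard library. The function names, the registration key and hostname, the client metadata fields (client_name, redirect_uris) and the use of the JWT jti claim as the nonce are this example's own assumptions.

```python
"""Added example: stateless OAuth2 client registration as described in the
mod_http_oauth2 commit message. Not project code; names and metadata fields
are assumptions made for this example."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def per_host_key(registration_key: bytes, hostname: str) -> bytes:
    # per_host_key := HMAC(config -> oauth2_registration_key, hostname)
    return hmac.new(registration_key, hostname.encode("utf-8"), hashlib.sha256).digest()


def hs256_jwt(claims: dict, key: bytes) -> str:
    # client_id := JWT { client metadata } signed with per_host_key
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_hs256_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the token was signed with key, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Only the algorithm we issue is accepted; the token does not get to choose.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeError, AttributeError):
        return None
    return claims if isinstance(claims, dict) else None


def client_secret_for(key: bytes, client_id: str) -> str:
    # client_secret := HMAC(per_host_key, client_id)
    return b64url(hmac.new(key, client_id.encode("ascii"), hashlib.sha256).digest())


def register_client(registration_key: bytes, hostname: str, metadata: dict) -> Tuple[str, str]:
    """Dynamic registration: nothing is stored; the returned pair is self-verifying."""
    key = per_host_key(registration_key, hostname)
    # jti carries the nonce (assumption), so identical metadata never yields the same secret twice.
    claims = dict(metadata, iss=hostname, jti=secrets.token_urlsafe(16))
    client_id = hs256_jwt(claims, key)
    return client_id, client_secret_for(key, client_id)


def authenticate_client(registration_key: bytes, hostname: str,
                        client_id: str, client_secret: str) -> Optional[dict]:
    """Return the registered metadata if client_id is ours for this host and the secret matches."""
    key = per_host_key(registration_key, hostname)
    claims = verify_hs256_jwt(client_id, key)
    if claims is None or claims.get("iss") != hostname:
        return None
    expected = client_secret_for(key, client_id).encode("ascii")
    if not hmac.compare_digest(expected, client_secret.encode("utf-8")):
        return None
    return claims


def redirect_allowed(claims: dict, redirect_uri: str) -> bool:
    """Exact match against the redirect_uris the client registered (assumed metadata field)."""
    return redirect_uri in claims.get("redirect_uris", [])
```

The server keeps no record of registered clients: every check needs only the registration key, the hostname and what the client presents. A client_id whose metadata was altered fails the signature check, a secret from another host fails because the per-host key differs, and registering the same metadata twice yields two different credential pairs because of the nonce. The flip side of the stateless design as sketched is that an individual client cannot be revoked without rotating the registration key for that host.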
Changesets annotated on this file (the per-line blame repeats each of these for every line it touched; listed once here):

rev   changeset      summary                                                                   author                                  parents
1043  809f7d46ad5c   mod_auth_custom_http: Initial commit.                                     Waqas Hussain <waqas20@gmail.com>
1046  b9d47487d550   mod_auth_custom_http: Organize imports, and make the URL a config option.  Waqas Hussain <waqas20@gmail.com>       1045
1343  7dbde05b48a9   all the things: Remove trailing whitespace                                Florian Zeitz <florob@babelmonkeys.de>  1046
2867  94d8960385aa   mod_auth_custom_http: Fix json.encode improper reference                  Senya <senya@kinetiksoft.com>           1343
3989  32d7f05e062f   mod_auth_custom_http: Unlock globals while loading socket.http            Matthew Wild <mwild1@gmail.com>         2867

Source of mod_auth_custom_http/mod_auth_custom_http.lua at this revision (comments added for this rendering):

```lua
-- Prosody IM
-- Copyright (C) 2008-2010 Waqas Hussain
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--

local new_sasl = require "util.sasl".new;
local json = require "util.json";
-- socket.http writes globals when loaded, which Prosody's module sandbox
-- forbids, so globals are unlocked around the require and locked again.
prosody.unlock_globals();
local http = require "socket.http";
prosody.lock_globals();

-- auth_custom_http = { post_url = "..." } in the host's config; the module
-- refuses to load without it.
local options = module:get_option("auth_custom_http");
local post_url = options and options.post_url;
assert(post_url, "No HTTP POST URL provided");

local provider = {};

-- Only the PLAIN password check is delegated to the backend; every other
-- operation of the auth provider API is declined.
function provider.test_password(username, password)
	return nil, "Not supported"
end

function provider.get_password(username)
	return nil, "Not supported"
end

function provider.set_password(username, password)
	return nil, "Not supported"
end

-- Existence is never asked of the backend: every username is reported as
-- existing, so only the password check can reject a login.
function provider.user_exists(username)
	return true;
end

function provider.create_user(username, password)
	return nil, "Not supported"
end

function provider.delete_user(username)
	return nil, "Not supported"
end

function provider.get_sasl_handler()
	local getpass_authentication_profile = {
		plain_test = function(sasl, username, password, realm)
			-- The cleartext credentials are POSTed as a JSON body. The simple
			-- form of socket.http sends it with its default
			-- application/x-www-form-urlencoded content-type, so the backend
			-- must parse the body as JSON regardless of that header.
			local postdata = json.encode({ username = username, password = password });
			-- socket.http is synchronous: Prosody's event loop is blocked until
			-- the backend answers or the request fails.
			local result = http.request(post_url, postdata);
			-- Success means the response body is exactly the string "true".
			-- Any other body, or a failed request (result == nil), is a reject.
			return result == "true", true;
		end,
	};
	return new_sasl(module.host, getpass_authentication_profile);
end

module:provides("auth", provider);
```
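What the other side of that POST has to look like, as an added example: a small Python handler for the endpoint post_url points at. This is not part of mod_auth_custom_http and not an existing backend. The contract it implements is the one visible in the module: a JSON body with username and password, and a response whose body is exactly the literal true for success. The user store, the PBKDF2 parameters, the sample credentials and the function names are constructed for this example.

```python
"""Added example: a backend for mod_auth_custom_http's POST. Not project code.
The user store, KDF parameters and names below are this example's assumptions."""
import hashlib
import hmac
import json
import os
from typing import Dict, Tuple

ITERATIONS = 200_000  # assumption: PBKDF2-HMAC-SHA256 work factor for this example store


def make_record(password: str) -> Dict[str, bytes]:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)}


# Constructed sample user store (example data, not from the page).
USERS: Dict[str, Dict[str, bytes]] = {"alice": make_record("correct horse battery staple")}


def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    # Run the KDF even for unknown users so response time does not reveal which usernames exist.
    salt = record["salt"] if record else b"\x00" * 16
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    if record is None:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def handle_auth_request(body: bytes) -> Tuple[int, str]:
    """Return (status, body) for one POST from the module.

    The module's only success test is result == "true", so the reply body is the
    bare literal true or false; anything else (a JSON object, a trailing newline)
    is treated by the module as a failed login. The body is parsed as JSON no
    matter what Content-Type arrived, because the module's socket.http call
    labels it form-urlencoded."""
    try:
        data = json.loads(body)
        username = data["username"]
        password = data["password"]
        if not isinstance(username, str) or not isinstance(password, str):
            raise ValueError("username and password must be strings")
    except (ValueError, KeyError, TypeError):
        # Malformed input is a reject, never an exception that leaks a stack trace.
        return 400, "false"
    return 200, "true" if verify_password(username, password) else "false"


def wsgi_app(environ, start_response):
    """WSGI adapter so the handler can sit behind any WSGI server (assumption:
    post_url in the Prosody config points at this app)."""
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", [("Content-Type", "text/plain"), ("Allow", "POST")])
        return [b"false"]
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    status, text = handle_auth_request(environ["wsgi.input"].read(length))
    reason = {200: "OK", 400: "Bad Request"}[status]
    start_response(f"{status} {reason}", [("Content-Type", "text/plain"), ("Content-Length", str(len(text)))])
    return [text.encode("ascii")]
```

Because the module compares the whole response body against "true", both a 200 with body false and a 400 with body false are rejects; the status code only matters to whoever reads the backend's logs. The backend receives the user's cleartext password on every login, so it belongs on a channel the XMPP server can trust and should store only salted hashes, as the sample store does.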