prosody-modules: mod_http_oauth2/mod_http

annotate mod_http_oauth2/mod_http_oauth2.lua @ 5193:2bb29ece216b

mod_http_oauth2: Implement stateless dynamic client registration Replaces previous explicit registration that required either the additional module mod_adhoc_oauth2_client or manually editing the database. That method was enough to have something to test with, but would not probably not scale easily. Dynamic client registration allows creating clients on the fly, which may be even easier in theory. In order to not allow basically unauthenticated writes to the database, we implement a stateless model here. per_host_key := HMAC(config -> oauth2_registration_key, hostname) client_id := JWT { client metadata } signed with per_host_key client_secret := HMAC(per_host_key, client_id) This should ensure everything we need to know is part of the client_id, allowing redirects etc to be validated, and the client_secret can be validated with only the client_id and the per_host_key. A nonce injected into the client_id JWT should ensure nobody can submit the same client metadata and retrieve the same client_secret

author	Kim Alvefur <zash@zash.se>
date	Fri, 03 Mar 2023 21:14:19 +0100
parents	03aa9baa9ac3
children	25041e15994e

rev	line source
4263 d3af5f94d6df mod_http_oauth2: Improve storage of client secret Kim Alvefur <zash@zash.se> parents: 4260 diff changeset	1 local hashes = require "util.hashes";
4271 9623b99bb8d2 mod_http_oauth2: Keep authorization codes in memory instead of storage Kim Alvefur <zash@zash.se> parents: 4270 diff changeset	2 local cache = require "util.cache";
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	3 local http = require "util.http";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	4 local jid = require "util.jid";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	5 local json = require "util.json";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	6 local usermanager = require "core.usermanager";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	7 local errors = require "util.error";
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	8 local url = require "socket.url";
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	9 local uuid = require "util.uuid";
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	10 local encodings = require "util.encodings";
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	11 local base64 = encodings.base64;
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	12 local schema = require "util.jsonschema";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	13 local jwt = require"util.jwt";
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	14
3915 80dffbbd056b mod_rest, mod_http_oauth2: Switch from mod_authtokens to mod_tokenauth per Prosody bf81523e2ff4 Matthew Wild <mwild1@gmail.com> parents: 3908 diff changeset	15 local tokens = module:depends("tokenauth");
3908 8ac5d9933106 mod_http_oauth2: Implement real tokens using mod_authtokens Matthew Wild <mwild1@gmail.com> parents: 3903 diff changeset	16
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	17 -- Used to derive client_secret from client_id, set to enable stateless dynamic registration.
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	18 local registration_key = module:get_option_string("oauth2_registration_key");
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	19 local registration_algo = module:get_option_string("oauth2_registration_algorithm", "HS256");
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	20 local registration_options = module:get_option("oauth2_registration_options", { default_ttl = 60 * 60 * 24 * 90 });
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	21
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	22 local jwt_sign, jwt_verify;
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	23 if not registration_key then
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	24 module:log("error", "Missing required 'oauth2_registration_key', generate a strong key and configure it")
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	25 else
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	26 -- Tie it to the host if global
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	27 registration_key = hashes.hmac_sha256(registration_key, module.host);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	28 jwt_sign, jwt_verify = jwt.init(registration_algo, registration_key, registration_key, registration_options);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	29 end
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	30
4998 5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	31 local function filter_scopes(username, host, requested_scope_string)
5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	32 if host ~= module.host then
5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	33 return usermanager.get_jid_role(username.."@"..host, module.host).name;
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	34 end
4998 5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	35
5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	36 if requested_scope_string then -- Specific role requested
5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	37 -- TODO: The requested scope string is technically a space-delimited list
5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	38 -- of scopes, but for simplicity we're mapping this slot to role names.
5006 5dadbe0718f1 mod_http_oauth2: Update for new new role API Matthew Wild <mwild1@gmail.com> parents: 4998 diff changeset	39 if usermanager.user_can_assume_role(username, module.host, requested_scope_string) then
4998 5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	40 return requested_scope_string;
5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	41 end
5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	42 end
5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	43
5006 5dadbe0718f1 mod_http_oauth2: Update for new new role API Matthew Wild <mwild1@gmail.com> parents: 4998 diff changeset	44 return usermanager.get_user_role(username, module.host).name;
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	45 end
7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	46
4669 d3434fd151b5 mod_http_oauth2: Optimize cleanup timer Kim Alvefur <zash@zash.se> parents: 4370 diff changeset	47 local function code_expires_in(code)
d3434fd151b5 mod_http_oauth2: Optimize cleanup timer Kim Alvefur <zash@zash.se> parents: 4370 diff changeset	48 return os.difftime(os.time(), code.issued);
d3434fd151b5 mod_http_oauth2: Optimize cleanup timer Kim Alvefur <zash@zash.se> parents: 4370 diff changeset	49 end
d3434fd151b5 mod_http_oauth2: Optimize cleanup timer Kim Alvefur <zash@zash.se> parents: 4370 diff changeset	50
4269 143515d0b212 mod_http_oauth2: Factor out authorization code validity decision Kim Alvefur <zash@zash.se> parents: 4265 diff changeset	51 local function code_expired(code)
4669 d3434fd151b5 mod_http_oauth2: Optimize cleanup timer Kim Alvefur <zash@zash.se> parents: 4370 diff changeset	52 return code_expires_in(code) > 120;
4269 143515d0b212 mod_http_oauth2: Factor out authorization code validity decision Kim Alvefur <zash@zash.se> parents: 4265 diff changeset	53 end
143515d0b212 mod_http_oauth2: Factor out authorization code validity decision Kim Alvefur <zash@zash.se> parents: 4265 diff changeset	54
4271 9623b99bb8d2 mod_http_oauth2: Keep authorization codes in memory instead of storage Kim Alvefur <zash@zash.se> parents: 4270 diff changeset	55 local codes = cache.new(10000, function (_, code)
9623b99bb8d2 mod_http_oauth2: Keep authorization codes in memory instead of storage Kim Alvefur <zash@zash.se> parents: 4270 diff changeset	56 return code_expired(code)
9623b99bb8d2 mod_http_oauth2: Keep authorization codes in memory instead of storage Kim Alvefur <zash@zash.se> parents: 4270 diff changeset	57 end);
9623b99bb8d2 mod_http_oauth2: Keep authorization codes in memory instead of storage Kim Alvefur <zash@zash.se> parents: 4270 diff changeset	58
4272 91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	59 module:add_timer(900, function()
91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	60 local k, code = codes:tail();
91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	61 while code and code_expired(code) do
91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	62 codes:set(k, nil);
91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	63 k, code = codes:tail();
91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	64 end
4669 d3434fd151b5 mod_http_oauth2: Optimize cleanup timer Kim Alvefur <zash@zash.se> parents: 4370 diff changeset	65 return code and code_expires_in(code) + 1 or 900;
4272 91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	66 end)
91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	67
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	68 local function oauth_error(err_name, err_desc)
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	69 return errors.new({
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	70 type = "modify";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	71 condition = "bad-request";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	72 code = err_name == "invalid_client" and 401 or 400;
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	73 text = err_desc and (err_name..": "..err_desc) or err_name;
4276 ec33b3b1136c mod_http_oauth2: Fix passing OAuth-specific error details Kim Alvefur <zash@zash.se> parents: 4272 diff changeset	74 extra = { oauth2_response = { error = err_name, error_description = err_desc } };
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	75 });
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	76 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	77
3918 dea6bea2ddd3 mod_http_oauth2: Refactor re-joining of JID out of token constructor Kim Alvefur <zash@zash.se> parents: 3915 diff changeset	78 local function new_access_token(token_jid, scope, ttl)
5182 20ba6340f524 mod_http_oauth2: Issue tokens for the purpose of 'oauth2' Kim Alvefur <zash@zash.se> parents: 5181 diff changeset	79 local token = tokens.create_jid_token(token_jid, token_jid, scope, ttl, nil, "oauth2");
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	80 return {
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	81 token_type = "bearer";
3908 8ac5d9933106 mod_http_oauth2: Implement real tokens using mod_authtokens Matthew Wild <mwild1@gmail.com> parents: 3903 diff changeset	82 access_token = token;
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	83 expires_in = ttl;
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	84 scope = scope;
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	85 -- TODO: include refresh_token when implemented
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	86 };
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	87 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	88
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	89 local function get_redirect_uri(client, query_redirect_uri) -- record client, string : string
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	90 for _, redirect_uri in ipairs(client.redirect_uris) do
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	91 if query_redirect_uri == nil or query_redirect_uri == redirect_uri then
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	92 return redirect_uri
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	93 end
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	94 end
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	95 end
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	96
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	97 local grant_type_handlers = {};
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	98 local response_type_handlers = {};
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	99
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	100 function grant_type_handlers.password(params)
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	101 local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)"));
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	102 local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'"));
3919 8ed261a08a9c mod_http_oauth2: Allow creation of full JID tokens Kim Alvefur <zash@zash.se> parents: 3918 diff changeset	103 local request_username, request_host, request_resource = jid.prepped_split(request_jid);
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	104
3908 8ac5d9933106 mod_http_oauth2: Implement real tokens using mod_authtokens Matthew Wild <mwild1@gmail.com> parents: 3903 diff changeset	105 if not (request_username and request_host) or request_host ~= module.host then
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	106 return oauth_error("invalid_request", "invalid JID");
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	107 end
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	108 if not usermanager.test_password(request_username, request_host, request_password) then
7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	109 return oauth_error("invalid_grant", "incorrect credentials");
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	110 end
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	111
7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	112 local granted_jid = jid.join(request_username, request_host, request_resource);
4998 5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	113 local granted_scopes = filter_scopes(request_username, request_host, params.scope);
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	114 return json.encode(new_access_token(granted_jid, granted_scopes, nil));
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	115 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	116
5186 fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	117 -- TODO response_type_handlers have some common boilerplate code, refactor?
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	118
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	119 function response_type_handlers.code(params, granted_jid)
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	120 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	121
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	122 local ok, client = jwt_verify(params.client_id);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	123
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	124 if not ok then
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	125 return oauth_error("invalid_client", "incorrect credentials");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	126 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	127
5191 f5a58cbe86e4 mod_http_oauth2: Derive scope from correct user details Kim Alvefur <zash@zash.se> parents: 5190 diff changeset	128 local request_username, request_host = jid.split(granted_jid);
f5a58cbe86e4 mod_http_oauth2: Derive scope from correct user details Kim Alvefur <zash@zash.se> parents: 5190 diff changeset	129 local granted_scopes = filter_scopes(request_username, request_host, params.scope);
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	130
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	131 local code = uuid.generate();
4670 1b81b7269858 mod_http_oauth2: Gracefully handle cache write failure Kim Alvefur <zash@zash.se> parents: 4669 diff changeset	132 local ok = codes:set(params.client_id .. "#" .. code, {
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	133 issued = os.time();
7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	134 granted_jid = granted_jid;
7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	135 granted_scopes = granted_scopes;
4670 1b81b7269858 mod_http_oauth2: Gracefully handle cache write failure Kim Alvefur <zash@zash.se> parents: 4669 diff changeset	136 });
1b81b7269858 mod_http_oauth2: Gracefully handle cache write failure Kim Alvefur <zash@zash.se> parents: 4669 diff changeset	137 if not ok then
1b81b7269858 mod_http_oauth2: Gracefully handle cache write failure Kim Alvefur <zash@zash.se> parents: 4669 diff changeset	138 return {status_code = 429};
1b81b7269858 mod_http_oauth2: Gracefully handle cache write failure Kim Alvefur <zash@zash.se> parents: 4669 diff changeset	139 end
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	140
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	141 local redirect_uri = get_redirect_uri(client, params.redirect_uri);
5188 7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	142 if redirect_uri == "urn:ietf:wg:oauth:2.0:oob" then
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	143 -- TODO some nicer template page
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	144 local response = { status_code = 200; headers = { content_type = "text/plain" } }
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	145 response.body = module:context("*"):fire_event("http-message", {
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	146 response = response;
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	147 title = "Your authorization code";
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	148 message = "Here's your authorization code, copy and paste it into your app:";
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	149 extra = code;
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	150 }) or ("Here's your authorization code:\n%s\n"):format(code);
5190 1733f184e2bb mod_http_oauth2: Fix to actually return OOB response Kim Alvefur <zash@zash.se> parents: 5189 diff changeset	151 return response;
5188 7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	152 end
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	153
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	154 local redirect = url.parse(redirect_uri);
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	155
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	156 local query = http.formdecode(redirect.query or "");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	157 if type(query) ~= "table" then query = {}; end
5192 03aa9baa9ac3 mod_http_oauth2: Add support for 'iss' authz response parameter (RFC 9207) Matthew Wild <mwild1@gmail.com> parents: 5191 diff changeset	158 table.insert(query, { name = "code", value = code });
03aa9baa9ac3 mod_http_oauth2: Add support for 'iss' authz response parameter (RFC 9207) Matthew Wild <mwild1@gmail.com> parents: 5191 diff changeset	159 table.insert(query, { name = "iss", value = module:http_url(nil, "/") });
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	160 if params.state then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	161 table.insert(query, { name = "state", value = params.state });
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	162 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	163 redirect.query = http.formencode(query);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	164
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	165 return {
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	166 status_code = 302;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	167 headers = {
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	168 location = url.build(redirect);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	169 };
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	170 }
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	171 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	172
5186 fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	173 -- Implicit flow
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	174 function response_type_handlers.token(params, granted_jid)
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	175 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	176
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	177 local client = jwt_verify(params.client_id);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	178
5186 fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	179 if not client then
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	180 return oauth_error("invalid_client", "incorrect credentials");
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	181 end
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	182
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	183 local request_username, request_host = jid.split(granted_jid);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	184 local granted_scopes = filter_scopes(request_username, request_host, params.scope);
5186 fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	185 local token_info = new_access_token(granted_jid, granted_scopes, nil);
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	186
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	187 local redirect = url.parse(get_redirect_uri(client, params.redirect_uri));
5186 fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	188 token_info.state = params.state;
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	189 redirect.fragment = http.formencode(token_info);
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	190
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	191 return {
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	192 status_code = 302;
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	193 headers = {
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	194 location = url.build(redirect);
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	195 };
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	196 }
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	197 end
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	198
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	199 local function make_secret(client_id) --> client_secret
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	200 return hashes.hmac_sha256(registration_key, client_id, true);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	201 end
4263 d3af5f94d6df mod_http_oauth2: Improve storage of client secret Kim Alvefur <zash@zash.se> parents: 4260 diff changeset	202
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	203 local function verify_secret(client_id, client_secret)
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	204 return hashes.equals(make_secret(client_id), client_secret);
4263 d3af5f94d6df mod_http_oauth2: Improve storage of client secret Kim Alvefur <zash@zash.se> parents: 4260 diff changeset	205 end
d3af5f94d6df mod_http_oauth2: Improve storage of client secret Kim Alvefur <zash@zash.se> parents: 4260 diff changeset	206
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	207 function grant_type_handlers.authorization_code(params)
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	208 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	209 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	210 if not params.code then return oauth_error("invalid_request", "missing 'code'"); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	211 if params.scope and params.scope ~= "" then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	212 return oauth_error("invalid_scope", "unknown scope requested");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	213 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	214
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	215 local client = jwt_verify(params.client_id);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	216 if not client then
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	217 return oauth_error("invalid_client", "incorrect credentials");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	218 end
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	219
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	220 if not verify_secret(params.client_id, params.client_secret) then
4260 c539334dd01a mod_http_oauth2: Rescope oauth client config into users' storage Kim Alvefur <zash@zash.se> parents: 4259 diff changeset	221 module:log("debug", "client_secret mismatch");
c539334dd01a mod_http_oauth2: Rescope oauth client config into users' storage Kim Alvefur <zash@zash.se> parents: 4259 diff changeset	222 return oauth_error("invalid_client", "incorrect credentials");
c539334dd01a mod_http_oauth2: Rescope oauth client config into users' storage Kim Alvefur <zash@zash.se> parents: 4259 diff changeset	223 end
4271 9623b99bb8d2 mod_http_oauth2: Keep authorization codes in memory instead of storage Kim Alvefur <zash@zash.se> parents: 4270 diff changeset	224 local code, err = codes:get(params.client_id .. "#" .. params.code);
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	225 if err then error(err); end
4269 143515d0b212 mod_http_oauth2: Factor out authorization code validity decision Kim Alvefur <zash@zash.se> parents: 4265 diff changeset	226 if not code or type(code) ~= "table" or code_expired(code) then
4260 c539334dd01a mod_http_oauth2: Rescope oauth client config into users' storage Kim Alvefur <zash@zash.se> parents: 4259 diff changeset	227 module:log("debug", "authorization_code invalid or expired: %q", code);
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	228 return oauth_error("invalid_client", "incorrect credentials");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	229 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	230
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	231 return json.encode(new_access_token(code.granted_jid, code.granted_scopes, nil));
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	232 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	233
4370 dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	234 local function check_credentials(request, allow_token)
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	235 local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	236
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	237 if auth_type == "Basic" then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	238 local creds = base64.decode(auth_data);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	239 if not creds then return false; end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	240 local username, password = string.match(creds, "^([^:]+):(.*)$");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	241 if not username then return false; end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	242 username, password = encodings.stringprep.nodeprep(username), encodings.stringprep.saslprep(password);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	243 if not username then return false; end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	244 if not usermanager.test_password(username, module.host, password) then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	245 return false;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	246 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	247 return username;
4370 dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	248 elseif auth_type == "Bearer" and allow_token then
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	249 local token_info = tokens.get_token_info(auth_data);
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	250 if not token_info or not token_info.session or token_info.session.host ~= module.host then
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	251 return false;
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	252 end
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	253 return token_info.session.username;
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	254 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	255 return nil;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	256 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	257
3920 cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	258 if module:get_host_type() == "component" then
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	259 local component_secret = assert(module:get_option_string("component_secret"), "'component_secret' is a required setting when loaded on a Component");
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	260
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	261 function grant_type_handlers.password(params)
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	262 local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)"));
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	263 local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'"));
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	264 local request_username, request_host, request_resource = jid.prepped_split(request_jid);
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	265 if params.scope then
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	266 return oauth_error("invalid_scope", "unknown scope requested");
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	267 end
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	268 if not request_host or request_host ~= module.host then
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	269 return oauth_error("invalid_request", "invalid JID");
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	270 end
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	271 if request_password == component_secret then
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	272 local granted_jid = jid.join(request_username, request_host, request_resource);
4257 145e8e8a247a mod_http_oauth2: Fix incomplete function arity change in dea6bea2ddd3 Kim Alvefur <zash@zash.se> parents: 4256 diff changeset	273 return json.encode(new_access_token(granted_jid, nil, nil));
3920 cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	274 end
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	275 return oauth_error("invalid_grant", "incorrect credentials");
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	276 end
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	277
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	278 -- TODO How would this make sense with components?
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	279 -- Have an admin authenticate maybe?
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	280 response_type_handlers.code = nil;
5186 fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	281 response_type_handlers.token = nil;
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	282 grant_type_handlers.authorization_code = nil;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	283 check_credentials = function () return false end
3920 cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	284 end
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	285
5187 6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	286 local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", {"authorization_code", "password"})
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	287 for handler_type in pairs(grant_type_handlers) do
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	288 if not allowed_grant_type_handlers:contains(handler_type) then
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	289 grant_type_handlers[handler_type] = nil;
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	290 end
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	291 end
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	292
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	293 -- "token" aka implicit flow is considered insecure
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	294 local allowed_response_type_handlers = module:get_option_set("allowed_oauth2_response_types", {"code"})
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	295 for handler_type in pairs(allowed_response_type_handlers) do
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	296 if not allowed_grant_type_handlers:contains(handler_type) then
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	297 grant_type_handlers[handler_type] = nil;
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	298 end
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	299 end
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	300
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	301 function handle_token_grant(event)
3934 469408682152 mod_http_oauth2: Set content type on successful repsponses (fixes #1501) Kim Alvefur <zash@zash.se> parents: 3920 diff changeset	302 event.response.headers.content_type = "application/json";
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	303 local params = http.formdecode(event.request.body);
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	304 if not params then
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	305 return oauth_error("invalid_request");
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	306 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	307 local grant_type = params.grant_type
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	308 local grant_handler = grant_type_handlers[grant_type];
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	309 if not grant_handler then
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	310 return oauth_error("unsupported_grant_type");
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	311 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	312 return grant_handler(params);
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	313 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	314
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	315 local function handle_authorization_request(event)
4258 cc712899becd mod_http_oauth2: Unpack event object to improve readability Kim Alvefur <zash@zash.se> parents: 4257 diff changeset	316 local request, response = event.request, event.response;
cc712899becd mod_http_oauth2: Unpack event object to improve readability Kim Alvefur <zash@zash.se> parents: 4257 diff changeset	317 if not request.headers.authorization then
cc712899becd mod_http_oauth2: Unpack event object to improve readability Kim Alvefur <zash@zash.se> parents: 4257 diff changeset	318 response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	319 return 401;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	320 end
4258 cc712899becd mod_http_oauth2: Unpack event object to improve readability Kim Alvefur <zash@zash.se> parents: 4257 diff changeset	321 local user = check_credentials(request);
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	322 if not user then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	323 return 401;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	324 end
4265 7b4a73364363 mod_http_oauth2: Add TODO Kim Alvefur <zash@zash.se> parents: 4263 diff changeset	325 -- TODO ask user for consent here
4258 cc712899becd mod_http_oauth2: Unpack event object to improve readability Kim Alvefur <zash@zash.se> parents: 4257 diff changeset	326 if not request.url.query then
cc712899becd mod_http_oauth2: Unpack event object to improve readability Kim Alvefur <zash@zash.se> parents: 4257 diff changeset	327 response.headers.content_type = "application/json";
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	328 return oauth_error("invalid_request");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	329 end
4258 cc712899becd mod_http_oauth2: Unpack event object to improve readability Kim Alvefur <zash@zash.se> parents: 4257 diff changeset	330 local params = http.formdecode(request.url.query);
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	331 if not params then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	332 return oauth_error("invalid_request");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	333 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	334 local response_type = params.response_type;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	335 local response_handler = response_type_handlers[response_type];
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	336 if not response_handler then
4258 cc712899becd mod_http_oauth2: Unpack event object to improve readability Kim Alvefur <zash@zash.se> parents: 4257 diff changeset	337 response.headers.content_type = "application/json";
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	338 return oauth_error("unsupported_response_type");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	339 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	340 return response_handler(params, jid.join(user, module.host));
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	341 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	342
4370 dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	343 local function handle_revocation_request(event)
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	344 local request, response = event.request, event.response;
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	345 if not request.headers.authorization then
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	346 response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	347 return 401;
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	348 elseif request.headers.content_type ~= "application/x-www-form-urlencoded"
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	349 or not request.body or request.body == "" then
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	350 return 400;
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	351 end
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	352 local user = check_credentials(request, true);
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	353 if not user then
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	354 return 401;
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	355 end
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	356
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	357 local form_data = http.formdecode(event.request.body);
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	358 if not form_data or not form_data.token then
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	359 return 400;
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	360 end
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	361 local ok, err = tokens.revoke_token(form_data.token);
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	362 if not ok then
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	363 module:log("warn", "Unable to revoke token: %s", tostring(err));
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	364 return 500;
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	365 end
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	366 return 200;
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	367 end
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	368
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	369 local registration_schema = {
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	370 type = "object";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	371 required = { "client_name"; "redirect_uris" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	372 properties = {
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	373 redirect_uris = { type = "array"; minLength = 1; items = { type = "string"; format = "uri" } };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	374 token_endpoint_auth_method = { enum = { "none"; "client_secret_post"; "client_secret_basic" }; type = "string" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	375 grant_types = {
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	376 items = {
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	377 enum = {
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	378 "authorization_code";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	379 "implicit";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	380 "password";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	381 "client_credentials";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	382 "refresh_token";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	383 "urn:ietf:params:oauth:grant-type:jwt-bearer";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	384 "urn:ietf:params:oauth:grant-type:saml2-bearer";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	385 };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	386 type = "string";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	387 };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	388 type = "array";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	389 };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	390 response_types = { items = { enum = { "code"; "token" }; type = "string" }; type = "array" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	391 client_name = { type = "string" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	392 client_uri = { type = "string"; format = "uri" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	393 logo_uri = { type = "string"; format = "uri" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	394 scope = { type = "string" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	395 contacts = { items = { type = "string" }; type = "array" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	396 tos_uri = { type = "string" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	397 policy_uri = { type = "string"; format = "uri" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	398 jwks_uri = { type = "string"; format = "uri" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	399 jwks = { type = "object"; description = "JSON Web Key Set, RFC 7517" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	400 software_id = { type = "string"; format = "uuid" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	401 software_version = { type = "string" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	402 };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	403 }
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	404
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	405 local function handle_register_request(event)
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	406 local request = event.request;
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	407 local client_metadata = json.decode(request.body);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	408
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	409 if not schema.validate(registration_schema, client_metadata) then
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	410 return oauth_error("invalid_request", "Failed schema validation.");
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	411 end
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	412
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	413 -- Ensure each signed client_id JWT is unique
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	414 client_metadata.nonce = uuid.generate();
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	415
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	416 -- Do we want to keep everything?
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	417 local client_id = jwt_sign(client_metadata);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	418 local client_secret = make_secret(client_id);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	419
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	420 local client_desc = {
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	421 client_id = client_id;
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	422 client_secret = client_secret;
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	423 client_id_issued_at = os.time();
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	424 client_secret_expires_at = 0;
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	425 }
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	426
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	427 return {
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	428 status_code = 201;
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	429 headers = { content_type = "application/json" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	430 body = json.encode(client_desc);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	431 };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	432 end
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	433
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	434 if not registration_key then
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	435 module:log("info", "No 'oauth2_registration_key', dynamic client registration disabled")
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	436 handle_authorization_request = nil
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	437 handle_register_request = nil
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	438 end
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	439
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	440 module:depends("http");
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	441 module:provides("http", {
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	442 route = {
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	443 ["POST /token"] = handle_token_grant;
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	444 ["GET /authorize"] = handle_authorization_request;
4370 dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	445 ["POST /revoke"] = handle_revocation_request;
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	446 ["POST /register"] = handle_register_request;
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	447 };
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	448 });
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	449
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	450 local http_server = require "net.http.server";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	451
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	452 module:hook_object_event(http_server, "http-error", function (event)
4276 ec33b3b1136c mod_http_oauth2: Fix passing OAuth-specific error details Kim Alvefur <zash@zash.se> parents: 4272 diff changeset	453 local oauth2_response = event.error and event.error.extra and event.error.extra.oauth2_response;
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	454 if not oauth2_response then
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	455 return;
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	456 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	457 event.response.headers.content_type = "application/json";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	458 event.response.status_code = event.error.code or 400;
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	459 return json.encode(oauth2_response);
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	460 end, 5);
5189 4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	461
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	462 -- OIDC Discovery
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	463
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	464 module:provides("http", {
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	465 name = "oauth2-discovery";
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	466 default_path = "/.well-known/oauth-authorization-server";
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	467 route = {
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	468 ["GET"] = {
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	469 headers = { content_type = "application/json" };
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	470 body = json.encode {
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	471 issuer = module:http_url(nil, "/");
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	472 authorization_endpoint = module:http_url() .. "/authorize";
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	473 token_endpoint = module:http_url() .. "/token";
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	474 jwks_uri = nil; -- TODO?
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	475 registration_endpoint = module:http_url() .. "/register";
5189 4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	476 scopes_supported = { "prosody:restricted"; "prosody:user"; "prosody:admin"; "prosody:operator" };
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	477 response_types_supported = { "code"; "token" };
5192 03aa9baa9ac3 mod_http_oauth2: Add support for 'iss' authz response parameter (RFC 9207) Matthew Wild <mwild1@gmail.com> parents: 5191 diff changeset	478 authorization_response_iss_parameter_supported = true;
5189 4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	479 };
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	480 };
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	481 };
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	482 });
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	483
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	484 module:shared("tokenauth/oauthbearer_config").oidc_discovery_url = module:http_url("oauth2-discovery", "/.well-known/oauth-authorization-server");

Mercurial > prosody-modules

annotate mod_http_oauth2/mod_http_oauth2.lua @ 5193:2bb29ece216b