prosody-modules: mod_sasl_oauthbearer/mod_sasl

annotate mod_sasl_oauthbearer/mod_sasl_oauthbearer.lua @ 5616:59d5fc50f602

mod_http_oauth2: Implement refresh token rotation Makes refresh tokens one-time-use, handing out a new refresh token with each access token. Thus if a refresh token is stolen and used by an attacker, the next time the legitimate client tries to use the previous refresh token, it will not work and the attack will be noticed. If the attacker does not use the refresh token, it becomes invalid after the legitimate client uses it. This behavior is recommended by draft-ietf-oauth-security-topics

author	Kim Alvefur <zash@zash.se>
date	Sun, 23 Jul 2023 02:56:08 +0200
parents	73ada978dabc
children

rev	line source
3114 73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	1 local s_match = string.match;
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	2 local registerMechanism = require "util.sasl".registerMechanism;
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	3 local saslprep = require "util.encodings".stringprep.saslprep;
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	4 local nodeprep = require "util.encodings".stringprep.nodeprep;
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	5 local log = require "util.logger".init("sasl");
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	6 local _ENV = nil;
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	7
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	8
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	9 local function oauthbearer(self, message)
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	10 if not message then
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	11 return "failure", "malformed-request";
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	12 end
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	13
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	14 local authorization, password = s_match(message, "^n,a=([^,]*),\1auth=Bearer ([^\1]+)");
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	15 if not authorization then
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	16 return "failure", "malformed-request";
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	17 end
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	18
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	19 local authentication = s_match(authorization, "(.-)@.*");
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	20
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	21 -- SASLprep password and authentication
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	22 authentication = saslprep(authentication);
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	23 password = saslprep(password);
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	24
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	25 if (not password) or (password == "") or (not authentication) or (authentication == "") then
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	26 log("debug", "Username or password violates SASLprep.");
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	27 return "failure", "malformed-request", "Invalid username or password.";
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	28 end
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	29
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	30 local _nodeprep = self.profile.nodeprep;
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	31 if _nodeprep ~= false then
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	32 authentication = (_nodeprep or nodeprep)(authentication);
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	33 if not authentication or authentication == "" then
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	34 return "failure", "malformed-request", "Invalid username or password."
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	35 end
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	36 end
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	37
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	38 local correct, state = false, false;
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	39 correct, state = self.profile.oauthbearer(self, authentication, password, self.realm);
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	40
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	41 self.username = authentication
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	42 if state == false then
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	43 return "failure", "account-disabled";
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	44 elseif state == nil or not correct then
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	45 return "failure", "not-authorized", "Unable to authorize you with the authentication credentials you've sent.";
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	46 end
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	47 return "success";
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	48 end
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	49
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer JC Brand <jc@opkode.com> parents: diff changeset	50 registerMechanism("OAUTHBEARER", {"oauthbearer"}, oauthbearer);

Mercurial > prosody-modules

annotate mod_sasl_oauthbearer/mod_sasl_oauthbearer.lua @ 5616:59d5fc50f602