prosody-modules: mod_http_oauth2/mod_http

annotate mod_http_oauth2/mod_http_oauth2.lua @ 5585:5b316088bef5

mod_rest: Use logger of HTTP request in trunk In Prosody trunk rev c975dafa4303 each HTTP request gained its own log sink, to make it easy to log things related to each request and group those messages. Especially where async is used, spreading the request and response apart as mod_rest does with iq stanzas, this grouped logging should help find related messages.

author	Kim Alvefur <zash@zash.se>
date	Fri, 07 Jul 2023 00:10:37 +0200
parents	feadbd481285
children	7040d0772758

rev	line source
5501 57ce8c4017e7 mod_http_oauth2: Sort imports Kim Alvefur <zash@zash.se> parents: 5495 diff changeset	1 local usermanager = require "core.usermanager";
57ce8c4017e7 mod_http_oauth2: Sort imports Kim Alvefur <zash@zash.se> parents: 5495 diff changeset	2 local url = require "socket.url";
57ce8c4017e7 mod_http_oauth2: Sort imports Kim Alvefur <zash@zash.se> parents: 5495 diff changeset	3 local array = require "util.array";
4271 9623b99bb8d2 mod_http_oauth2: Keep authorization codes in memory instead of storage Kim Alvefur <zash@zash.se> parents: 4270 diff changeset	4 local cache = require "util.cache";
5501 57ce8c4017e7 mod_http_oauth2: Sort imports Kim Alvefur <zash@zash.se> parents: 5495 diff changeset	5 local encodings = require "util.encodings";
57ce8c4017e7 mod_http_oauth2: Sort imports Kim Alvefur <zash@zash.se> parents: 5495 diff changeset	6 local errors = require "util.error";
57ce8c4017e7 mod_http_oauth2: Sort imports Kim Alvefur <zash@zash.se> parents: 5495 diff changeset	7 local hashes = require "util.hashes";
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	8 local http = require "util.http";
5501 57ce8c4017e7 mod_http_oauth2: Sort imports Kim Alvefur <zash@zash.se> parents: 5495 diff changeset	9 local id = require "util.id";
57ce8c4017e7 mod_http_oauth2: Sort imports Kim Alvefur <zash@zash.se> parents: 5495 diff changeset	10 local it = require "util.iterators";
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	11 local jid = require "util.jid";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	12 local json = require "util.json";
5501 57ce8c4017e7 mod_http_oauth2: Sort imports Kim Alvefur <zash@zash.se> parents: 5495 diff changeset	13 local schema = require "util.jsonschema";
57ce8c4017e7 mod_http_oauth2: Sort imports Kim Alvefur <zash@zash.se> parents: 5495 diff changeset	14 local jwt = require "util.jwt";
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	15 local random = require "util.random";
5209 942f8a2f722d mod_http_oauth2: Allow non-HTTPS on localhost URLs Matthew Wild <mwild1@gmail.com> parents: 5208 diff changeset	16 local set = require "util.set";
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	17 local st = require "util.stanza";
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	18
5501 57ce8c4017e7 mod_http_oauth2: Sort imports Kim Alvefur <zash@zash.se> parents: 5495 diff changeset	19 local base64 = encodings.base64;
57ce8c4017e7 mod_http_oauth2: Sort imports Kim Alvefur <zash@zash.se> parents: 5495 diff changeset	20
5383 df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	21 local function b64url(s)
5392 c0a6f39caf47 mod_http_oauth2: Fix missing base64 part of base64url (Thanks KeyCloak) Kim Alvefur <zash@zash.se> parents: 5391 diff changeset	22 return (base64.encode(s):gsub("[+/=]", { ["+"] = "-", ["/"] = "_", ["="] = "" }))
5383 df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	23 end
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	24
5400 71766a4a7322 mod_http_oauth2: Reduce line count of metadata construction Kim Alvefur <zash@zash.se> parents: 5399 diff changeset	25 local function tmap(t)
71766a4a7322 mod_http_oauth2: Reduce line count of metadata construction Kim Alvefur <zash@zash.se> parents: 5399 diff changeset	26 return function(k)
71766a4a7322 mod_http_oauth2: Reduce line count of metadata construction Kim Alvefur <zash@zash.se> parents: 5399 diff changeset	27 return t[k];
71766a4a7322 mod_http_oauth2: Reduce line count of metadata construction Kim Alvefur <zash@zash.se> parents: 5399 diff changeset	28 end
71766a4a7322 mod_http_oauth2: Reduce line count of metadata construction Kim Alvefur <zash@zash.se> parents: 5399 diff changeset	29 end
71766a4a7322 mod_http_oauth2: Reduce line count of metadata construction Kim Alvefur <zash@zash.se> parents: 5399 diff changeset	30
5513 0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	31 local function strict_formdecode(query)
0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	32 if not query then
0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	33 return nil;
0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	34 end
0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	35 local params = http.formdecode(query);
0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	36 if type(params) ~= "table" then
0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	37 return nil, "no-pairs";
0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	38 end
0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	39 local dups = {};
0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	40 for _, pair in ipairs(params) do
0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	41 if dups[pair.name] then
0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	42 return nil, "duplicate";
0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	43 end
0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	44 dups[pair.name] = true;
0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	45 end
0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	46 return params;
0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	47 end
0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	48
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	49 local function read_file(base_path, fn, required)
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	50 local f, err = io.open(base_path .. "/" .. fn);
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	51 if not f then
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	52 module:log(required and "error" or "debug", "Unable to load template file: %s", err);
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	53 if required then
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	54 return error("Failed to load templates");
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	55 end
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	56 return nil;
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	57 end
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	58 local data = assert(f:read("*a"));
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	59 assert(f:close());
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	60 return data;
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	61 end
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	62
5554 90449babaa48 mod_http_oauth2: Make allowed locales configurable Kim Alvefur <zash@zash.se> parents: 5553 diff changeset	63 local allowed_locales = module:get_option_array("allowed_oauth2_locales", {});
90449babaa48 mod_http_oauth2: Make allowed locales configurable Kim Alvefur <zash@zash.se> parents: 5553 diff changeset	64 -- TODO Allow translations or per-locale templates somehow.
90449babaa48 mod_http_oauth2: Make allowed locales configurable Kim Alvefur <zash@zash.se> parents: 5553 diff changeset	65
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	66 local template_path = module:get_option_path("oauth2_template_path", "html");
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	67 local templates = {
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	68 login = read_file(template_path, "login.html", true);
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	69 consent = read_file(template_path, "consent.html", true);
5495 7998b49d6512 mod_http_oauth2: Create proper template for OOB code delivery Kim Alvefur <zash@zash.se> parents: 5480 diff changeset	70 oob = read_file(template_path, "oob.html", true);
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	71 error = read_file(template_path, "error.html", true);
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	72 css = read_file(template_path, "style.css");
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	73 js = read_file(template_path, "script.js");
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	74 };
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	75
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	76 local site_name = module:get_option_string("site_name", module.host);
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	77
5547 d4a2997deae9 mod_http_oauth2: Make CSP configurable Kim Alvefur <zash@zash.se> parents: 5544 diff changeset	78 local security_policy = module:get_option_string("oauth2_security_policy", "default-src 'self'");
d4a2997deae9 mod_http_oauth2: Make CSP configurable Kim Alvefur <zash@zash.se> parents: 5544 diff changeset	79
5544 cb141088eff0 mod_http_oauth2: Remove underscore prefix Kim Alvefur <zash@zash.se> parents: 5526 diff changeset	80 local render_html = require"util.interpolation".new("%b{}", st.xml_escape);
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	81 local function render_page(template, data, sensitive)
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	82 data = data or {};
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	83 data.site_name = site_name;
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	84 local resp = {
5470 40c990159006 mod_http_oauth2: Use error status code when rendering error page Kim Alvefur <zash@zash.se> parents: 5469 diff changeset	85 status_code = data.error and data.error.code or 200;
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	86 headers = {
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	87 ["Content-Type"] = "text/html; charset=utf-8";
5547 d4a2997deae9 mod_http_oauth2: Make CSP configurable Kim Alvefur <zash@zash.se> parents: 5544 diff changeset	88 ["Content-Security-Policy"] = security_policy;
5479 30e2722c9fa3 mod_http_oauth2: Disable Referrer via header Kim Alvefur <zash@zash.se> parents: 5478 diff changeset	89 ["Referrer-Policy"] = "no-referrer";
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	90 ["X-Frame-Options"] = "DENY";
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	91 ["Cache-Control"] = (sensitive and "no-store" or "no-cache")..", private";
5509 ae007be8a6bd mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 Kim Alvefur <zash@zash.se> parents: 5502 diff changeset	92 ["Pragma"] = "no-cache";
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	93 };
5544 cb141088eff0 mod_http_oauth2: Remove underscore prefix Kim Alvefur <zash@zash.se> parents: 5526 diff changeset	94 body = render_html(template, data);
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	95 };
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	96 return resp;
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	97 end
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	98
5502 fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	99 local authorization_server_metadata = nil;
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	100
3915 80dffbbd056b mod_rest, mod_http_oauth2: Switch from mod_authtokens to mod_tokenauth per Prosody bf81523e2ff4 Matthew Wild <mwild1@gmail.com> parents: 3908 diff changeset	101 local tokens = module:depends("tokenauth");
3908 8ac5d9933106 mod_http_oauth2: Implement real tokens using mod_authtokens Matthew Wild <mwild1@gmail.com> parents: 3903 diff changeset	102
5279 2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	103 local default_access_ttl = module:get_option_number("oauth2_access_token_ttl", 86400);
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	104 local default_refresh_ttl = module:get_option_number("oauth2_refresh_token_ttl", nil);
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	105
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	106 -- Used to derive client_secret from client_id, set to enable stateless dynamic registration.
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	107 local registration_key = module:get_option_string("oauth2_registration_key");
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	108 local registration_algo = module:get_option_string("oauth2_registration_algorithm", "HS256");
5416 2393dbae51ed mod_http_oauth2: Add option for specifying TTL of registered clients Kim Alvefur <zash@zash.se> parents: 5409 diff changeset	109 local registration_ttl = module:get_option("oauth2_registration_ttl", nil);
2393dbae51ed mod_http_oauth2: Add option for specifying TTL of registered clients Kim Alvefur <zash@zash.se> parents: 5409 diff changeset	110 local registration_options = module:get_option("oauth2_registration_options",
2393dbae51ed mod_http_oauth2: Add option for specifying TTL of registered clients Kim Alvefur <zash@zash.se> parents: 5409 diff changeset	111 { default_ttl = registration_ttl; accept_expired = not registration_ttl });
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	112
5383 df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	113 local pkce_required = module:get_option_boolean("oauth2_require_code_challenge", false);
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	114
5199 f48628dc83f1 mod_http_oauth2: Separate client_secret verification key from JWT key Kim Alvefur <zash@zash.se> parents: 5198 diff changeset	115 local verification_key;
5459 260a859be86a mod_http_oauth2: Rename variables to improve clarity Kim Alvefur <zash@zash.se> parents: 5458 diff changeset	116 local sign_client, verify_client;
5196 6b63af56c8ac mod_http_oauth2: Remove error message Kim Alvefur <zash@zash.se> parents: 5195 diff changeset	117 if registration_key then
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	118 -- Tie it to the host if global
5199 f48628dc83f1 mod_http_oauth2: Separate client_secret verification key from JWT key Kim Alvefur <zash@zash.se> parents: 5198 diff changeset	119 verification_key = hashes.hmac_sha256(registration_key, module.host);
5459 260a859be86a mod_http_oauth2: Rename variables to improve clarity Kim Alvefur <zash@zash.se> parents: 5458 diff changeset	120 sign_client, verify_client = jwt.init(registration_algo, registration_key, registration_key, registration_options);
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	121 end
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	122
5510 a49d73e4262e mod_http_oauth2: Add client verification wrapper function Kim Alvefur <zash@zash.se> parents: 5509 diff changeset	123 -- verify and prepare client structure
a49d73e4262e mod_http_oauth2: Add client verification wrapper function Kim Alvefur <zash@zash.se> parents: 5509 diff changeset	124 local function check_client(client_id)
a49d73e4262e mod_http_oauth2: Add client verification wrapper function Kim Alvefur <zash@zash.se> parents: 5509 diff changeset	125 if not verify_client then
a49d73e4262e mod_http_oauth2: Add client verification wrapper function Kim Alvefur <zash@zash.se> parents: 5509 diff changeset	126 return nil, "client-registration-not-enabled";
a49d73e4262e mod_http_oauth2: Add client verification wrapper function Kim Alvefur <zash@zash.se> parents: 5509 diff changeset	127 end
a49d73e4262e mod_http_oauth2: Add client verification wrapper function Kim Alvefur <zash@zash.se> parents: 5509 diff changeset	128
a49d73e4262e mod_http_oauth2: Add client verification wrapper function Kim Alvefur <zash@zash.se> parents: 5509 diff changeset	129 local ok, client = verify_client(client_id);
5511 0860497152af mod_http_oauth2: Record hash of client_id to allow future verification Kim Alvefur <zash@zash.se> parents: 5510 diff changeset	130 if not ok then
0860497152af mod_http_oauth2: Record hash of client_id to allow future verification Kim Alvefur <zash@zash.se> parents: 5510 diff changeset	131 return ok, client;
0860497152af mod_http_oauth2: Record hash of client_id to allow future verification Kim Alvefur <zash@zash.se> parents: 5510 diff changeset	132 end
0860497152af mod_http_oauth2: Record hash of client_id to allow future verification Kim Alvefur <zash@zash.se> parents: 5510 diff changeset	133
0860497152af mod_http_oauth2: Record hash of client_id to allow future verification Kim Alvefur <zash@zash.se> parents: 5510 diff changeset	134 client.client_hash = b64url(hashes.sha256(client_id));
5510 a49d73e4262e mod_http_oauth2: Add client verification wrapper function Kim Alvefur <zash@zash.se> parents: 5509 diff changeset	135 return client;
a49d73e4262e mod_http_oauth2: Add client verification wrapper function Kim Alvefur <zash@zash.se> parents: 5509 diff changeset	136 end
a49d73e4262e mod_http_oauth2: Add client verification wrapper function Kim Alvefur <zash@zash.se> parents: 5509 diff changeset	137
5449 9c19a6b8e542 mod_http_oauth2: Describe type signatures of scope handling functions Kim Alvefur <zash@zash.se> parents: 5448 diff changeset	138 -- scope : string \| array \| set
9c19a6b8e542 mod_http_oauth2: Describe type signatures of scope handling functions Kim Alvefur <zash@zash.se> parents: 5448 diff changeset	139 --
9c19a6b8e542 mod_http_oauth2: Describe type signatures of scope handling functions Kim Alvefur <zash@zash.se> parents: 5448 diff changeset	140 -- at each step, allow the same or a subset of scopes
9c19a6b8e542 mod_http_oauth2: Describe type signatures of scope handling functions Kim Alvefur <zash@zash.se> parents: 5448 diff changeset	141 -- (all ( client ( grant ( token ) ) ))
9c19a6b8e542 mod_http_oauth2: Describe type signatures of scope handling functions Kim Alvefur <zash@zash.se> parents: 5448 diff changeset	142 -- preserve order since it determines role if more than one granted
9c19a6b8e542 mod_http_oauth2: Describe type signatures of scope handling functions Kim Alvefur <zash@zash.se> parents: 5448 diff changeset	143
9c19a6b8e542 mod_http_oauth2: Describe type signatures of scope handling functions Kim Alvefur <zash@zash.se> parents: 5448 diff changeset	144 -- string -> array
5254 b0ccdd12a70d mod_http_oauth2: Prepare to handle multiple e.g. non-role scopes Kim Alvefur <zash@zash.se> parents: 5252 diff changeset	145 local function parse_scopes(scope_string)
b0ccdd12a70d mod_http_oauth2: Prepare to handle multiple e.g. non-role scopes Kim Alvefur <zash@zash.se> parents: 5252 diff changeset	146 return array(scope_string:gmatch("%S+"));
b0ccdd12a70d mod_http_oauth2: Prepare to handle multiple e.g. non-role scopes Kim Alvefur <zash@zash.se> parents: 5252 diff changeset	147 end
b0ccdd12a70d mod_http_oauth2: Prepare to handle multiple e.g. non-role scopes Kim Alvefur <zash@zash.se> parents: 5252 diff changeset	148
5502 fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	149 local openid_claims = set.new();
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	150 module:add_item("openid-claim", "openid");
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	151
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	152 module:handle_items("openid-claim", function(event)
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	153 authorization_server_metadata = nil;
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	154 openid_claims:add(event.item);
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	155 end, function()
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	156 authorization_server_metadata = nil;
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	157 openid_claims = set.new(module:get_host_items("openid-claim"));
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	158 end, true);
5337 8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	159
5449 9c19a6b8e542 mod_http_oauth2: Describe type signatures of scope handling functions Kim Alvefur <zash@zash.se> parents: 5448 diff changeset	160 -- array -> array, array, array
5417 3902082c42c4 mod_http_oauth2: Refactor scope handling into smaller functions Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	161 local function split_scopes(scope_list)
3902082c42c4 mod_http_oauth2: Refactor scope handling into smaller functions Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	162 local claims, roles, unknown = array(), array(), array();
3902082c42c4 mod_http_oauth2: Refactor scope handling into smaller functions Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	163 local all_roles = usermanager.get_all_roles(module.host);
3902082c42c4 mod_http_oauth2: Refactor scope handling into smaller functions Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	164 for _, scope in ipairs(scope_list) do
3902082c42c4 mod_http_oauth2: Refactor scope handling into smaller functions Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	165 if openid_claims:contains(scope) then
3902082c42c4 mod_http_oauth2: Refactor scope handling into smaller functions Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	166 claims:push(scope);
5467 1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5466 diff changeset	167 elseif scope == "xmpp" or all_roles[scope] then
5417 3902082c42c4 mod_http_oauth2: Refactor scope handling into smaller functions Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	168 roles:push(scope);
3902082c42c4 mod_http_oauth2: Refactor scope handling into smaller functions Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	169 else
3902082c42c4 mod_http_oauth2: Refactor scope handling into smaller functions Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	170 unknown:push(scope);
3902082c42c4 mod_http_oauth2: Refactor scope handling into smaller functions Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	171 end
3902082c42c4 mod_http_oauth2: Refactor scope handling into smaller functions Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	172 end
3902082c42c4 mod_http_oauth2: Refactor scope handling into smaller functions Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	173 return claims, roles, unknown;
3902082c42c4 mod_http_oauth2: Refactor scope handling into smaller functions Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	174 end
5254 b0ccdd12a70d mod_http_oauth2: Prepare to handle multiple e.g. non-role scopes Kim Alvefur <zash@zash.se> parents: 5252 diff changeset	175
5417 3902082c42c4 mod_http_oauth2: Refactor scope handling into smaller functions Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	176 local function can_assume_role(username, requested_role)
5467 1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5466 diff changeset	177 return requested_role == "xmpp" or usermanager.user_can_assume_role(username, module.host, requested_role);
5417 3902082c42c4 mod_http_oauth2: Refactor scope handling into smaller functions Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	178 end
3902082c42c4 mod_http_oauth2: Refactor scope handling into smaller functions Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	179
5449 9c19a6b8e542 mod_http_oauth2: Describe type signatures of scope handling functions Kim Alvefur <zash@zash.se> parents: 5448 diff changeset	180 -- function (string) : function(string) : boolean
5427 d69c10327d6d mod_http_oauth2: More functional functions Kim Alvefur <zash@zash.se> parents: 5426 diff changeset	181 local function role_assumable_by(username)
d69c10327d6d mod_http_oauth2: More functional functions Kim Alvefur <zash@zash.se> parents: 5426 diff changeset	182 return function(role)
d69c10327d6d mod_http_oauth2: More functional functions Kim Alvefur <zash@zash.se> parents: 5426 diff changeset	183 return can_assume_role(username, role);
d69c10327d6d mod_http_oauth2: More functional functions Kim Alvefur <zash@zash.se> parents: 5426 diff changeset	184 end
d69c10327d6d mod_http_oauth2: More functional functions Kim Alvefur <zash@zash.se> parents: 5426 diff changeset	185 end
d69c10327d6d mod_http_oauth2: More functional functions Kim Alvefur <zash@zash.se> parents: 5426 diff changeset	186
5449 9c19a6b8e542 mod_http_oauth2: Describe type signatures of scope handling functions Kim Alvefur <zash@zash.se> parents: 5448 diff changeset	187 -- string, array --> array
5426 f75d95f27da7 mod_http_oauth2: Add function for filtering roles Kim Alvefur <zash@zash.se> parents: 5425 diff changeset	188 local function user_assumable_roles(username, requested_roles)
5427 d69c10327d6d mod_http_oauth2: More functional functions Kim Alvefur <zash@zash.se> parents: 5426 diff changeset	189 return array.filter(requested_roles, role_assumable_by(username));
5426 f75d95f27da7 mod_http_oauth2: Add function for filtering roles Kim Alvefur <zash@zash.se> parents: 5425 diff changeset	190 end
f75d95f27da7 mod_http_oauth2: Add function for filtering roles Kim Alvefur <zash@zash.se> parents: 5425 diff changeset	191
5449 9c19a6b8e542 mod_http_oauth2: Describe type signatures of scope handling functions Kim Alvefur <zash@zash.se> parents: 5448 diff changeset	192 -- string, string\|nil --> string, string
5417 3902082c42c4 mod_http_oauth2: Refactor scope handling into smaller functions Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	193 local function filter_scopes(username, requested_scope_string)
5428 07e166b34c4c mod_http_oauth2: Simplify code with the power of first class functions Kim Alvefur <zash@zash.se> parents: 5427 diff changeset	194 local requested_scopes, requested_roles = split_scopes(parse_scopes(requested_scope_string or ""));
5417 3902082c42c4 mod_http_oauth2: Refactor scope handling into smaller functions Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	195
5428 07e166b34c4c mod_http_oauth2: Simplify code with the power of first class functions Kim Alvefur <zash@zash.se> parents: 5427 diff changeset	196 local granted_roles = user_assumable_roles(username, requested_roles);
07e166b34c4c mod_http_oauth2: Simplify code with the power of first class functions Kim Alvefur <zash@zash.se> parents: 5427 diff changeset	197 local granted_scopes = requested_scopes + granted_roles;
5417 3902082c42c4 mod_http_oauth2: Refactor scope handling into smaller functions Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	198
5428 07e166b34c4c mod_http_oauth2: Simplify code with the power of first class functions Kim Alvefur <zash@zash.se> parents: 5427 diff changeset	199 local selected_role = granted_roles[1];
5254 b0ccdd12a70d mod_http_oauth2: Prepare to handle multiple e.g. non-role scopes Kim Alvefur <zash@zash.se> parents: 5252 diff changeset	200
b0ccdd12a70d mod_http_oauth2: Prepare to handle multiple e.g. non-role scopes Kim Alvefur <zash@zash.se> parents: 5252 diff changeset	201 return granted_scopes:concat(" "), selected_role;
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	202 end
7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	203
5213 dc0f502c12f1 mod_http_oauth2: Fix authorization code logic Kim Alvefur <zash@zash.se> parents: 5210 diff changeset	204 local function code_expires_in(code) --> number, seconds until code expires
dc0f502c12f1 mod_http_oauth2: Fix authorization code logic Kim Alvefur <zash@zash.se> parents: 5210 diff changeset	205 return os.difftime(code.expires, os.time());
4669 d3434fd151b5 mod_http_oauth2: Optimize cleanup timer Kim Alvefur <zash@zash.se> parents: 4370 diff changeset	206 end
d3434fd151b5 mod_http_oauth2: Optimize cleanup timer Kim Alvefur <zash@zash.se> parents: 4370 diff changeset	207
5213 dc0f502c12f1 mod_http_oauth2: Fix authorization code logic Kim Alvefur <zash@zash.se> parents: 5210 diff changeset	208 local function code_expired(code) --> boolean, true: has expired, false: still valid
dc0f502c12f1 mod_http_oauth2: Fix authorization code logic Kim Alvefur <zash@zash.se> parents: 5210 diff changeset	209 return code_expires_in(code) < 0;
4269 143515d0b212 mod_http_oauth2: Factor out authorization code validity decision Kim Alvefur <zash@zash.se> parents: 4265 diff changeset	210 end
143515d0b212 mod_http_oauth2: Factor out authorization code validity decision Kim Alvefur <zash@zash.se> parents: 4265 diff changeset	211
4271 9623b99bb8d2 mod_http_oauth2: Keep authorization codes in memory instead of storage Kim Alvefur <zash@zash.se> parents: 4270 diff changeset	212 local codes = cache.new(10000, function (_, code)
9623b99bb8d2 mod_http_oauth2: Keep authorization codes in memory instead of storage Kim Alvefur <zash@zash.se> parents: 4270 diff changeset	213 return code_expired(code)
9623b99bb8d2 mod_http_oauth2: Keep authorization codes in memory instead of storage Kim Alvefur <zash@zash.se> parents: 4270 diff changeset	214 end);
9623b99bb8d2 mod_http_oauth2: Keep authorization codes in memory instead of storage Kim Alvefur <zash@zash.se> parents: 4270 diff changeset	215
5213 dc0f502c12f1 mod_http_oauth2: Fix authorization code logic Kim Alvefur <zash@zash.se> parents: 5210 diff changeset	216 -- Periodically clear out unredeemed codes. Does not need to be exact, expired
dc0f502c12f1 mod_http_oauth2: Fix authorization code logic Kim Alvefur <zash@zash.se> parents: 5210 diff changeset	217 -- codes are rejected if tried. Mostly just to keep memory usage in check.
5354 39d59d857bfb mod_http_oauth2: Use new mod_cron API for periodic cleanup Kim Alvefur <zash@zash.se> parents: 5341 diff changeset	218 module:hourly("Clear expired authorization codes", function()
4272 91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	219 local k, code = codes:tail();
91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	220 while code and code_expired(code) do
91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	221 codes:set(k, nil);
91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	222 k, code = codes:tail();
91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	223 end
91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	224 end)
91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	225
5207 c72e3b0914e8 mod_http_oauth: Factor out issuer URL calculation to a helper function Matthew Wild <mwild1@gmail.com> parents: 5206 diff changeset	226 local function get_issuer()
c72e3b0914e8 mod_http_oauth: Factor out issuer URL calculation to a helper function Matthew Wild <mwild1@gmail.com> parents: 5206 diff changeset	227 return (module:http_url(nil, "/"):gsub("/$", ""));
c72e3b0914e8 mod_http_oauth: Factor out issuer URL calculation to a helper function Matthew Wild <mwild1@gmail.com> parents: 5206 diff changeset	228 end
c72e3b0914e8 mod_http_oauth: Factor out issuer URL calculation to a helper function Matthew Wild <mwild1@gmail.com> parents: 5206 diff changeset	229
5458 813fe4f76286 mod_http_oauth2: Do minimal validation of private-use URI schemes Kim Alvefur <zash@zash.se> parents: 5457 diff changeset	230 -- Non-standard special redirect URI that has the AS show the authorization
813fe4f76286 mod_http_oauth2: Do minimal validation of private-use URI schemes Kim Alvefur <zash@zash.se> parents: 5457 diff changeset	231 -- code to the user for them to copy-paste into the client, which can then
813fe4f76286 mod_http_oauth2: Do minimal validation of private-use URI schemes Kim Alvefur <zash@zash.se> parents: 5457 diff changeset	232 -- continue as if it received it via redirect.
813fe4f76286 mod_http_oauth2: Do minimal validation of private-use URI schemes Kim Alvefur <zash@zash.se> parents: 5457 diff changeset	233 local oob_uri = "urn:ietf:wg:oauth:2.0:oob";
813fe4f76286 mod_http_oauth2: Do minimal validation of private-use URI schemes Kim Alvefur <zash@zash.se> parents: 5457 diff changeset	234
5209 942f8a2f722d mod_http_oauth2: Allow non-HTTPS on localhost URLs Matthew Wild <mwild1@gmail.com> parents: 5208 diff changeset	235 local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" });
942f8a2f722d mod_http_oauth2: Allow non-HTTPS on localhost URLs Matthew Wild <mwild1@gmail.com> parents: 5208 diff changeset	236
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	237 local function oauth_error(err_name, err_desc)
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	238 return errors.new({
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	239 type = "modify";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	240 condition = "bad-request";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	241 code = err_name == "invalid_client" and 401 or 400;
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	242 text = err_desc and (err_name..": "..err_desc) or err_name;
4276 ec33b3b1136c mod_http_oauth2: Fix passing OAuth-specific error details Kim Alvefur <zash@zash.se> parents: 4272 diff changeset	243 extra = { oauth2_response = { error = err_name, error_description = err_desc } };
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	244 });
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	245 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	246
5248 b8b2bf0c1b4b mod_http_oauth2: Record details of OAuth client a token is issued to Kim Alvefur <zash@zash.se> parents: 5247 diff changeset	247 -- client_id / client_metadata are pretty large, filter out a subset of
b8b2bf0c1b4b mod_http_oauth2: Record details of OAuth client a token is issued to Kim Alvefur <zash@zash.se> parents: 5247 diff changeset	248 -- properties that are deemed useful e.g. in case tokens issued to a certain
b8b2bf0c1b4b mod_http_oauth2: Record details of OAuth client a token is issued to Kim Alvefur <zash@zash.se> parents: 5247 diff changeset	249 -- client needs to be revoked
b8b2bf0c1b4b mod_http_oauth2: Record details of OAuth client a token is issued to Kim Alvefur <zash@zash.se> parents: 5247 diff changeset	250 local function client_subset(client)
5511 0860497152af mod_http_oauth2: Record hash of client_id to allow future verification Kim Alvefur <zash@zash.se> parents: 5510 diff changeset	251 return {
0860497152af mod_http_oauth2: Record hash of client_id to allow future verification Kim Alvefur <zash@zash.se> parents: 5510 diff changeset	252 name = client.client_name;
0860497152af mod_http_oauth2: Record hash of client_id to allow future verification Kim Alvefur <zash@zash.se> parents: 5510 diff changeset	253 uri = client.client_uri;
0860497152af mod_http_oauth2: Record hash of client_id to allow future verification Kim Alvefur <zash@zash.se> parents: 5510 diff changeset	254 id = client.software_id;
0860497152af mod_http_oauth2: Record hash of client_id to allow future verification Kim Alvefur <zash@zash.se> parents: 5510 diff changeset	255 version = client.software_version;
0860497152af mod_http_oauth2: Record hash of client_id to allow future verification Kim Alvefur <zash@zash.se> parents: 5510 diff changeset	256 hash = client.client_hash;
0860497152af mod_http_oauth2: Record hash of client_id to allow future verification Kim Alvefur <zash@zash.se> parents: 5510 diff changeset	257 };
5248 b8b2bf0c1b4b mod_http_oauth2: Record details of OAuth client a token is issued to Kim Alvefur <zash@zash.se> parents: 5247 diff changeset	258 end
b8b2bf0c1b4b mod_http_oauth2: Record details of OAuth client a token is issued to Kim Alvefur <zash@zash.se> parents: 5247 diff changeset	259
5279 2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	260 local function new_access_token(token_jid, role, scope_string, client, id_token, refresh_token_info)
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	261 local token_data = { oauth2_scopes = scope_string, oauth2_client = nil };
5248 b8b2bf0c1b4b mod_http_oauth2: Record details of OAuth client a token is issued to Kim Alvefur <zash@zash.se> parents: 5247 diff changeset	262 if client then
5254 b0ccdd12a70d mod_http_oauth2: Prepare to handle multiple e.g. non-role scopes Kim Alvefur <zash@zash.se> parents: 5252 diff changeset	263 token_data.oauth2_client = client_subset(client);
5248 b8b2bf0c1b4b mod_http_oauth2: Record details of OAuth client a token is issued to Kim Alvefur <zash@zash.se> parents: 5247 diff changeset	264 end
5254 b0ccdd12a70d mod_http_oauth2: Prepare to handle multiple e.g. non-role scopes Kim Alvefur <zash@zash.se> parents: 5252 diff changeset	265 if next(token_data) == nil then
b0ccdd12a70d mod_http_oauth2: Prepare to handle multiple e.g. non-role scopes Kim Alvefur <zash@zash.se> parents: 5252 diff changeset	266 token_data = nil;
b0ccdd12a70d mod_http_oauth2: Prepare to handle multiple e.g. non-role scopes Kim Alvefur <zash@zash.se> parents: 5252 diff changeset	267 end
5279 2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	268
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	269 local refresh_token;
5280 eb482defd9b0 mod_http_oauth2: Update to use new API of Prosody mod_tokenauth @ 601d9a375b86 Matthew Wild <mwild1@gmail.com> parents: 5279 diff changeset	270 local grant = refresh_token_info and refresh_token_info.grant;
eb482defd9b0 mod_http_oauth2: Update to use new API of Prosody mod_tokenauth @ 601d9a375b86 Matthew Wild <mwild1@gmail.com> parents: 5279 diff changeset	271 if not grant then
eb482defd9b0 mod_http_oauth2: Update to use new API of Prosody mod_tokenauth @ 601d9a375b86 Matthew Wild <mwild1@gmail.com> parents: 5279 diff changeset	272 -- No existing grant, create one
eb482defd9b0 mod_http_oauth2: Update to use new API of Prosody mod_tokenauth @ 601d9a375b86 Matthew Wild <mwild1@gmail.com> parents: 5279 diff changeset	273 grant = tokens.create_grant(token_jid, token_jid, default_refresh_ttl, token_data);
eb482defd9b0 mod_http_oauth2: Update to use new API of Prosody mod_tokenauth @ 601d9a375b86 Matthew Wild <mwild1@gmail.com> parents: 5279 diff changeset	274 -- Create refresh token for the grant if desired
eb482defd9b0 mod_http_oauth2: Update to use new API of Prosody mod_tokenauth @ 601d9a375b86 Matthew Wild <mwild1@gmail.com> parents: 5279 diff changeset	275 refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant, nil, nil, "oauth2-refresh");
5279 2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	276 else
5280 eb482defd9b0 mod_http_oauth2: Update to use new API of Prosody mod_tokenauth @ 601d9a375b86 Matthew Wild <mwild1@gmail.com> parents: 5279 diff changeset	277 -- Grant exists, reuse existing refresh token
eb482defd9b0 mod_http_oauth2: Update to use new API of Prosody mod_tokenauth @ 601d9a375b86 Matthew Wild <mwild1@gmail.com> parents: 5279 diff changeset	278 refresh_token = refresh_token_info.token;
5279 2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	279 end
5280 eb482defd9b0 mod_http_oauth2: Update to use new API of Prosody mod_tokenauth @ 601d9a375b86 Matthew Wild <mwild1@gmail.com> parents: 5279 diff changeset	280
5467 1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5466 diff changeset	281 if role == "xmpp" then
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5466 diff changeset	282 -- Special scope meaning the users default role.
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5466 diff changeset	283 local user_default_role = usermanager.get_user_role(jid.node(token_jid), module.host);
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5466 diff changeset	284 role = user_default_role and user_default_role.name;
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5466 diff changeset	285 end
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5466 diff changeset	286
5451 6705f2a09702 mod_http_oauth2: Reference grant by id instead of value Kim Alvefur <zash@zash.se> parents: 5450 diff changeset	287 local access_token, access_token_info = tokens.create_token(token_jid, grant.id, role, default_access_ttl, "oauth2");
5280 eb482defd9b0 mod_http_oauth2: Update to use new API of Prosody mod_tokenauth @ 601d9a375b86 Matthew Wild <mwild1@gmail.com> parents: 5279 diff changeset	288
5279 2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	289 local expires_at = access_token_info.expires;
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	290 return {
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	291 token_type = "bearer";
5279 2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	292 access_token = access_token;
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	293 expires_in = expires_at and (expires_at - os.time()) or nil;
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	294 scope = scope_string;
5257 b2120fb4a279 mod_http_oauth2: Implement and return ID Token in authorization code flow Kim Alvefur <zash@zash.se> parents: 5256 diff changeset	295 id_token = id_token;
5280 eb482defd9b0 mod_http_oauth2: Update to use new API of Prosody mod_tokenauth @ 601d9a375b86 Matthew Wild <mwild1@gmail.com> parents: 5279 diff changeset	296 refresh_token = refresh_token or nil;
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	297 };
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	298 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	299
5461 06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	300 local function normalize_loopback(uri)
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	301 local u = url.parse(uri);
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	302 if u.scheme == "http" and loopbacks:contains(u.host) then
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	303 u.authority = nil;
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	304 u.host = "::1";
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	305 u.port = nil;
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	306 return url.build(u);
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	307 end
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	308 -- else, not a valid loopback uri
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	309 end
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	310
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	311 local function get_redirect_uri(client, query_redirect_uri) -- record client, string : string
5219 25e824f64fd3 mod_http_oauth2: Improve handling of redirect_uri matching and fallback Matthew Wild <mwild1@gmail.com> parents: 5218 diff changeset	312 if not query_redirect_uri then
25e824f64fd3 mod_http_oauth2: Improve handling of redirect_uri matching and fallback Matthew Wild <mwild1@gmail.com> parents: 5218 diff changeset	313 if #client.redirect_uris ~= 1 then
25e824f64fd3 mod_http_oauth2: Improve handling of redirect_uri matching and fallback Matthew Wild <mwild1@gmail.com> parents: 5218 diff changeset	314 -- Client registered multiple URIs, it needs specify which one to use
25e824f64fd3 mod_http_oauth2: Improve handling of redirect_uri matching and fallback Matthew Wild <mwild1@gmail.com> parents: 5218 diff changeset	315 return;
25e824f64fd3 mod_http_oauth2: Improve handling of redirect_uri matching and fallback Matthew Wild <mwild1@gmail.com> parents: 5218 diff changeset	316 end
25e824f64fd3 mod_http_oauth2: Improve handling of redirect_uri matching and fallback Matthew Wild <mwild1@gmail.com> parents: 5218 diff changeset	317 -- When only a single URI is registered, that's the default
25e824f64fd3 mod_http_oauth2: Improve handling of redirect_uri matching and fallback Matthew Wild <mwild1@gmail.com> parents: 5218 diff changeset	318 return client.redirect_uris[1];
25e824f64fd3 mod_http_oauth2: Improve handling of redirect_uri matching and fallback Matthew Wild <mwild1@gmail.com> parents: 5218 diff changeset	319 end
25e824f64fd3 mod_http_oauth2: Improve handling of redirect_uri matching and fallback Matthew Wild <mwild1@gmail.com> parents: 5218 diff changeset	320 -- Verify the client-provided URI matches one previously registered
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	321 for _, redirect_uri in ipairs(client.redirect_uris) do
5219 25e824f64fd3 mod_http_oauth2: Improve handling of redirect_uri matching and fallback Matthew Wild <mwild1@gmail.com> parents: 5218 diff changeset	322 if query_redirect_uri == redirect_uri then
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	323 return redirect_uri
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	324 end
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	325 end
5461 06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	326 -- The authorization server MUST allow any port to be specified at the time
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	327 -- of the request for loopback IP redirect URIs, to accommodate clients that
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	328 -- obtain an available ephemeral port from the operating system at the time
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	329 -- of the request.
5460 c0d62c1b4424 mod_http_oauth2: Add FIXME about loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5459 diff changeset	330 -- https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-08.html#section-8.4.2
5461 06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	331 local loopback_redirect_uri = normalize_loopback(query_redirect_uri);
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	332 if loopback_redirect_uri then
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	333 for _, redirect_uri in ipairs(client.redirect_uris) do
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	334 if loopback_redirect_uri == normalize_loopback(redirect_uri) then
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	335 return query_redirect_uri;
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	336 end
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	337 end
06640647d193 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Kim Alvefur <zash@zash.se> parents: 5460 diff changeset	338 end
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	339 end
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	340
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	341 local grant_type_handlers = {};
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	342 local response_type_handlers = {};
5383 df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	343 local verifier_transforms = {};
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	344
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	345 function grant_type_handlers.password(params)
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	346 local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)"));
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	347 local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'"));
3919 8ed261a08a9c mod_http_oauth2: Allow creation of full JID tokens Kim Alvefur <zash@zash.se> parents: 3918 diff changeset	348 local request_username, request_host, request_resource = jid.prepped_split(request_jid);
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	349
3908 8ac5d9933106 mod_http_oauth2: Implement real tokens using mod_authtokens Matthew Wild <mwild1@gmail.com> parents: 3903 diff changeset	350 if not (request_username and request_host) or request_host ~= module.host then
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	351 return oauth_error("invalid_request", "invalid JID");
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	352 end
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	353 if not usermanager.test_password(request_username, request_host, request_password) then
7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	354 return oauth_error("invalid_grant", "incorrect credentials");
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	355 end
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	356
7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	357 local granted_jid = jid.join(request_username, request_host, request_resource);
5256 44f7edd4f845 mod_http_oauth2: Reject non-local hosts in more code paths Kim Alvefur <zash@zash.se> parents: 5255 diff changeset	358 local granted_scopes, granted_role = filter_scopes(request_username, params.scope);
5279 2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	359 return json.encode(new_access_token(granted_jid, granted_role, granted_scopes, nil));
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	360 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	361
5257 b2120fb4a279 mod_http_oauth2: Implement and return ID Token in authorization code flow Kim Alvefur <zash@zash.se> parents: 5256 diff changeset	362 function response_type_handlers.code(client, params, granted_jid, id_token)
5191 f5a58cbe86e4 mod_http_oauth2: Derive scope from correct user details Kim Alvefur <zash@zash.se> parents: 5190 diff changeset	363 local request_username, request_host = jid.split(granted_jid);
5256 44f7edd4f845 mod_http_oauth2: Reject non-local hosts in more code paths Kim Alvefur <zash@zash.se> parents: 5255 diff changeset	364 if not request_host or request_host ~= module.host then
44f7edd4f845 mod_http_oauth2: Reject non-local hosts in more code paths Kim Alvefur <zash@zash.se> parents: 5255 diff changeset	365 return oauth_error("invalid_request", "invalid JID");
44f7edd4f845 mod_http_oauth2: Reject non-local hosts in more code paths Kim Alvefur <zash@zash.se> parents: 5255 diff changeset	366 end
44f7edd4f845 mod_http_oauth2: Reject non-local hosts in more code paths Kim Alvefur <zash@zash.se> parents: 5255 diff changeset	367 local granted_scopes, granted_role = filter_scopes(request_username, params.scope);
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	368
5383 df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	369 if pkce_required and not params.code_challenge then
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	370 return oauth_error("invalid_request", "PKCE required");
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	371 end
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	372
5243 d5dc8edb2695 mod_http_oauth2: Use more compact IDs Kim Alvefur <zash@zash.se> parents: 5242 diff changeset	373 local code = id.medium();
4670 1b81b7269858 mod_http_oauth2: Gracefully handle cache write failure Kim Alvefur <zash@zash.se> parents: 4669 diff changeset	374 local ok = codes:set(params.client_id .. "#" .. code, {
5213 dc0f502c12f1 mod_http_oauth2: Fix authorization code logic Kim Alvefur <zash@zash.se> parents: 5210 diff changeset	375 expires = os.time() + 600;
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	376 granted_jid = granted_jid;
7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	377 granted_scopes = granted_scopes;
5254 b0ccdd12a70d mod_http_oauth2: Prepare to handle multiple e.g. non-role scopes Kim Alvefur <zash@zash.se> parents: 5252 diff changeset	378 granted_role = granted_role;
5383 df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	379 challenge = params.code_challenge;
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	380 challenge_method = params.code_challenge_method;
5257 b2120fb4a279 mod_http_oauth2: Implement and return ID Token in authorization code flow Kim Alvefur <zash@zash.se> parents: 5256 diff changeset	381 id_token = id_token;
4670 1b81b7269858 mod_http_oauth2: Gracefully handle cache write failure Kim Alvefur <zash@zash.se> parents: 4669 diff changeset	382 });
1b81b7269858 mod_http_oauth2: Gracefully handle cache write failure Kim Alvefur <zash@zash.se> parents: 4669 diff changeset	383 if not ok then
5476 575f52b15f5a mod_http_oauth2: Return OAuth error for authz code store error Kim Alvefur <zash@zash.se> parents: 5475 diff changeset	384 return oauth_error("temporarily_unavailable");
4670 1b81b7269858 mod_http_oauth2: Gracefully handle cache write failure Kim Alvefur <zash@zash.se> parents: 4669 diff changeset	385 end
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	386
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	387 local redirect_uri = get_redirect_uri(client, params.redirect_uri);
5458 813fe4f76286 mod_http_oauth2: Do minimal validation of private-use URI schemes Kim Alvefur <zash@zash.se> parents: 5457 diff changeset	388 if redirect_uri == oob_uri then
5495 7998b49d6512 mod_http_oauth2: Create proper template for OOB code delivery Kim Alvefur <zash@zash.se> parents: 5480 diff changeset	389 return render_page(templates.oob, { client = client; authorization_code = code }, true);
5219 25e824f64fd3 mod_http_oauth2: Improve handling of redirect_uri matching and fallback Matthew Wild <mwild1@gmail.com> parents: 5218 diff changeset	390 elseif not redirect_uri then
5462 f6d8830a83fe mod_http_oauth2: Return proper OAuth error for invalid redirect URI Kim Alvefur <zash@zash.se> parents: 5461 diff changeset	391 return oauth_error("invalid_redirect_uri");
5188 7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	392 end
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	393
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	394 local redirect = url.parse(redirect_uri);
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	395
5513 0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	396 local query = strict_formdecode(redirect.query);
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	397 if type(query) ~= "table" then query = {}; end
5192 03aa9baa9ac3 mod_http_oauth2: Add support for 'iss' authz response parameter (RFC 9207) Matthew Wild <mwild1@gmail.com> parents: 5191 diff changeset	398 table.insert(query, { name = "code", value = code });
5207 c72e3b0914e8 mod_http_oauth: Factor out issuer URL calculation to a helper function Matthew Wild <mwild1@gmail.com> parents: 5206 diff changeset	399 table.insert(query, { name = "iss", value = get_issuer() });
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	400 if params.state then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	401 table.insert(query, { name = "state", value = params.state });
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	402 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	403 redirect.query = http.formencode(query);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	404
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	405 return {
5210 898575a0c6f3 mod_http_oauth2: Switch to '303 See Other' redirects Matthew Wild <mwild1@gmail.com> parents: 5209 diff changeset	406 status_code = 303;
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	407 headers = {
5509 ae007be8a6bd mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 Kim Alvefur <zash@zash.se> parents: 5502 diff changeset	408 cache_control = "no-store";
ae007be8a6bd mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 Kim Alvefur <zash@zash.se> parents: 5502 diff changeset	409 pragma = "no-cache";
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	410 location = url.build(redirect);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	411 };
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	412 }
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	413 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	414
5186 fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	415 -- Implicit flow
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	416 function response_type_handlers.token(client, params, granted_jid)
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	417 local request_username, request_host = jid.split(granted_jid);
5256 44f7edd4f845 mod_http_oauth2: Reject non-local hosts in more code paths Kim Alvefur <zash@zash.se> parents: 5255 diff changeset	418 if not request_host or request_host ~= module.host then
44f7edd4f845 mod_http_oauth2: Reject non-local hosts in more code paths Kim Alvefur <zash@zash.se> parents: 5255 diff changeset	419 return oauth_error("invalid_request", "invalid JID");
44f7edd4f845 mod_http_oauth2: Reject non-local hosts in more code paths Kim Alvefur <zash@zash.se> parents: 5255 diff changeset	420 end
44f7edd4f845 mod_http_oauth2: Reject non-local hosts in more code paths Kim Alvefur <zash@zash.se> parents: 5255 diff changeset	421 local granted_scopes, granted_role = filter_scopes(request_username, params.scope);
5279 2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	422 local token_info = new_access_token(granted_jid, granted_role, granted_scopes, client, nil);
5186 fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	423
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	424 local redirect = url.parse(get_redirect_uri(client, params.redirect_uri));
5463 dacde53467f3 mod_http_oauth2: Proper OAuth error for invalid redirect URI in implicit flow too Kim Alvefur <zash@zash.se> parents: 5462 diff changeset	425 if not redirect then return oauth_error("invalid_redirect_uri"); end
5186 fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	426 token_info.state = params.state;
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	427 redirect.fragment = http.formencode(token_info);
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	428
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	429 return {
5210 898575a0c6f3 mod_http_oauth2: Switch to '303 See Other' redirects Matthew Wild <mwild1@gmail.com> parents: 5209 diff changeset	430 status_code = 303;
5186 fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	431 headers = {
5509 ae007be8a6bd mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 Kim Alvefur <zash@zash.se> parents: 5502 diff changeset	432 cache_control = "no-store";
ae007be8a6bd mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 Kim Alvefur <zash@zash.se> parents: 5502 diff changeset	433 pragma = "no-cache";
5186 fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	434 location = url.build(redirect);
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	435 };
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	436 }
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	437 end
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	438
5262 e73f364b5624 mod_http_oauth2: Rename oauth client credential related functions Kim Alvefur <zash@zash.se> parents: 5259 diff changeset	439 local function make_client_secret(client_id) --> client_secret
5199 f48628dc83f1 mod_http_oauth2: Separate client_secret verification key from JWT key Kim Alvefur <zash@zash.se> parents: 5198 diff changeset	440 return hashes.hmac_sha256(verification_key, client_id, true);
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	441 end
4263 d3af5f94d6df mod_http_oauth2: Improve storage of client secret Kim Alvefur <zash@zash.se> parents: 4260 diff changeset	442
5262 e73f364b5624 mod_http_oauth2: Rename oauth client credential related functions Kim Alvefur <zash@zash.se> parents: 5259 diff changeset	443 local function verify_client_secret(client_id, client_secret)
e73f364b5624 mod_http_oauth2: Rename oauth client credential related functions Kim Alvefur <zash@zash.se> parents: 5259 diff changeset	444 return hashes.equals(make_client_secret(client_id), client_secret);
4263 d3af5f94d6df mod_http_oauth2: Improve storage of client secret Kim Alvefur <zash@zash.se> parents: 4260 diff changeset	445 end
d3af5f94d6df mod_http_oauth2: Improve storage of client secret Kim Alvefur <zash@zash.se> parents: 4260 diff changeset	446
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	447 function grant_type_handlers.authorization_code(params)
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	448 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	449 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	450 if not params.code then return oauth_error("invalid_request", "missing 'code'"); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	451 if params.scope and params.scope ~= "" then
5450 d2594bbf7c36 mod_http_oauth2: Scope FIXMEs Kim Alvefur <zash@zash.se> parents: 5449 diff changeset	452 -- FIXME allow a subset of granted scopes
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	453 return oauth_error("invalid_scope", "unknown scope requested");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	454 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	455
5510 a49d73e4262e mod_http_oauth2: Add client verification wrapper function Kim Alvefur <zash@zash.se> parents: 5509 diff changeset	456 local client = check_client(params.client_id);
a49d73e4262e mod_http_oauth2: Add client verification wrapper function Kim Alvefur <zash@zash.se> parents: 5509 diff changeset	457 if not client then
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	458 return oauth_error("invalid_client", "incorrect credentials");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	459 end
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	460
5262 e73f364b5624 mod_http_oauth2: Rename oauth client credential related functions Kim Alvefur <zash@zash.se> parents: 5259 diff changeset	461 if not verify_client_secret(params.client_id, params.client_secret) then
4260 c539334dd01a mod_http_oauth2: Rescope oauth client config into users' storage Kim Alvefur <zash@zash.se> parents: 4259 diff changeset	462 module:log("debug", "client_secret mismatch");
c539334dd01a mod_http_oauth2: Rescope oauth client config into users' storage Kim Alvefur <zash@zash.se> parents: 4259 diff changeset	463 return oauth_error("invalid_client", "incorrect credentials");
c539334dd01a mod_http_oauth2: Rescope oauth client config into users' storage Kim Alvefur <zash@zash.se> parents: 4259 diff changeset	464 end
4271 9623b99bb8d2 mod_http_oauth2: Keep authorization codes in memory instead of storage Kim Alvefur <zash@zash.se> parents: 4270 diff changeset	465 local code, err = codes:get(params.client_id .. "#" .. params.code);
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	466 if err then error(err); end
5214 d5492bc861f6 mod_http_oauth2: Remove authorization codes after use Kim Alvefur <zash@zash.se> parents: 5213 diff changeset	467 -- MUST NOT use the authorization code more than once, so remove it to
d5492bc861f6 mod_http_oauth2: Remove authorization codes after use Kim Alvefur <zash@zash.se> parents: 5213 diff changeset	468 -- prevent a second attempted use
5550 4fda06be6b08 mod_http_oauth2: Make note about handling repeated Kim Alvefur <zash@zash.se> parents: 5549 diff changeset	469 -- TODO if a second attempt is made, revoke any tokens issued
5214 d5492bc861f6 mod_http_oauth2: Remove authorization codes after use Kim Alvefur <zash@zash.se> parents: 5213 diff changeset	470 codes:set(params.client_id .. "#" .. params.code, nil);
4269 143515d0b212 mod_http_oauth2: Factor out authorization code validity decision Kim Alvefur <zash@zash.se> parents: 4265 diff changeset	471 if not code or type(code) ~= "table" or code_expired(code) then
4260 c539334dd01a mod_http_oauth2: Rescope oauth client config into users' storage Kim Alvefur <zash@zash.se> parents: 4259 diff changeset	472 module:log("debug", "authorization_code invalid or expired: %q", code);
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	473 return oauth_error("invalid_client", "incorrect credentials");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	474 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	475
5383 df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	476 -- TODO Decide if the code should be removed or not when PKCE fails
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	477 local transform = verifier_transforms[code.challenge_method or "plain"];
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	478 if not transform then
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	479 return oauth_error("invalid_request", "unknown challenge transform method");
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	480 elseif transform(params.code_verifier) ~= code.challenge then
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	481 return oauth_error("invalid_grant", "incorrect credentials");
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	482 end
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	483
5279 2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	484 return json.encode(new_access_token(code.granted_jid, code.granted_role, code.granted_scopes, client, code.id_token));
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	485 end
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	486
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	487 function grant_type_handlers.refresh_token(params)
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	488 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	489 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	490 if not params.refresh_token then return oauth_error("invalid_request", "missing 'refresh_token'"); end
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	491
5510 a49d73e4262e mod_http_oauth2: Add client verification wrapper function Kim Alvefur <zash@zash.se> parents: 5509 diff changeset	492 local client = check_client(params.client_id);
a49d73e4262e mod_http_oauth2: Add client verification wrapper function Kim Alvefur <zash@zash.se> parents: 5509 diff changeset	493 if not client then
5279 2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	494 return oauth_error("invalid_client", "incorrect credentials");
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	495 end
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	496
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	497 if not verify_client_secret(params.client_id, params.client_secret) then
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	498 module:log("debug", "client_secret mismatch");
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	499 return oauth_error("invalid_client", "incorrect credentials");
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	500 end
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	501
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	502 local refresh_token_info = tokens.get_token_info(params.refresh_token);
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	503 if not refresh_token_info or refresh_token_info.purpose ~= "oauth2-refresh" then
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	504 return oauth_error("invalid_grant", "invalid refresh token");
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	505 end
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	506
5512 1fbc8718bed6 mod_http_oauth2: Bind refresh tokens to client Kim Alvefur <zash@zash.se> parents: 5511 diff changeset	507 local refresh_token_client = refresh_token_info.grant.data.oauth2_client;
1fbc8718bed6 mod_http_oauth2: Bind refresh tokens to client Kim Alvefur <zash@zash.se> parents: 5511 diff changeset	508 if not refresh_token_client.hash or refresh_token_client.hash ~= client.client_hash then
1fbc8718bed6 mod_http_oauth2: Bind refresh tokens to client Kim Alvefur <zash@zash.se> parents: 5511 diff changeset	509 module:log("warn", "OAuth client %q (%s) tried to use refresh token belonging to %q (%s)", client.client_name, client.client_hash,
1fbc8718bed6 mod_http_oauth2: Bind refresh tokens to client Kim Alvefur <zash@zash.se> parents: 5511 diff changeset	510 refresh_token_client.name, refresh_token_client.hash);
1fbc8718bed6 mod_http_oauth2: Bind refresh tokens to client Kim Alvefur <zash@zash.se> parents: 5511 diff changeset	511 return oauth_error("unauthorized_client", "incorrect credentials");
1fbc8718bed6 mod_http_oauth2: Bind refresh tokens to client Kim Alvefur <zash@zash.se> parents: 5511 diff changeset	512 end
1fbc8718bed6 mod_http_oauth2: Bind refresh tokens to client Kim Alvefur <zash@zash.se> parents: 5511 diff changeset	513
5446 dd7bddc87f98 mod_http_oauth2: Fix inclusion of role in refreshed access tokens Kim Alvefur <zash@zash.se> parents: 5445 diff changeset	514 local refresh_scopes = refresh_token_info.grant.data.oauth2_scopes;
5448 9d542e86e19a mod_http_oauth2: Allow requesting a subset of scopes on token refresh Kim Alvefur <zash@zash.se> parents: 5447 diff changeset	515
9d542e86e19a mod_http_oauth2: Allow requesting a subset of scopes on token refresh Kim Alvefur <zash@zash.se> parents: 5447 diff changeset	516 if params.scope then
9d542e86e19a mod_http_oauth2: Allow requesting a subset of scopes on token refresh Kim Alvefur <zash@zash.se> parents: 5447 diff changeset	517 local granted_scopes = set.new(parse_scopes(refresh_scopes));
9d542e86e19a mod_http_oauth2: Allow requesting a subset of scopes on token refresh Kim Alvefur <zash@zash.se> parents: 5447 diff changeset	518 local requested_scopes = parse_scopes(params.scope);
9d542e86e19a mod_http_oauth2: Allow requesting a subset of scopes on token refresh Kim Alvefur <zash@zash.se> parents: 5447 diff changeset	519 refresh_scopes = array.filter(requested_scopes, function(scope)
9d542e86e19a mod_http_oauth2: Allow requesting a subset of scopes on token refresh Kim Alvefur <zash@zash.se> parents: 5447 diff changeset	520 return granted_scopes:contains(scope);
9d542e86e19a mod_http_oauth2: Allow requesting a subset of scopes on token refresh Kim Alvefur <zash@zash.se> parents: 5447 diff changeset	521 end):concat(" ");
9d542e86e19a mod_http_oauth2: Allow requesting a subset of scopes on token refresh Kim Alvefur <zash@zash.se> parents: 5447 diff changeset	522 end
9d542e86e19a mod_http_oauth2: Allow requesting a subset of scopes on token refresh Kim Alvefur <zash@zash.se> parents: 5447 diff changeset	523
9d542e86e19a mod_http_oauth2: Allow requesting a subset of scopes on token refresh Kim Alvefur <zash@zash.se> parents: 5447 diff changeset	524 local username = jid.split(refresh_token_info.jid);
5446 dd7bddc87f98 mod_http_oauth2: Fix inclusion of role in refreshed access tokens Kim Alvefur <zash@zash.se> parents: 5445 diff changeset	525 local new_scopes, role = filter_scopes(username, refresh_scopes);
dd7bddc87f98 mod_http_oauth2: Fix inclusion of role in refreshed access tokens Kim Alvefur <zash@zash.se> parents: 5445 diff changeset	526
5279 2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	527 -- new_access_token() requires the actual token
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	528 refresh_token_info.token = params.refresh_token;
2b858cccac8f mod_http_oauth2: Add support for refresh tokens Matthew Wild <mwild1@gmail.com> parents: 5278 diff changeset	529
5448 9d542e86e19a mod_http_oauth2: Allow requesting a subset of scopes on token refresh Kim Alvefur <zash@zash.se> parents: 5447 diff changeset	530 return json.encode(new_access_token(refresh_token_info.jid, role, new_scopes, client, nil, refresh_token_info));
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	531 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	532
5383 df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	533 -- RFC 7636 Proof Key for Code Exchange by OAuth Public Clients
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	534
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	535 function verifier_transforms.plain(code_verifier)
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	536 -- code_challenge = code_verifier
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	537 return code_verifier;
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	538 end
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	539
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	540 function verifier_transforms.S256(code_verifier)
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	541 -- code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
5391 4aedce4fb95d mod_http_oauth2: Fix accidental uppercase in invocation of hash function Kim Alvefur <zash@zash.se> parents: 5390 diff changeset	542 return code_verifier and b64url(hashes.sha256(code_verifier));
5383 df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	543 end
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5382 diff changeset	544
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	545 -- Used to issue/verify short-lived tokens for the authorization process below
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	546 local new_user_token, verify_user_token = jwt.init("HS256", random.bytes(32), nil, { default_ttl = 600 });
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	547
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	548 -- From the given request, figure out if the user is authenticated and has granted consent yet
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	549 -- As this requires multiple steps (seek credentials, seek consent), we have a lot of state to
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	550 -- carry around across requests. We also need to protect against CSRF and session mix-up attacks
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	551 -- (e.g. the user may have multiple concurrent flows in progress, session cookies aren't unique
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	552 -- to one of them).
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	553 -- Our strategy here is to preserve the original query string (containing the authz request), and
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	554 -- encode the rest of the flow in form POSTs.
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	555 local function get_auth_state(request)
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	556 local form = request.method == "POST"
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	557 and request.body
5276 67777cb7353d mod_http_oauth2: Pedantic optimization Kim Alvefur <zash@zash.se> parents: 5273 diff changeset	558 and request.body ~= ""
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	559 and request.headers.content_type == "application/x-www-form-urlencoded"
5514 61b8d3eb91a4 mod_http_oauth2: Revert strict form check to allow consent of multiple scopes Kim Alvefur <zash@zash.se> parents: 5513 diff changeset	560 and http.formdecode(request.body);
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	561
5277 a1055024b94e mod_http_oauth2: Stricten check of urlencoded form data Kim Alvefur <zash@zash.se> parents: 5276 diff changeset	562 if type(form) ~= "table" then return {}; end
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	563
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	564 if not form.user_token then
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	565 -- First step: login
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	566 local username = encodings.stringprep.nodeprep(form.username);
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	567 local password = encodings.stringprep.saslprep(form.password);
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	568 if not (username and password) or not usermanager.test_password(username, module.host, password) then
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	569 return {
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	570 error = "Invalid username/password";
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	571 };
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	572 end
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	573 return {
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	574 user = {
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	575 username = username;
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	576 host = module.host;
5519 83ebfc367169 mod_http_oauth2: Return Authentication Time per OpenID Core Section 2 Kim Alvefur <zash@zash.se> parents: 5518 diff changeset	577 token = new_user_token({ username = username; host = module.host; auth_time = os.time() });
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	578 };
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	579 };
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	580 elseif form.user_token and form.consent then
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	581 -- Second step: consent
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	582 local ok, user = verify_user_token(form.user_token);
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	583 if not ok then
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	584 return {
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	585 error = user == "token-expired" and "Session expired - try again" or nil;
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	586 };
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	587 end
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	588
5447 aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	589 local scopes = array():append(form):filter(function(field)
5424 b45d9a81b3da mod_http_oauth2: Revert role selector, going to try something else Kim Alvefur <zash@zash.se> parents: 5423 diff changeset	590 return field.name == "scope";
5447 aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	591 end):pluck("value");
5271 3a1df3adad0c mod_http_oauth2: Allow user to decide which requested scopes to grant Kim Alvefur <zash@zash.se> parents: 5268 diff changeset	592
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	593 user.token = form.user_token;
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	594 return {
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	595 user = user;
5447 aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	596 scopes = scopes;
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	597 consent = form.consent == "granted";
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	598 };
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	599 end
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	600
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	601 return {};
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	602 end
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	603
5222 578a72982bb2 mod_http_oauth2: Separate extracting credentials from requests and verifying Matthew Wild <mwild1@gmail.com> parents: 5221 diff changeset	604 local function get_request_credentials(request)
5224 cd5cf4cc6304 mod_http_oauth2: Fail early when no authorization header present Matthew Wild <mwild1@gmail.com> parents: 5223 diff changeset	605 if not request.headers.authorization then return; end
cd5cf4cc6304 mod_http_oauth2: Fail early when no authorization header present Matthew Wild <mwild1@gmail.com> parents: 5223 diff changeset	606
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	607 local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	608
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	609 if auth_type == "Basic" then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	610 local creds = base64.decode(auth_data);
5222 578a72982bb2 mod_http_oauth2: Separate extracting credentials from requests and verifying Matthew Wild <mwild1@gmail.com> parents: 5221 diff changeset	611 if not creds then return; end
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	612 local username, password = string.match(creds, "^([^:]+):(.*)$");
5222 578a72982bb2 mod_http_oauth2: Separate extracting credentials from requests and verifying Matthew Wild <mwild1@gmail.com> parents: 5221 diff changeset	613 if not username then return; end
578a72982bb2 mod_http_oauth2: Separate extracting credentials from requests and verifying Matthew Wild <mwild1@gmail.com> parents: 5221 diff changeset	614 return {
578a72982bb2 mod_http_oauth2: Separate extracting credentials from requests and verifying Matthew Wild <mwild1@gmail.com> parents: 5221 diff changeset	615 type = "basic";
578a72982bb2 mod_http_oauth2: Separate extracting credentials from requests and verifying Matthew Wild <mwild1@gmail.com> parents: 5221 diff changeset	616 username = username;
578a72982bb2 mod_http_oauth2: Separate extracting credentials from requests and verifying Matthew Wild <mwild1@gmail.com> parents: 5221 diff changeset	617 password = password;
578a72982bb2 mod_http_oauth2: Separate extracting credentials from requests and verifying Matthew Wild <mwild1@gmail.com> parents: 5221 diff changeset	618 };
578a72982bb2 mod_http_oauth2: Separate extracting credentials from requests and verifying Matthew Wild <mwild1@gmail.com> parents: 5221 diff changeset	619 elseif auth_type == "Bearer" then
578a72982bb2 mod_http_oauth2: Separate extracting credentials from requests and verifying Matthew Wild <mwild1@gmail.com> parents: 5221 diff changeset	620 return {
578a72982bb2 mod_http_oauth2: Separate extracting credentials from requests and verifying Matthew Wild <mwild1@gmail.com> parents: 5221 diff changeset	621 type = "bearer";
578a72982bb2 mod_http_oauth2: Separate extracting credentials from requests and verifying Matthew Wild <mwild1@gmail.com> parents: 5221 diff changeset	622 bearer_token = auth_data;
578a72982bb2 mod_http_oauth2: Separate extracting credentials from requests and verifying Matthew Wild <mwild1@gmail.com> parents: 5221 diff changeset	623 };
578a72982bb2 mod_http_oauth2: Separate extracting credentials from requests and verifying Matthew Wild <mwild1@gmail.com> parents: 5221 diff changeset	624 end
578a72982bb2 mod_http_oauth2: Separate extracting credentials from requests and verifying Matthew Wild <mwild1@gmail.com> parents: 5221 diff changeset	625
578a72982bb2 mod_http_oauth2: Separate extracting credentials from requests and verifying Matthew Wild <mwild1@gmail.com> parents: 5221 diff changeset	626 return nil;
578a72982bb2 mod_http_oauth2: Separate extracting credentials from requests and verifying Matthew Wild <mwild1@gmail.com> parents: 5221 diff changeset	627 end
578a72982bb2 mod_http_oauth2: Separate extracting credentials from requests and verifying Matthew Wild <mwild1@gmail.com> parents: 5221 diff changeset	628
3920 cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	629 if module:get_host_type() == "component" then
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	630 local component_secret = assert(module:get_option_string("component_secret"), "'component_secret' is a required setting when loaded on a Component");
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	631
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	632 function grant_type_handlers.password(params)
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	633 local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)"));
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	634 local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'"));
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	635 local request_username, request_host, request_resource = jid.prepped_split(request_jid);
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	636 if params.scope then
5450 d2594bbf7c36 mod_http_oauth2: Scope FIXMEs Kim Alvefur <zash@zash.se> parents: 5449 diff changeset	637 -- TODO shouldn't we support scopes / roles here?
3920 cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	638 return oauth_error("invalid_scope", "unknown scope requested");
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	639 end
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	640 if not request_host or request_host ~= module.host then
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	641 return oauth_error("invalid_request", "invalid JID");
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	642 end
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	643 if request_password == component_secret then
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	644 local granted_jid = jid.join(request_username, request_host, request_resource);
5254 b0ccdd12a70d mod_http_oauth2: Prepare to handle multiple e.g. non-role scopes Kim Alvefur <zash@zash.se> parents: 5252 diff changeset	645 return json.encode(new_access_token(granted_jid, nil, nil, nil));
3920 cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	646 end
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	647 return oauth_error("invalid_grant", "incorrect credentials");
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	648 end
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	649
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	650 -- TODO How would this make sense with components?
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	651 -- Have an admin authenticate maybe?
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	652 response_type_handlers.code = nil;
5186 fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	653 response_type_handlers.token = nil;
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	654 grant_type_handlers.authorization_code = nil;
3920 cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	655 end
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	656
5472 b80b6947b079 mod_http_oauth2: Always show early errors to user Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	657 local function render_error(err)
b80b6947b079 mod_http_oauth2: Always show early errors to user Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	658 return render_page(templates.error, { error = err });
b80b6947b079 mod_http_oauth2: Always show early errors to user Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	659 end
b80b6947b079 mod_http_oauth2: Always show early errors to user Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	660
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	661 -- OAuth errors should be returned to the client if possible, i.e. by
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	662 -- appending the error information to the redirect_uri and sending the
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	663 -- redirect to the user-agent. In some cases we can't do this, e.g. if
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	664 -- the redirect_uri is missing or invalid. In those cases, we render an
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	665 -- error directly to the user-agent.
5477 5986e0edd7a3 mod_http_oauth2: Use validated redirect URI when returning errors to client Kim Alvefur <zash@zash.se> parents: 5476 diff changeset	666 local function error_response(request, redirect_uri, err)
5478 af105c7a24b2 mod_http_oauth2: Always render errors as HTML for OOB redirect URI Kim Alvefur <zash@zash.se> parents: 5477 diff changeset	667 if not redirect_uri or redirect_uri == oob_uri then
5472 b80b6947b079 mod_http_oauth2: Always show early errors to user Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	668 return render_error(err);
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	669 end
5513 0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	670 local q = strict_formdecode(request.url.query);
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	671 local redirect_query = url.parse(redirect_uri);
5229 c24a622a7b85 mod_http_oauth2: Fix appending of query parts in error redirects Kim Alvefur <zash@zash.se> parents: 5228 diff changeset	672 local sep = redirect_query.query and "&" or "?";
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	673 redirect_uri = redirect_uri
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	674 .. sep .. http.formencode(err.extra.oauth2_response)
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	675 .. "&" .. http.formencode({ state = q.state, iss = get_issuer() });
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	676 module:log("warn", "Sending error response to client via redirect to %s", redirect_uri);
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	677 return {
5210 898575a0c6f3 mod_http_oauth2: Switch to '303 See Other' redirects Matthew Wild <mwild1@gmail.com> parents: 5209 diff changeset	678 status_code = 303;
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	679 headers = {
5509 ae007be8a6bd mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 Kim Alvefur <zash@zash.se> parents: 5502 diff changeset	680 cache_control = "no-store";
ae007be8a6bd mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 Kim Alvefur <zash@zash.se> parents: 5502 diff changeset	681 pragma = "no-cache";
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	682 location = redirect_uri;
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	683 };
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	684 };
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	685 end
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	686
5549 01a0b67a9afd mod_http_oauth2: Add TODO about disabling password grant Kim Alvefur <zash@zash.se> parents: 5548 diff changeset	687 local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", {
01a0b67a9afd mod_http_oauth2: Add TODO about disabling password grant Kim Alvefur <zash@zash.se> parents: 5548 diff changeset	688 "authorization_code";
01a0b67a9afd mod_http_oauth2: Add TODO about disabling password grant Kim Alvefur <zash@zash.se> parents: 5548 diff changeset	689 "password"; -- TODO Disable. The resource owner password credentials grant [RFC6749] MUST NOT be used.
01a0b67a9afd mod_http_oauth2: Add TODO about disabling password grant Kim Alvefur <zash@zash.se> parents: 5548 diff changeset	690 "refresh_token";
01a0b67a9afd mod_http_oauth2: Add TODO about disabling password grant Kim Alvefur <zash@zash.se> parents: 5548 diff changeset	691 })
5187 6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	692 for handler_type in pairs(grant_type_handlers) do
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	693 if not allowed_grant_type_handlers:contains(handler_type) then
5230 ac252db71027 mod_http_oauth2: Log flows enabled and disabled Kim Alvefur <zash@zash.se> parents: 5229 diff changeset	694 module:log("debug", "Grant type %q disabled", handler_type);
5187 6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	695 grant_type_handlers[handler_type] = nil;
5230 ac252db71027 mod_http_oauth2: Log flows enabled and disabled Kim Alvefur <zash@zash.se> parents: 5229 diff changeset	696 else
ac252db71027 mod_http_oauth2: Log flows enabled and disabled Kim Alvefur <zash@zash.se> parents: 5229 diff changeset	697 module:log("debug", "Grant type %q enabled", handler_type);
5187 6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	698 end
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	699 end
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	700
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	701 -- "token" aka implicit flow is considered insecure
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	702 local allowed_response_type_handlers = module:get_option_set("allowed_oauth2_response_types", {"code"})
5198 2e8a7a0f932d mod_http_oauth2: Fix response type config Kim Alvefur <zash@zash.se> parents: 5196 diff changeset	703 for handler_type in pairs(response_type_handlers) do
2e8a7a0f932d mod_http_oauth2: Fix response type config Kim Alvefur <zash@zash.se> parents: 5196 diff changeset	704 if not allowed_response_type_handlers:contains(handler_type) then
5230 ac252db71027 mod_http_oauth2: Log flows enabled and disabled Kim Alvefur <zash@zash.se> parents: 5229 diff changeset	705 module:log("debug", "Response type %q disabled", handler_type);
5231 bef543068077 mod_http_oauth2: Fix to disable disabled response handlers correctly Kim Alvefur <zash@zash.se> parents: 5230 diff changeset	706 response_type_handlers[handler_type] = nil;
5230 ac252db71027 mod_http_oauth2: Log flows enabled and disabled Kim Alvefur <zash@zash.se> parents: 5229 diff changeset	707 else
ac252db71027 mod_http_oauth2: Log flows enabled and disabled Kim Alvefur <zash@zash.se> parents: 5229 diff changeset	708 module:log("debug", "Response type %q enabled", handler_type);
5187 6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	709 end
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	710 end
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	711
5384 b40f29ec391a mod_http_oauth2: Allow configuring PKCE challenge methods Kim Alvefur <zash@zash.se> parents: 5383 diff changeset	712 local allowed_challenge_methods = module:get_option_set("allowed_oauth2_code_challenge_methods", { "plain"; "S256" })
b40f29ec391a mod_http_oauth2: Allow configuring PKCE challenge methods Kim Alvefur <zash@zash.se> parents: 5383 diff changeset	713 for handler_type in pairs(verifier_transforms) do
b40f29ec391a mod_http_oauth2: Allow configuring PKCE challenge methods Kim Alvefur <zash@zash.se> parents: 5383 diff changeset	714 if not allowed_challenge_methods:contains(handler_type) then
b40f29ec391a mod_http_oauth2: Allow configuring PKCE challenge methods Kim Alvefur <zash@zash.se> parents: 5383 diff changeset	715 module:log("debug", "Challenge method %q disabled", handler_type);
b40f29ec391a mod_http_oauth2: Allow configuring PKCE challenge methods Kim Alvefur <zash@zash.se> parents: 5383 diff changeset	716 verifier_transforms[handler_type] = nil;
b40f29ec391a mod_http_oauth2: Allow configuring PKCE challenge methods Kim Alvefur <zash@zash.se> parents: 5383 diff changeset	717 else
b40f29ec391a mod_http_oauth2: Allow configuring PKCE challenge methods Kim Alvefur <zash@zash.se> parents: 5383 diff changeset	718 module:log("debug", "Challenge method %q enabled", handler_type);
b40f29ec391a mod_http_oauth2: Allow configuring PKCE challenge methods Kim Alvefur <zash@zash.se> parents: 5383 diff changeset	719 end
b40f29ec391a mod_http_oauth2: Allow configuring PKCE challenge methods Kim Alvefur <zash@zash.se> parents: 5383 diff changeset	720 end
b40f29ec391a mod_http_oauth2: Allow configuring PKCE challenge methods Kim Alvefur <zash@zash.se> parents: 5383 diff changeset	721
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	722 function handle_token_grant(event)
5223 8b2a36847912 mod_http_oauth2: Support HTTP Basic auth on token endpoint Matthew Wild <mwild1@gmail.com> parents: 5222 diff changeset	723 local credentials = get_request_credentials(event.request);
8b2a36847912 mod_http_oauth2: Support HTTP Basic auth on token endpoint Matthew Wild <mwild1@gmail.com> parents: 5222 diff changeset	724
3934 469408682152 mod_http_oauth2: Set content type on successful repsponses (fixes #1501) Kim Alvefur <zash@zash.se> parents: 3920 diff changeset	725 event.response.headers.content_type = "application/json";
5509 ae007be8a6bd mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 Kim Alvefur <zash@zash.se> parents: 5502 diff changeset	726 event.response.headers.cache_control = "no-store";
ae007be8a6bd mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 Kim Alvefur <zash@zash.se> parents: 5502 diff changeset	727 event.response.headers.pragma = "no-cache";
5513 0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	728 local params = strict_formdecode(event.request.body);
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	729 if not params then
5474 d0b93105b289 mod_http_oauth2: Don't return redirects or HTML from token endpoint Kim Alvefur <zash@zash.se> parents: 5473 diff changeset	730 return oauth_error("invalid_request");
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	731 end
5223 8b2a36847912 mod_http_oauth2: Support HTTP Basic auth on token endpoint Matthew Wild <mwild1@gmail.com> parents: 5222 diff changeset	732
5225 3439eb37f23b mod_http_oauth2: token endpoint: handle missing credentials Matthew Wild <mwild1@gmail.com> parents: 5224 diff changeset	733 if credentials and credentials.type == "basic" then
5385 544b92750a2a mod_http_oauth2: Advertise supported token endpoint auth methods Kim Alvefur <zash@zash.se> parents: 5384 diff changeset	734 -- client_secret_basic converted internally to client_secret_post
5223 8b2a36847912 mod_http_oauth2: Support HTTP Basic auth on token endpoint Matthew Wild <mwild1@gmail.com> parents: 5222 diff changeset	735 params.client_id = http.urldecode(credentials.username);
8b2a36847912 mod_http_oauth2: Support HTTP Basic auth on token endpoint Matthew Wild <mwild1@gmail.com> parents: 5222 diff changeset	736 params.client_secret = http.urldecode(credentials.password);
8b2a36847912 mod_http_oauth2: Support HTTP Basic auth on token endpoint Matthew Wild <mwild1@gmail.com> parents: 5222 diff changeset	737 end
8b2a36847912 mod_http_oauth2: Support HTTP Basic auth on token endpoint Matthew Wild <mwild1@gmail.com> parents: 5222 diff changeset	738
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	739 local grant_type = params.grant_type
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	740 local grant_handler = grant_type_handlers[grant_type];
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	741 if not grant_handler then
5474 d0b93105b289 mod_http_oauth2: Don't return redirects or HTML from token endpoint Kim Alvefur <zash@zash.se> parents: 5473 diff changeset	742 return oauth_error("invalid_request");
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	743 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	744 return grant_handler(params);
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	745 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	746
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	747 local function handle_authorization_request(event)
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	748 local request = event.request;
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	749
5472 b80b6947b079 mod_http_oauth2: Always show early errors to user Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	750 -- Directly returning errors to the user before we have a validated client object
4258 cc712899becd mod_http_oauth2: Unpack event object to improve readability Kim Alvefur <zash@zash.se> parents: 4257 diff changeset	751 if not request.url.query then
5472 b80b6947b079 mod_http_oauth2: Always show early errors to user Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	752 return render_error(oauth_error("invalid_request", "Missing query parameters"));
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	753 end
5513 0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	754 local params = strict_formdecode(request.url.query);
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	755 if not params then
5472 b80b6947b079 mod_http_oauth2: Always show early errors to user Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	756 return render_error(oauth_error("invalid_request", "Invalid query parameters"));
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	757 end
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	758
5471 d4d333cb75b2 mod_http_oauth2: Clarify some error messages Kim Alvefur <zash@zash.se> parents: 5470 diff changeset	759 if not params.client_id then
5472 b80b6947b079 mod_http_oauth2: Always show early errors to user Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	760 return render_error(oauth_error("invalid_request", "Missing 'client_id' parameter"));
5471 d4d333cb75b2 mod_http_oauth2: Clarify some error messages Kim Alvefur <zash@zash.se> parents: 5470 diff changeset	761 end
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	762
5510 a49d73e4262e mod_http_oauth2: Add client verification wrapper function Kim Alvefur <zash@zash.se> parents: 5509 diff changeset	763 local client = check_client(params.client_id);
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	764
5510 a49d73e4262e mod_http_oauth2: Add client verification wrapper function Kim Alvefur <zash@zash.se> parents: 5509 diff changeset	765 if not client then
5472 b80b6947b079 mod_http_oauth2: Always show early errors to user Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	766 return render_error(oauth_error("invalid_request", "Invalid 'client_id' parameter"));
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	767 end
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	768
5477 5986e0edd7a3 mod_http_oauth2: Use validated redirect URI when returning errors to client Kim Alvefur <zash@zash.se> parents: 5476 diff changeset	769 local redirect_uri = get_redirect_uri(client, params.redirect_uri);
5986e0edd7a3 mod_http_oauth2: Use validated redirect URI when returning errors to client Kim Alvefur <zash@zash.se> parents: 5476 diff changeset	770 if not redirect_uri then
5475 022733437fef mod_http_oauth2: Validate redirect_uri before using it for error redirects Kim Alvefur <zash@zash.se> parents: 5474 diff changeset	771 return render_error(oauth_error("invalid_request", "Invalid 'redirect_uri' parameter"));
022733437fef mod_http_oauth2: Validate redirect_uri before using it for error redirects Kim Alvefur <zash@zash.se> parents: 5474 diff changeset	772 end
022733437fef mod_http_oauth2: Validate redirect_uri before using it for error redirects Kim Alvefur <zash@zash.se> parents: 5474 diff changeset	773 -- From this point we know that redirect_uri is safe to use
022733437fef mod_http_oauth2: Validate redirect_uri before using it for error redirects Kim Alvefur <zash@zash.se> parents: 5474 diff changeset	774
5405 c7a5caad28ef mod_http_oauth2: Enforce response type encoded in client_id Kim Alvefur <zash@zash.se> parents: 5404 diff changeset	775 local client_response_types = set.new(array(client.response_types or { "code" }));
c7a5caad28ef mod_http_oauth2: Enforce response type encoded in client_id Kim Alvefur <zash@zash.se> parents: 5404 diff changeset	776 client_response_types = set.intersection(client_response_types, allowed_response_type_handlers);
c7a5caad28ef mod_http_oauth2: Enforce response type encoded in client_id Kim Alvefur <zash@zash.se> parents: 5404 diff changeset	777 if not client_response_types:contains(params.response_type) then
5477 5986e0edd7a3 mod_http_oauth2: Use validated redirect URI when returning errors to client Kim Alvefur <zash@zash.se> parents: 5476 diff changeset	778 return error_response(request, redirect_uri, oauth_error("invalid_client", "'response_type' not allowed"));
5405 c7a5caad28ef mod_http_oauth2: Enforce response type encoded in client_id Kim Alvefur <zash@zash.se> parents: 5404 diff changeset	779 end
c7a5caad28ef mod_http_oauth2: Enforce response type encoded in client_id Kim Alvefur <zash@zash.se> parents: 5404 diff changeset	780
5447 aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	781 local requested_scopes = parse_scopes(params.scope or "");
aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	782 if client.scope then
aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	783 local client_scopes = set.new(parse_scopes(client.scope));
aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	784 requested_scopes:filter(function(scope)
aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	785 return client_scopes:contains(scope);
aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	786 end);
aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	787 end
aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	788
5518 d87d0e4a8516 mod_http_oauth2: Validate the OpenID 'prompt' parameter Kim Alvefur <zash@zash.se> parents: 5514 diff changeset	789 -- The 'prompt' parameter from OpenID Core
d87d0e4a8516 mod_http_oauth2: Validate the OpenID 'prompt' parameter Kim Alvefur <zash@zash.se> parents: 5514 diff changeset	790 local prompt = set.new(parse_scopes(params.prompt or "select_account login consent"));
d87d0e4a8516 mod_http_oauth2: Validate the OpenID 'prompt' parameter Kim Alvefur <zash@zash.se> parents: 5514 diff changeset	791 if prompt:contains("none") then
d87d0e4a8516 mod_http_oauth2: Validate the OpenID 'prompt' parameter Kim Alvefur <zash@zash.se> parents: 5514 diff changeset	792 -- Client wants no interaction, only confirmation of prior login and
d87d0e4a8516 mod_http_oauth2: Validate the OpenID 'prompt' parameter Kim Alvefur <zash@zash.se> parents: 5514 diff changeset	793 -- consent, but this is not implemented.
d87d0e4a8516 mod_http_oauth2: Validate the OpenID 'prompt' parameter Kim Alvefur <zash@zash.se> parents: 5514 diff changeset	794 return error_response(request, redirect_uri, oauth_error("interaction_required"));
d87d0e4a8516 mod_http_oauth2: Validate the OpenID 'prompt' parameter Kim Alvefur <zash@zash.se> parents: 5514 diff changeset	795 elseif not prompt:contains("select_account") then
d87d0e4a8516 mod_http_oauth2: Validate the OpenID 'prompt' parameter Kim Alvefur <zash@zash.se> parents: 5514 diff changeset	796 -- TODO If the login page is split into account selection followed by login
d87d0e4a8516 mod_http_oauth2: Validate the OpenID 'prompt' parameter Kim Alvefur <zash@zash.se> parents: 5514 diff changeset	797 -- (e.g. password), and then the account selection could be skipped iff the
d87d0e4a8516 mod_http_oauth2: Validate the OpenID 'prompt' parameter Kim Alvefur <zash@zash.se> parents: 5514 diff changeset	798 -- 'login_hint' parameter is present.
d87d0e4a8516 mod_http_oauth2: Validate the OpenID 'prompt' parameter Kim Alvefur <zash@zash.se> parents: 5514 diff changeset	799 return error_response(request, redirect_uri, oauth_error("account_selection_required"));
d87d0e4a8516 mod_http_oauth2: Validate the OpenID 'prompt' parameter Kim Alvefur <zash@zash.se> parents: 5514 diff changeset	800 elseif not prompt:contains("login") then
d87d0e4a8516 mod_http_oauth2: Validate the OpenID 'prompt' parameter Kim Alvefur <zash@zash.se> parents: 5514 diff changeset	801 -- Currently no cookies or such are used, so login is required every time.
d87d0e4a8516 mod_http_oauth2: Validate the OpenID 'prompt' parameter Kim Alvefur <zash@zash.se> parents: 5514 diff changeset	802 return error_response(request, redirect_uri, oauth_error("login_required"));
d87d0e4a8516 mod_http_oauth2: Validate the OpenID 'prompt' parameter Kim Alvefur <zash@zash.se> parents: 5514 diff changeset	803 elseif not prompt:contains("consent") then
d87d0e4a8516 mod_http_oauth2: Validate the OpenID 'prompt' parameter Kim Alvefur <zash@zash.se> parents: 5514 diff changeset	804 -- Are there any circumstances when consent would be implied or assumed?
d87d0e4a8516 mod_http_oauth2: Validate the OpenID 'prompt' parameter Kim Alvefur <zash@zash.se> parents: 5514 diff changeset	805 return error_response(request, redirect_uri, oauth_error("consent_required"));
d87d0e4a8516 mod_http_oauth2: Validate the OpenID 'prompt' parameter Kim Alvefur <zash@zash.se> parents: 5514 diff changeset	806 end
d87d0e4a8516 mod_http_oauth2: Validate the OpenID 'prompt' parameter Kim Alvefur <zash@zash.se> parents: 5514 diff changeset	807
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	808 local auth_state = get_auth_state(request);
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	809 if not auth_state.user then
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	810 -- Render login page
5466 398d936e77fb mod_http_oauth2: Add support for the OpenID 'login_hint' parameter Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	811 local extra = {};
398d936e77fb mod_http_oauth2: Add support for the OpenID 'login_hint' parameter Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	812 if params.login_hint then
398d936e77fb mod_http_oauth2: Add support for the OpenID 'login_hint' parameter Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	813 extra.username_hint = (jid.prepped_split(params.login_hint));
398d936e77fb mod_http_oauth2: Add support for the OpenID 'login_hint' parameter Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	814 end
398d936e77fb mod_http_oauth2: Add support for the OpenID 'login_hint' parameter Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	815 return render_page(templates.login, { state = auth_state; client = client; extra = extra });
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	816 elseif auth_state.consent == nil then
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	817 -- Render consent page
5447 aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	818 local scopes, roles = split_scopes(requested_scopes);
5452 b071d8ee6555 mod_http_oauth2: Show only roles the user can use in consent dialog Kim Alvefur <zash@zash.se> parents: 5451 diff changeset	819 roles = user_assumable_roles(auth_state.user.username, roles);
5429 0bbeee8ba8b5 mod_http_oauth2: Strip unknown scopes from consent page Kim Alvefur <zash@zash.se> parents: 5428 diff changeset	820 return render_page(templates.consent, { state = auth_state; client = client; scopes = scopes+roles }, true);
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	821 elseif not auth_state.consent then
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	822 -- Notify client of rejection
5477 5986e0edd7a3 mod_http_oauth2: Use validated redirect URI when returning errors to client Kim Alvefur <zash@zash.se> parents: 5476 diff changeset	823 return error_response(request, redirect_uri, oauth_error("access_denied"));
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	824 end
5271 3a1df3adad0c mod_http_oauth2: Allow user to decide which requested scopes to grant Kim Alvefur <zash@zash.se> parents: 5268 diff changeset	825 -- else auth_state.consent == true
3a1df3adad0c mod_http_oauth2: Allow user to decide which requested scopes to grant Kim Alvefur <zash@zash.se> parents: 5268 diff changeset	826
5447 aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	827 local granted_scopes = auth_state.scopes
aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	828 if client.scope then
aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	829 local client_scopes = set.new(parse_scopes(client.scope));
aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	830 granted_scopes:filter(function(scope)
aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	831 return client_scopes:contains(scope);
aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	832 end);
aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	833 end
aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	834
aa4828f040c5 mod_http_oauth2: Enforce client scope restrictions in authorization Kim Alvefur <zash@zash.se> parents: 5446 diff changeset	835 params.scope = granted_scopes:concat(" ");
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	836
5257 b2120fb4a279 mod_http_oauth2: Implement and return ID Token in authorization code flow Kim Alvefur <zash@zash.se> parents: 5256 diff changeset	837 local user_jid = jid.join(auth_state.user.username, module.host);
5262 e73f364b5624 mod_http_oauth2: Rename oauth client credential related functions Kim Alvefur <zash@zash.se> parents: 5259 diff changeset	838 local client_secret = make_client_secret(params.client_id);
5257 b2120fb4a279 mod_http_oauth2: Implement and return ID Token in authorization code flow Kim Alvefur <zash@zash.se> parents: 5256 diff changeset	839 local id_token_signer = jwt.new_signer("HS256", client_secret);
b2120fb4a279 mod_http_oauth2: Implement and return ID Token in authorization code flow Kim Alvefur <zash@zash.se> parents: 5256 diff changeset	840 local id_token = id_token_signer({
b2120fb4a279 mod_http_oauth2: Implement and return ID Token in authorization code flow Kim Alvefur <zash@zash.se> parents: 5256 diff changeset	841 iss = get_issuer();
b2120fb4a279 mod_http_oauth2: Implement and return ID Token in authorization code flow Kim Alvefur <zash@zash.se> parents: 5256 diff changeset	842 sub = url.build({ scheme = "xmpp"; path = user_jid });
b2120fb4a279 mod_http_oauth2: Implement and return ID Token in authorization code flow Kim Alvefur <zash@zash.se> parents: 5256 diff changeset	843 aud = params.client_id;
5519 83ebfc367169 mod_http_oauth2: Return Authentication Time per OpenID Core Section 2 Kim Alvefur <zash@zash.se> parents: 5518 diff changeset	844 auth_time = auth_state.user.auth_time;
5257 b2120fb4a279 mod_http_oauth2: Implement and return ID Token in authorization code flow Kim Alvefur <zash@zash.se> parents: 5256 diff changeset	845 nonce = params.nonce;
b2120fb4a279 mod_http_oauth2: Implement and return ID Token in authorization code flow Kim Alvefur <zash@zash.se> parents: 5256 diff changeset	846 });
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	847 local response_type = params.response_type;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	848 local response_handler = response_type_handlers[response_type];
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	849 if not response_handler then
5477 5986e0edd7a3 mod_http_oauth2: Use validated redirect URI when returning errors to client Kim Alvefur <zash@zash.se> parents: 5476 diff changeset	850 return error_response(request, redirect_uri, oauth_error("unsupported_response_type"));
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	851 end
5468 14b5446e22e1 mod_http_oauth2: Fix returning errors from response handlers Kim Alvefur <zash@zash.se> parents: 5467 diff changeset	852 local ret = response_handler(client, params, user_jid, id_token);
14b5446e22e1 mod_http_oauth2: Fix returning errors from response handlers Kim Alvefur <zash@zash.se> parents: 5467 diff changeset	853 if errors.is_err(ret) then
5477 5986e0edd7a3 mod_http_oauth2: Use validated redirect URI when returning errors to client Kim Alvefur <zash@zash.se> parents: 5476 diff changeset	854 return error_response(request, redirect_uri, ret);
5468 14b5446e22e1 mod_http_oauth2: Fix returning errors from response handlers Kim Alvefur <zash@zash.se> parents: 5467 diff changeset	855 end
14b5446e22e1 mod_http_oauth2: Fix returning errors from response handlers Kim Alvefur <zash@zash.se> parents: 5467 diff changeset	856 return ret;
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	857 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	858
4370 dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	859 local function handle_revocation_request(event)
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	860 local request, response = event.request, event.response;
5509 ae007be8a6bd mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 Kim Alvefur <zash@zash.se> parents: 5502 diff changeset	861 response.headers.cache_control = "no-store";
ae007be8a6bd mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 Kim Alvefur <zash@zash.se> parents: 5502 diff changeset	862 response.headers.pragma = "no-cache";
5265 f845c218e52c mod_http_oauth2: Allow revoking a token without OAuth client credentials Kim Alvefur <zash@zash.se> parents: 5264 diff changeset	863 if request.headers.authorization then
f845c218e52c mod_http_oauth2: Allow revoking a token without OAuth client credentials Kim Alvefur <zash@zash.se> parents: 5264 diff changeset	864 local credentials = get_request_credentials(request);
f845c218e52c mod_http_oauth2: Allow revoking a token without OAuth client credentials Kim Alvefur <zash@zash.se> parents: 5264 diff changeset	865 if not credentials or credentials.type ~= "basic" then
f845c218e52c mod_http_oauth2: Allow revoking a token without OAuth client credentials Kim Alvefur <zash@zash.se> parents: 5264 diff changeset	866 response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
f845c218e52c mod_http_oauth2: Allow revoking a token without OAuth client credentials Kim Alvefur <zash@zash.se> parents: 5264 diff changeset	867 return 401;
f845c218e52c mod_http_oauth2: Allow revoking a token without OAuth client credentials Kim Alvefur <zash@zash.se> parents: 5264 diff changeset	868 end
f845c218e52c mod_http_oauth2: Allow revoking a token without OAuth client credentials Kim Alvefur <zash@zash.se> parents: 5264 diff changeset	869 -- OAuth "client" credentials
f845c218e52c mod_http_oauth2: Allow revoking a token without OAuth client credentials Kim Alvefur <zash@zash.se> parents: 5264 diff changeset	870 if not verify_client_secret(credentials.username, credentials.password) then
f845c218e52c mod_http_oauth2: Allow revoking a token without OAuth client credentials Kim Alvefur <zash@zash.se> parents: 5264 diff changeset	871 return 401;
f845c218e52c mod_http_oauth2: Allow revoking a token without OAuth client credentials Kim Alvefur <zash@zash.se> parents: 5264 diff changeset	872 end
4370 dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	873 end
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	874
5513 0005d4201030 mod_http_oauth2: Reject duplicate form-urlencoded parameters Kim Alvefur <zash@zash.se> parents: 5512 diff changeset	875 local form_data = strict_formdecode(event.request.body);
4370 dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	876 if not form_data or not form_data.token then
5267 60e0bc35de33 mod_http_oauth2: Relax payload content type checking in revocation Kim Alvefur <zash@zash.se> parents: 5266 diff changeset	877 response.headers.accept = "application/x-www-form-urlencoded";
60e0bc35de33 mod_http_oauth2: Relax payload content type checking in revocation Kim Alvefur <zash@zash.se> parents: 5266 diff changeset	878 return 415;
4370 dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	879 end
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	880 local ok, err = tokens.revoke_token(form_data.token);
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	881 if not ok then
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	882 module:log("warn", "Unable to revoke token: %s", tostring(err));
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	883 return 500;
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	884 end
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	885 return 200;
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	886 end
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	887
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	888 local registration_schema = {
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	889 type = "object";
5237 3354f943c1fa mod_http_oauth2: Require URL to client informational page in registration Kim Alvefur <zash@zash.se> parents: 5236 diff changeset	890 required = {
3354f943c1fa mod_http_oauth2: Require URL to client informational page in registration Kim Alvefur <zash@zash.se> parents: 5236 diff changeset	891 -- These are shown to users in the template
3354f943c1fa mod_http_oauth2: Require URL to client informational page in registration Kim Alvefur <zash@zash.se> parents: 5236 diff changeset	892 "client_name";
3354f943c1fa mod_http_oauth2: Require URL to client informational page in registration Kim Alvefur <zash@zash.se> parents: 5236 diff changeset	893 "client_uri";
3354f943c1fa mod_http_oauth2: Require URL to client informational page in registration Kim Alvefur <zash@zash.se> parents: 5236 diff changeset	894 -- We need at least one redirect URI for things to work
3354f943c1fa mod_http_oauth2: Require URL to client informational page in registration Kim Alvefur <zash@zash.se> parents: 5236 diff changeset	895 "redirect_uris";
3354f943c1fa mod_http_oauth2: Require URL to client informational page in registration Kim Alvefur <zash@zash.se> parents: 5236 diff changeset	896 };
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	897 properties = {
5454 6970c73711c2 mod_http_oauth2: Reject duplicate redirect URIs in registration Kim Alvefur <zash@zash.se> parents: 5453 diff changeset	898 redirect_uris = { type = "array"; minItems = 1; uniqueItems = true; items = { type = "string"; format = "uri" } };
5377 ca477408f90b mod_http_oauth2: Fix misplaced 'default' on wrong side of } in client registration schema Kim Alvefur <zash@zash.se> parents: 5375 diff changeset	899 token_endpoint_auth_method = {
ca477408f90b mod_http_oauth2: Fix misplaced 'default' on wrong side of } in client registration schema Kim Alvefur <zash@zash.se> parents: 5375 diff changeset	900 type = "string";
ca477408f90b mod_http_oauth2: Fix misplaced 'default' on wrong side of } in client registration schema Kim Alvefur <zash@zash.se> parents: 5375 diff changeset	901 enum = { "none"; "client_secret_post"; "client_secret_basic" };
ca477408f90b mod_http_oauth2: Fix misplaced 'default' on wrong side of } in client registration schema Kim Alvefur <zash@zash.se> parents: 5375 diff changeset	902 default = "client_secret_basic";
ca477408f90b mod_http_oauth2: Fix misplaced 'default' on wrong side of } in client registration schema Kim Alvefur <zash@zash.se> parents: 5375 diff changeset	903 };
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	904 grant_types = {
5236 ff8623e2f9d9 mod_http_oauth2: Reorder client metadata validation schema Kim Alvefur <zash@zash.se> parents: 5231 diff changeset	905 type = "array";
5455 80a81e7f3c4e mod_http_oauth2: Require non-empty arrays in client registration Kim Alvefur <zash@zash.se> parents: 5454 diff changeset	906 minItems = 1;
5456 9008aea491bf mod_http_oauth2: Reject duplicate list items in client registration Kim Alvefur <zash@zash.se> parents: 5455 diff changeset	907 uniqueItems = true;
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	908 items = {
5236 ff8623e2f9d9 mod_http_oauth2: Reorder client metadata validation schema Kim Alvefur <zash@zash.se> parents: 5231 diff changeset	909 type = "string";
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	910 enum = {
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	911 "authorization_code";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	912 "implicit";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	913 "password";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	914 "client_credentials";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	915 "refresh_token";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	916 "urn:ietf:params:oauth:grant-type:jwt-bearer";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	917 "urn:ietf:params:oauth:grant-type:saml2-bearer";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	918 };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	919 };
5366 db4c66a1d24b mod_http_oauth2: Fill in some client metadata defaults Kim Alvefur <zash@zash.se> parents: 5365 diff changeset	920 default = { "authorization_code" };
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	921 };
5367 93d445b26063 mod_http_oauth2: Validate redirect URI depending on application type Kim Alvefur <zash@zash.se> parents: 5366 diff changeset	922 application_type = { type = "string"; enum = { "native"; "web" }; default = "web" };
5456 9008aea491bf mod_http_oauth2: Reject duplicate list items in client registration Kim Alvefur <zash@zash.se> parents: 5455 diff changeset	923 response_types = {
9008aea491bf mod_http_oauth2: Reject duplicate list items in client registration Kim Alvefur <zash@zash.se> parents: 5455 diff changeset	924 type = "array";
9008aea491bf mod_http_oauth2: Reject duplicate list items in client registration Kim Alvefur <zash@zash.se> parents: 5455 diff changeset	925 minItems = 1;
9008aea491bf mod_http_oauth2: Reject duplicate list items in client registration Kim Alvefur <zash@zash.se> parents: 5455 diff changeset	926 uniqueItems = true;
9008aea491bf mod_http_oauth2: Reject duplicate list items in client registration Kim Alvefur <zash@zash.se> parents: 5455 diff changeset	927 items = { type = "string"; enum = { "code"; "token" } };
9008aea491bf mod_http_oauth2: Reject duplicate list items in client registration Kim Alvefur <zash@zash.se> parents: 5455 diff changeset	928 default = { "code" };
9008aea491bf mod_http_oauth2: Reject duplicate list items in client registration Kim Alvefur <zash@zash.se> parents: 5455 diff changeset	929 };
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	930 client_name = { type = "string" };
5553 67152838afbc mod_http_oauth2: Improve error messages for URI properties Kim Alvefur <zash@zash.se> parents: 5550 diff changeset	931 client_uri = { type = "string"; format = "uri"; pattern = "^https:" };
67152838afbc mod_http_oauth2: Improve error messages for URI properties Kim Alvefur <zash@zash.se> parents: 5550 diff changeset	932 logo_uri = { type = "string"; format = "uri"; pattern = "^https:" };
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	933 scope = { type = "string" };
5455 80a81e7f3c4e mod_http_oauth2: Require non-empty arrays in client registration Kim Alvefur <zash@zash.se> parents: 5454 diff changeset	934 contacts = { type = "array"; minItems = 1; items = { type = "string"; format = "email" } };
5553 67152838afbc mod_http_oauth2: Improve error messages for URI properties Kim Alvefur <zash@zash.se> parents: 5550 diff changeset	935 tos_uri = { type = "string"; format = "uri"; pattern = "^https:" };
67152838afbc mod_http_oauth2: Improve error messages for URI properties Kim Alvefur <zash@zash.se> parents: 5550 diff changeset	936 policy_uri = { type = "string"; format = "uri"; pattern = "^https:" };
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	937 software_id = { type = "string"; format = "uuid" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	938 software_version = { type = "string" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	939 };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	940 }
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	941
5554 90449babaa48 mod_http_oauth2: Make allowed locales configurable Kim Alvefur <zash@zash.se> parents: 5553 diff changeset	942 -- Limit per-locale fields to allowed locales, partly to keep size of client_id
90449babaa48 mod_http_oauth2: Make allowed locales configurable Kim Alvefur <zash@zash.se> parents: 5553 diff changeset	943 -- down, partly because we don't yet use them for anything.
90449babaa48 mod_http_oauth2: Make allowed locales configurable Kim Alvefur <zash@zash.se> parents: 5553 diff changeset	944 -- Only relevant for user-visible strings and URIs.
90449babaa48 mod_http_oauth2: Make allowed locales configurable Kim Alvefur <zash@zash.se> parents: 5553 diff changeset	945 if allowed_locales[1] then
90449babaa48 mod_http_oauth2: Make allowed locales configurable Kim Alvefur <zash@zash.se> parents: 5553 diff changeset	946 local props = registration_schema.properties;
90449babaa48 mod_http_oauth2: Make allowed locales configurable Kim Alvefur <zash@zash.se> parents: 5553 diff changeset	947 for _, locale in ipairs(allowed_locales) do
90449babaa48 mod_http_oauth2: Make allowed locales configurable Kim Alvefur <zash@zash.se> parents: 5553 diff changeset	948 props["client_name#" .. locale] = props["client_name"];
90449babaa48 mod_http_oauth2: Make allowed locales configurable Kim Alvefur <zash@zash.se> parents: 5553 diff changeset	949 props["client_uri#" .. locale] = props["client_uri"];
90449babaa48 mod_http_oauth2: Make allowed locales configurable Kim Alvefur <zash@zash.se> parents: 5553 diff changeset	950 props["logo_uri#" .. locale] = props["logo_uri"];
90449babaa48 mod_http_oauth2: Make allowed locales configurable Kim Alvefur <zash@zash.se> parents: 5553 diff changeset	951 props["tos_uri#" .. locale] = props["tos_uri"];
90449babaa48 mod_http_oauth2: Make allowed locales configurable Kim Alvefur <zash@zash.se> parents: 5553 diff changeset	952 props["policy_uri#" .. locale] = props["policy_uri"];
90449babaa48 mod_http_oauth2: Make allowed locales configurable Kim Alvefur <zash@zash.se> parents: 5553 diff changeset	953 end
90449babaa48 mod_http_oauth2: Make allowed locales configurable Kim Alvefur <zash@zash.se> parents: 5553 diff changeset	954 end
90449babaa48 mod_http_oauth2: Make allowed locales configurable Kim Alvefur <zash@zash.se> parents: 5553 diff changeset	955
5367 93d445b26063 mod_http_oauth2: Validate redirect URI depending on application type Kim Alvefur <zash@zash.se> parents: 5366 diff changeset	956 local function redirect_uri_allowed(redirect_uri, client_uri, app_type)
93d445b26063 mod_http_oauth2: Validate redirect URI depending on application type Kim Alvefur <zash@zash.se> parents: 5366 diff changeset	957 local uri = url.parse(redirect_uri);
5457 9156a4754466 mod_http_oauth2: Reject relative redirect URIs Kim Alvefur <zash@zash.se> parents: 5456 diff changeset	958 if not uri.scheme then
9156a4754466 mod_http_oauth2: Reject relative redirect URIs Kim Alvefur <zash@zash.se> parents: 5456 diff changeset	959 return false; -- no relative URLs
9156a4754466 mod_http_oauth2: Reject relative redirect URIs Kim Alvefur <zash@zash.se> parents: 5456 diff changeset	960 end
5367 93d445b26063 mod_http_oauth2: Validate redirect URI depending on application type Kim Alvefur <zash@zash.se> parents: 5366 diff changeset	961 if app_type == "native" then
5458 813fe4f76286 mod_http_oauth2: Do minimal validation of private-use URI schemes Kim Alvefur <zash@zash.se> parents: 5457 diff changeset	962 return uri.scheme == "http" and loopbacks:contains(uri.host) or redirect_uri == oob_uri or uri.scheme:find(".", 1, true) ~= nil;
5367 93d445b26063 mod_http_oauth2: Validate redirect URI depending on application type Kim Alvefur <zash@zash.se> parents: 5366 diff changeset	963 elseif app_type == "web" then
93d445b26063 mod_http_oauth2: Validate redirect URI depending on application type Kim Alvefur <zash@zash.se> parents: 5366 diff changeset	964 return uri.scheme == "https" and uri.host == client_uri.host;
93d445b26063 mod_http_oauth2: Validate redirect URI depending on application type Kim Alvefur <zash@zash.se> parents: 5366 diff changeset	965 end
93d445b26063 mod_http_oauth2: Validate redirect URI depending on application type Kim Alvefur <zash@zash.se> parents: 5366 diff changeset	966 end
93d445b26063 mod_http_oauth2: Validate redirect URI depending on application type Kim Alvefur <zash@zash.se> parents: 5366 diff changeset	967
5259 8fba651b10ef mod_http_oauth2: Refactor to allow reuse of OAuth client creation Kim Alvefur <zash@zash.se> parents: 5258 diff changeset	968 function create_client(client_metadata)
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	969 if not schema.validate(registration_schema, client_metadata) then
5259 8fba651b10ef mod_http_oauth2: Refactor to allow reuse of OAuth client creation Kim Alvefur <zash@zash.se> parents: 5258 diff changeset	970 return nil, oauth_error("invalid_request", "Failed schema validation.");
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	971 end
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	972
5366 db4c66a1d24b mod_http_oauth2: Fill in some client metadata defaults Kim Alvefur <zash@zash.se> parents: 5365 diff changeset	973 -- Fill in default values
db4c66a1d24b mod_http_oauth2: Fill in some client metadata defaults Kim Alvefur <zash@zash.se> parents: 5365 diff changeset	974 for propname, propspec in pairs(registration_schema.properties) do
db4c66a1d24b mod_http_oauth2: Fill in some client metadata defaults Kim Alvefur <zash@zash.se> parents: 5365 diff changeset	975 if client_metadata[propname] == nil and type(propspec) == "table" and propspec.default ~= nil then
db4c66a1d24b mod_http_oauth2: Fill in some client metadata defaults Kim Alvefur <zash@zash.se> parents: 5365 diff changeset	976 client_metadata[propname] = propspec.default;
db4c66a1d24b mod_http_oauth2: Fill in some client metadata defaults Kim Alvefur <zash@zash.se> parents: 5365 diff changeset	977 end
db4c66a1d24b mod_http_oauth2: Fill in some client metadata defaults Kim Alvefur <zash@zash.se> parents: 5365 diff changeset	978 end
db4c66a1d24b mod_http_oauth2: Fill in some client metadata defaults Kim Alvefur <zash@zash.se> parents: 5365 diff changeset	979
5559 d7fb8b266663 mod_http_oauth2: Strip unknown client metadata Kim Alvefur <zash@zash.se> parents: 5554 diff changeset	980 -- MUST ignore any metadata that it does not understand
d7fb8b266663 mod_http_oauth2: Strip unknown client metadata Kim Alvefur <zash@zash.se> parents: 5554 diff changeset	981 for propname in pairs(client_metadata) do
d7fb8b266663 mod_http_oauth2: Strip unknown client metadata Kim Alvefur <zash@zash.se> parents: 5554 diff changeset	982 if not registration_schema.properties[propname] then
d7fb8b266663 mod_http_oauth2: Strip unknown client metadata Kim Alvefur <zash@zash.se> parents: 5554 diff changeset	983 client_metadata[propname] = nil;
d7fb8b266663 mod_http_oauth2: Strip unknown client metadata Kim Alvefur <zash@zash.se> parents: 5554 diff changeset	984 end
d7fb8b266663 mod_http_oauth2: Strip unknown client metadata Kim Alvefur <zash@zash.se> parents: 5554 diff changeset	985 end
d7fb8b266663 mod_http_oauth2: Strip unknown client metadata Kim Alvefur <zash@zash.se> parents: 5554 diff changeset	986
5246 fd0d25b42cd9 mod_http_oauth2: Validate all URIs against client_uri in client registration Kim Alvefur <zash@zash.se> parents: 5245 diff changeset	987 local client_uri = url.parse(client_metadata.client_uri);
5401 c8d04ac200fc mod_http_oauth2: Reject loopback URIs as client_uri Kim Alvefur <zash@zash.se> parents: 5400 diff changeset	988 if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
5402 fbf3ede7541b mod_http_oauth2: More appropriate error conditions in client validation Kim Alvefur <zash@zash.se> parents: 5401 diff changeset	989 return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri");
5246 fd0d25b42cd9 mod_http_oauth2: Validate all URIs against client_uri in client registration Kim Alvefur <zash@zash.se> parents: 5245 diff changeset	990 end
fd0d25b42cd9 mod_http_oauth2: Validate all URIs against client_uri in client registration Kim Alvefur <zash@zash.se> parents: 5245 diff changeset	991
5239 8620a635106e mod_http_oauth2: Validate basic URI syntax of redirect URIs Kim Alvefur <zash@zash.se> parents: 5237 diff changeset	992 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do
5367 93d445b26063 mod_http_oauth2: Validate redirect URI depending on application type Kim Alvefur <zash@zash.se> parents: 5366 diff changeset	993 if not redirect_uri_allowed(redirect_uri, client_uri, client_metadata.application_type) then
5402 fbf3ede7541b mod_http_oauth2: More appropriate error conditions in client validation Kim Alvefur <zash@zash.se> parents: 5401 diff changeset	994 return nil, oauth_error("invalid_redirect_uri", "Invalid, insecure or inappropriate redirect URI.");
5242 4746609a6656 mod_http_oauth2: Validate that informative URLs match the redirect URIs Kim Alvefur <zash@zash.se> parents: 5241 diff changeset	995 end
4746609a6656 mod_http_oauth2: Validate that informative URLs match the redirect URIs Kim Alvefur <zash@zash.se> parents: 5241 diff changeset	996 end
4746609a6656 mod_http_oauth2: Validate that informative URLs match the redirect URIs Kim Alvefur <zash@zash.se> parents: 5241 diff changeset	997
5244 fa7bd721a3f6 mod_http_oauth2: Fix validation of informative URIs Kim Alvefur <zash@zash.se> parents: 5243 diff changeset	998 for field, prop_schema in pairs(registration_schema.properties) do
5246 fd0d25b42cd9 mod_http_oauth2: Validate all URIs against client_uri in client registration Kim Alvefur <zash@zash.se> parents: 5245 diff changeset	999 if field ~= "client_uri" and prop_schema.format == "uri" and client_metadata[field] then
5403 c574aaaa4d57 mod_http_oauth2: Simplify validation of various URIs Kim Alvefur <zash@zash.se> parents: 5402 diff changeset	1000 if not redirect_uri_allowed(client_metadata[field], client_uri, "web") then
c574aaaa4d57 mod_http_oauth2: Simplify validation of various URIs Kim Alvefur <zash@zash.se> parents: 5402 diff changeset	1001 return nil, oauth_error("invalid_client_metadata", "Invalid, insecure or inappropriate informative URI");
5242 4746609a6656 mod_http_oauth2: Validate that informative URLs match the redirect URIs Kim Alvefur <zash@zash.se> parents: 5241 diff changeset	1002 end
5239 8620a635106e mod_http_oauth2: Validate basic URI syntax of redirect URIs Kim Alvefur <zash@zash.se> parents: 5237 diff changeset	1003 end
8620a635106e mod_http_oauth2: Validate basic URI syntax of redirect URIs Kim Alvefur <zash@zash.se> parents: 5237 diff changeset	1004 end
8620a635106e mod_http_oauth2: Validate basic URI syntax of redirect URIs Kim Alvefur <zash@zash.se> parents: 5237 diff changeset	1005
5406 b86d80e21c60 mod_http_oauth2: Validate consistency of response and grant types Kim Alvefur <zash@zash.se> parents: 5405 diff changeset	1006 local grant_types = set.new(client_metadata.grant_types);
b86d80e21c60 mod_http_oauth2: Validate consistency of response and grant types Kim Alvefur <zash@zash.se> parents: 5405 diff changeset	1007 local response_types = set.new(client_metadata.response_types);
b86d80e21c60 mod_http_oauth2: Validate consistency of response and grant types Kim Alvefur <zash@zash.se> parents: 5405 diff changeset	1008
b86d80e21c60 mod_http_oauth2: Validate consistency of response and grant types Kim Alvefur <zash@zash.se> parents: 5405 diff changeset	1009 if grant_types:contains("authorization_code") and not response_types:contains("code") then
b86d80e21c60 mod_http_oauth2: Validate consistency of response and grant types Kim Alvefur <zash@zash.se> parents: 5405 diff changeset	1010 return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'");
b86d80e21c60 mod_http_oauth2: Validate consistency of response and grant types Kim Alvefur <zash@zash.se> parents: 5405 diff changeset	1011 elseif grant_types:contains("implicit") and not response_types:contains("token") then
b86d80e21c60 mod_http_oauth2: Validate consistency of response and grant types Kim Alvefur <zash@zash.se> parents: 5405 diff changeset	1012 return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'");
b86d80e21c60 mod_http_oauth2: Validate consistency of response and grant types Kim Alvefur <zash@zash.se> parents: 5405 diff changeset	1013 end
b86d80e21c60 mod_http_oauth2: Validate consistency of response and grant types Kim Alvefur <zash@zash.se> parents: 5405 diff changeset	1014
b86d80e21c60 mod_http_oauth2: Validate consistency of response and grant types Kim Alvefur <zash@zash.se> parents: 5405 diff changeset	1015 if set.intersection(grant_types, allowed_grant_type_handlers):empty() then
b86d80e21c60 mod_http_oauth2: Validate consistency of response and grant types Kim Alvefur <zash@zash.se> parents: 5405 diff changeset	1016 return nil, oauth_error("invalid_client_metadata", "No allowed 'grant_types' specified");
b86d80e21c60 mod_http_oauth2: Validate consistency of response and grant types Kim Alvefur <zash@zash.se> parents: 5405 diff changeset	1017 elseif set.intersection(response_types, allowed_response_type_handlers):empty() then
b86d80e21c60 mod_http_oauth2: Validate consistency of response and grant types Kim Alvefur <zash@zash.se> parents: 5405 diff changeset	1018 return nil, oauth_error("invalid_client_metadata", "No allowed 'response_types' specified");
b86d80e21c60 mod_http_oauth2: Validate consistency of response and grant types Kim Alvefur <zash@zash.se> parents: 5405 diff changeset	1019 end
b86d80e21c60 mod_http_oauth2: Validate consistency of response and grant types Kim Alvefur <zash@zash.se> parents: 5405 diff changeset	1020
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	1021 -- Do we want to keep everything?
5459 260a859be86a mod_http_oauth2: Rename variables to improve clarity Kim Alvefur <zash@zash.se> parents: 5458 diff changeset	1022 local client_id = sign_client(client_metadata);
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	1023
5221 22483cfce3ce mod_http_oauth2: Reflect ALL attributes of the client registration Matthew Wild <mwild1@gmail.com> parents: 5219 diff changeset	1024 client_metadata.client_id = client_id;
22483cfce3ce mod_http_oauth2: Reflect ALL attributes of the client registration Matthew Wild <mwild1@gmail.com> parents: 5219 diff changeset	1025 client_metadata.client_id_issued_at = os.time();
22483cfce3ce mod_http_oauth2: Reflect ALL attributes of the client registration Matthew Wild <mwild1@gmail.com> parents: 5219 diff changeset	1026
5407 149634647b48 mod_http_oauth2: Don't issue client_secret when not using authentication Kim Alvefur <zash@zash.se> parents: 5406 diff changeset	1027 if client_metadata.token_endpoint_auth_method ~= "none" then
5580 feadbd481285 mod_http_oauth2: Only add nonce when issuing a client_secret Kim Alvefur <zash@zash.se> parents: 5560 diff changeset	1028 -- Ensure that each client_id JWT with a client_secret is unique.
feadbd481285 mod_http_oauth2: Only add nonce when issuing a client_secret Kim Alvefur <zash@zash.se> parents: 5560 diff changeset	1029 -- A short ID along with the issued at timestamp should be sufficient to
feadbd481285 mod_http_oauth2: Only add nonce when issuing a client_secret Kim Alvefur <zash@zash.se> parents: 5560 diff changeset	1030 -- rule out brute force attacks.
feadbd481285 mod_http_oauth2: Only add nonce when issuing a client_secret Kim Alvefur <zash@zash.se> parents: 5560 diff changeset	1031 -- Not needed for public clients without a secret, but those are expected
feadbd481285 mod_http_oauth2: Only add nonce when issuing a client_secret Kim Alvefur <zash@zash.se> parents: 5560 diff changeset	1032 -- to be uncommon since they can only do the insecure implicit flow.
feadbd481285 mod_http_oauth2: Only add nonce when issuing a client_secret Kim Alvefur <zash@zash.se> parents: 5560 diff changeset	1033 client_metadata.nonce = id.short();
feadbd481285 mod_http_oauth2: Only add nonce when issuing a client_secret Kim Alvefur <zash@zash.se> parents: 5560 diff changeset	1034
feadbd481285 mod_http_oauth2: Only add nonce when issuing a client_secret Kim Alvefur <zash@zash.se> parents: 5560 diff changeset	1035 local client_secret = make_client_secret(client_id, client_metadata);
5407 149634647b48 mod_http_oauth2: Don't issue client_secret when not using authentication Kim Alvefur <zash@zash.se> parents: 5406 diff changeset	1036 client_metadata.client_secret = client_secret;
149634647b48 mod_http_oauth2: Don't issue client_secret when not using authentication Kim Alvefur <zash@zash.se> parents: 5406 diff changeset	1037 client_metadata.client_secret_expires_at = 0;
149634647b48 mod_http_oauth2: Don't issue client_secret when not using authentication Kim Alvefur <zash@zash.se> parents: 5406 diff changeset	1038
149634647b48 mod_http_oauth2: Don't issue client_secret when not using authentication Kim Alvefur <zash@zash.se> parents: 5406 diff changeset	1039 if not registration_options.accept_expired then
149634647b48 mod_http_oauth2: Don't issue client_secret when not using authentication Kim Alvefur <zash@zash.se> parents: 5406 diff changeset	1040 client_metadata.client_secret_expires_at = client_metadata.client_id_issued_at + (registration_options.default_ttl or 3600);
149634647b48 mod_http_oauth2: Don't issue client_secret when not using authentication Kim Alvefur <zash@zash.se> parents: 5406 diff changeset	1041 end
5202 b81fd0d22c66 mod_http_oauth2: Calculate client secret expiry in registration response Kim Alvefur <zash@zash.se> parents: 5201 diff changeset	1042 end
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	1043
5259 8fba651b10ef mod_http_oauth2: Refactor to allow reuse of OAuth client creation Kim Alvefur <zash@zash.se> parents: 5258 diff changeset	1044 return client_metadata;
8fba651b10ef mod_http_oauth2: Refactor to allow reuse of OAuth client creation Kim Alvefur <zash@zash.se> parents: 5258 diff changeset	1045 end
8fba651b10ef mod_http_oauth2: Refactor to allow reuse of OAuth client creation Kim Alvefur <zash@zash.se> parents: 5258 diff changeset	1046
8fba651b10ef mod_http_oauth2: Refactor to allow reuse of OAuth client creation Kim Alvefur <zash@zash.se> parents: 5258 diff changeset	1047 local function handle_register_request(event)
8fba651b10ef mod_http_oauth2: Refactor to allow reuse of OAuth client creation Kim Alvefur <zash@zash.se> parents: 5258 diff changeset	1048 local request = event.request;
8fba651b10ef mod_http_oauth2: Refactor to allow reuse of OAuth client creation Kim Alvefur <zash@zash.se> parents: 5258 diff changeset	1049 local client_metadata, err = json.decode(request.body);
8fba651b10ef mod_http_oauth2: Refactor to allow reuse of OAuth client creation Kim Alvefur <zash@zash.se> parents: 5258 diff changeset	1050 if err then
8fba651b10ef mod_http_oauth2: Refactor to allow reuse of OAuth client creation Kim Alvefur <zash@zash.se> parents: 5258 diff changeset	1051 return oauth_error("invalid_request", "Invalid JSON");
8fba651b10ef mod_http_oauth2: Refactor to allow reuse of OAuth client creation Kim Alvefur <zash@zash.se> parents: 5258 diff changeset	1052 end
8fba651b10ef mod_http_oauth2: Refactor to allow reuse of OAuth client creation Kim Alvefur <zash@zash.se> parents: 5258 diff changeset	1053
8fba651b10ef mod_http_oauth2: Refactor to allow reuse of OAuth client creation Kim Alvefur <zash@zash.se> parents: 5258 diff changeset	1054 local response, err = create_client(client_metadata);
8fba651b10ef mod_http_oauth2: Refactor to allow reuse of OAuth client creation Kim Alvefur <zash@zash.se> parents: 5258 diff changeset	1055 if err then return err end
8fba651b10ef mod_http_oauth2: Refactor to allow reuse of OAuth client creation Kim Alvefur <zash@zash.se> parents: 5258 diff changeset	1056
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	1057 return {
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	1058 status_code = 201;
5509 ae007be8a6bd mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 Kim Alvefur <zash@zash.se> parents: 5502 diff changeset	1059 headers = {
ae007be8a6bd mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 Kim Alvefur <zash@zash.se> parents: 5502 diff changeset	1060 cache_control = "no-store";
ae007be8a6bd mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 Kim Alvefur <zash@zash.se> parents: 5502 diff changeset	1061 pragma = "no-cache";
ae007be8a6bd mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 Kim Alvefur <zash@zash.se> parents: 5502 diff changeset	1062 content_type = "application/json";
ae007be8a6bd mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 Kim Alvefur <zash@zash.se> parents: 5502 diff changeset	1063 };
5259 8fba651b10ef mod_http_oauth2: Refactor to allow reuse of OAuth client creation Kim Alvefur <zash@zash.se> parents: 5258 diff changeset	1064 body = json.encode(response);
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	1065 };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	1066 end
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	1067
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	1068 if not registration_key then
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	1069 module:log("info", "No 'oauth2_registration_key', dynamic client registration disabled")
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	1070 handle_authorization_request = nil
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	1071 handle_register_request = nil
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	1072 end
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	1073
5228 77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1074 local function handle_userinfo_request(event)
77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1075 local request = event.request;
77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1076 local credentials = get_request_credentials(request);
77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1077 if not credentials or not credentials.bearer_token then
5336 77ac04bd2f65 mod_http_oauth2: Add some debug logging for UserInfo endpoint Kim Alvefur <zash@zash.se> parents: 5335 diff changeset	1078 module:log("debug", "Missing credentials for UserInfo endpoint: %q", credentials)
5335 53c6f49dcbb8 mod_http_oauth2: Correct error code when missing credentials for userinfo Kim Alvefur <zash@zash.se> parents: 5280 diff changeset	1079 return 401;
5228 77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1080 end
5336 77ac04bd2f65 mod_http_oauth2: Add some debug logging for UserInfo endpoint Kim Alvefur <zash@zash.se> parents: 5335 diff changeset	1081 local token_info,err = tokens.get_token_info(credentials.bearer_token);
5228 77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1082 if not token_info then
5336 77ac04bd2f65 mod_http_oauth2: Add some debug logging for UserInfo endpoint Kim Alvefur <zash@zash.se> parents: 5335 diff changeset	1083 module:log("debug", "UserInfo query failed token validation: %s", err)
5228 77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1084 return 403;
77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1085 end
5337 8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1086 local scopes = set.new()
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1087 if type(token_info.grant.data) == "table" and type(token_info.grant.data.oauth2_scopes) == "string" then
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1088 scopes:add_list(parse_scopes(token_info.grant.data.oauth2_scopes));
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1089 else
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1090 module:log("debug", "token_info = %q", token_info)
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1091 end
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1092
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1093 if not scopes:contains("openid") then
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1094 module:log("debug", "Missing the 'openid' scope in %q", scopes)
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1095 -- The 'openid' scope is required for access to this endpoint.
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1096 return 403;
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1097 end
5228 77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1098
77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1099 local user_info = {
77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1100 iss = get_issuer();
77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1101 sub = url.build({ scheme = "xmpp"; path = token_info.jid });
77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1102 }
5337 8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1103
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1104 local token_claims = set.intersection(openid_claims, scopes);
5375 8b7d97f0ae8a mod_http_oauth2: Fix to include "openid" scope in discovery metadata Kim Alvefur <zash@zash.se> parents: 5367 diff changeset	1105 token_claims:remove("openid"); -- that's "iss" and "sub" above
5337 8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1106 if not token_claims:empty() then
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1107 -- Another module can do that
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1108 module:fire_event("token/userinfo", {
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1109 token = token_info;
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1110 claims = token_claims;
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1111 username = jid.split(token_info.jid);
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1112 userinfo = user_info;
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1113 });
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1114 end
8d8e85d6dc91 mod_http_oauth2: Support OpenID UserInfo claims Kim Alvefur <zash@zash.se> parents: 5336 diff changeset	1115
5228 77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1116 return {
5258 9629971e307f mod_http_oauth2: Fix userinfo status code off-by-one Kim Alvefur <zash@zash.se> parents: 5257 diff changeset	1117 status_code = 200;
5228 77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1118 headers = { content_type = "application/json" };
77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1119 body = json.encode(user_info);
77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1120 };
77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1121 end
77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1122
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	1123 module:depends("http");
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	1124 module:provides("http", {
5480 5108f63e762b mod_http_oauth2: Allow CORS for browser clients Kim Alvefur <zash@zash.se> parents: 5479 diff changeset	1125 cors = { enabled = true; credentials = true };
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	1126 route = {
5382 12498c0d705f mod_http_oauth2: Reorder routes into order they happen in OAuth 2.0 Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	1127 -- OAuth 2.0 in 5 simple steps!
12498c0d705f mod_http_oauth2: Reorder routes into order they happen in OAuth 2.0 Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	1128 -- This is the normal 'authorization_code' flow.
12498c0d705f mod_http_oauth2: Reorder routes into order they happen in OAuth 2.0 Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	1129
12498c0d705f mod_http_oauth2: Reorder routes into order they happen in OAuth 2.0 Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	1130 -- Step 1. Create OAuth client
12498c0d705f mod_http_oauth2: Reorder routes into order they happen in OAuth 2.0 Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	1131 ["POST /register"] = handle_register_request;
12498c0d705f mod_http_oauth2: Reorder routes into order they happen in OAuth 2.0 Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	1132
12498c0d705f mod_http_oauth2: Reorder routes into order they happen in OAuth 2.0 Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	1133 -- Step 2. User-facing login and consent view
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	1134 ["GET /authorize"] = handle_authorization_request;
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	1135 ["POST /authorize"] = handle_authorization_request;
5548 fd3c12c40cd9 mod_http_oauth2: Disable CORS for authorization endpoint Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	1136 ["OPTIONS /authorize"] = { status_code = 403; body = "" };
5245 e22cae58141d mod_http_oauth2: Organize HTTP routes with comments Kim Alvefur <zash@zash.se> parents: 5244 diff changeset	1137
5382 12498c0d705f mod_http_oauth2: Reorder routes into order they happen in OAuth 2.0 Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	1138 -- Step 3. User is redirected to the 'redirect_uri' along with an
12498c0d705f mod_http_oauth2: Reorder routes into order they happen in OAuth 2.0 Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	1139 -- authorization code. In the insecure 'implicit' flow, the access token
12498c0d705f mod_http_oauth2: Reorder routes into order they happen in OAuth 2.0 Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	1140 -- is delivered here.
5245 e22cae58141d mod_http_oauth2: Organize HTTP routes with comments Kim Alvefur <zash@zash.se> parents: 5244 diff changeset	1141
5382 12498c0d705f mod_http_oauth2: Reorder routes into order they happen in OAuth 2.0 Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	1142 -- Step 4. Retrieve access token using the code.
5245 e22cae58141d mod_http_oauth2: Organize HTTP routes with comments Kim Alvefur <zash@zash.se> parents: 5244 diff changeset	1143 ["POST /token"] = handle_token_grant;
5382 12498c0d705f mod_http_oauth2: Reorder routes into order they happen in OAuth 2.0 Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	1144
12498c0d705f mod_http_oauth2: Reorder routes into order they happen in OAuth 2.0 Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	1145 -- Step 4 is later repeated using the refresh token to get new access tokens.
12498c0d705f mod_http_oauth2: Reorder routes into order they happen in OAuth 2.0 Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	1146
12498c0d705f mod_http_oauth2: Reorder routes into order they happen in OAuth 2.0 Kim Alvefur <zash@zash.se> parents: 5378 diff changeset	1147 -- Step 5. Revoke token (access or refresh)
4370 dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	1148 ["POST /revoke"] = handle_revocation_request;
5245 e22cae58141d mod_http_oauth2: Organize HTTP routes with comments Kim Alvefur <zash@zash.se> parents: 5244 diff changeset	1149
e22cae58141d mod_http_oauth2: Organize HTTP routes with comments Kim Alvefur <zash@zash.se> parents: 5244 diff changeset	1150 -- OpenID
5228 77cd01af06a9 mod_http_oauth2: Implement the OpenID userinfo endpoint Kim Alvefur <zash@zash.se> parents: 5225 diff changeset	1151 ["GET /userinfo"] = handle_userinfo_request;
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	1152
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	1153 -- Optional static content for templates
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	1154 ["GET /style.css"] = templates.css and {
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	1155 headers = {
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	1156 ["Content-Type"] = "text/css";
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	1157 };
5544 cb141088eff0 mod_http_oauth2: Remove underscore prefix Kim Alvefur <zash@zash.se> parents: 5526 diff changeset	1158 body = render_html(templates.css, module:get_option("oauth2_template_style"));
5208 aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	1159 } or nil;
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	1160 ["GET /script.js"] = templates.js and {
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	1161 headers = {
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	1162 ["Content-Type"] = "text/javascript";
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	1163 };
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	1164 body = templates.js;
aaa64c647e12 mod_http_oauth2: Add authentication, consent and error pages Matthew Wild <mwild1@gmail.com> parents: 5207 diff changeset	1165 } or nil;
5393 9b9d612f9083 mod_http_oauth2: Add way to retrieve registration schema Kim Alvefur <zash@zash.se> parents: 5392 diff changeset	1166
9b9d612f9083 mod_http_oauth2: Add way to retrieve registration schema Kim Alvefur <zash@zash.se> parents: 5392 diff changeset	1167 -- Some convenient fallback handlers
9b9d612f9083 mod_http_oauth2: Add way to retrieve registration schema Kim Alvefur <zash@zash.se> parents: 5392 diff changeset	1168 ["GET /register"] = { headers = { content_type = "application/schema+json" }; body = json.encode(registration_schema) };
5396 ac7c5669e5f5 mod_http_oauth2: Return status 405 for GET to endpoints without GET handler Kim Alvefur <zash@zash.se> parents: 5394 diff changeset	1169 ["GET /token"] = function() return 405; end;
ac7c5669e5f5 mod_http_oauth2: Return status 405 for GET to endpoints without GET handler Kim Alvefur <zash@zash.se> parents: 5394 diff changeset	1170 ["GET /revoke"] = function() return 405; end;
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	1171 };
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	1172 });
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	1173
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	1174 local http_server = require "net.http.server";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	1175
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	1176 module:hook_object_event(http_server, "http-error", function (event)
4276 ec33b3b1136c mod_http_oauth2: Fix passing OAuth-specific error details Kim Alvefur <zash@zash.se> parents: 4272 diff changeset	1177 local oauth2_response = event.error and event.error.extra and event.error.extra.oauth2_response;
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	1178 if not oauth2_response then
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	1179 return;
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	1180 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	1181 event.response.headers.content_type = "application/json";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	1182 event.response.status_code = event.error.code or 400;
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	1183 return json.encode(oauth2_response);
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	1184 end, 5);
5189 4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	1185
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	1186 -- OIDC Discovery
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	1187
5502 fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1188 function get_authorization_server_metadata()
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1189 if authorization_server_metadata then
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1190 return authorization_server_metadata;
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1191 end
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1192 authorization_server_metadata = {
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1193 -- RFC 8414: OAuth 2.0 Authorization Server Metadata
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1194 issuer = get_issuer();
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1195 authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil;
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1196 token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil;
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1197 registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil;
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1198 scopes_supported = usermanager.get_all_roles
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1199 and array(it.keys(usermanager.get_all_roles(module.host))):push("xmpp"):append(array(openid_claims:items()));
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1200 response_types_supported = array(it.keys(response_type_handlers));
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1201 token_endpoint_auth_methods_supported = array({ "client_secret_post"; "client_secret_basic" });
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1202 op_policy_uri = module:get_option_string("oauth2_policy_url", nil);
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1203 op_tos_uri = module:get_option_string("oauth2_terms_url", nil);
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1204 revocation_endpoint = handle_revocation_request and module:http_url() .. "/revoke" or nil;
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1205 revocation_endpoint_auth_methods_supported = array({ "client_secret_basic" });
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1206 code_challenge_methods_supported = array(it.keys(verifier_transforms));
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1207 grant_types_supported = array(it.keys(response_type_handlers)):map(tmap {
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1208 token = "implicit";
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1209 code = "authorization_code";
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1210 });
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1211 response_modes_supported = array(it.keys(response_type_handlers)):map(tmap { token = "fragment"; code = "query" });
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1212 authorization_response_iss_parameter_supported = true;
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1213 service_documentation = module:get_option_string("oauth2_service_documentation", "https://modules.prosody.im/mod_http_oauth2.html");
5554 90449babaa48 mod_http_oauth2: Make allowed locales configurable Kim Alvefur <zash@zash.se> parents: 5553 diff changeset	1214 ui_locales_supported = allowed_locales[1] and allowed_locales;
5502 fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1215
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1216 -- OpenID
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1217 userinfo_endpoint = handle_register_request and module:http_url() .. "/userinfo" or nil;
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1218 jwks_uri = nil; -- REQUIRED in OpenID Discovery but not in OAuth 2.0 Metadata
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1219 id_token_signing_alg_values_supported = { "HS256" }; -- The algorithm RS256 MUST be included, but we use HS256 and client_secret as shared key.
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1220 }
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1221 return authorization_server_metadata;
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1222 end
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1223
5189 4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	1224 module:provides("http", {
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	1225 name = "oauth2-discovery";
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	1226 default_path = "/.well-known/oauth-authorization-server";
5480 5108f63e762b mod_http_oauth2: Allow CORS for browser clients Kim Alvefur <zash@zash.se> parents: 5479 diff changeset	1227 cors = { enabled = true };
5189 4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	1228 route = {
5502 fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1229 ["GET"] = function()
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1230 return {
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1231 headers = { content_type = "application/json" };
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1232 body = json.encode(get_authorization_server_metadata());
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1233 }
fd4d89a5b8db mod_http_oauth2: Add provisions for dynamically adding simple scopes Kim Alvefur <zash@zash.se> parents: 5501 diff changeset	1234 end
5189 4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	1235 };
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	1236 });
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	1237
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	1238 module:shared("tokenauth/oauthbearer_config").oidc_discovery_url = module:http_url("oauth2-discovery", "/.well-known/oauth-authorization-server");

Mercurial > prosody-modules

annotate mod_http_oauth2/mod_http_oauth2.lua @ 5585:5b316088bef5