prosody-modules: mod_http_oauth2/mod_http

annotate mod_http_oauth2/mod_http_oauth2.lua @ 5207:c72e3b0914e8

mod_http_oauth: Factor out issuer URL calculation to a helper function

author	Matthew Wild <mwild1@gmail.com>
date	Mon, 06 Mar 2023 09:40:17 +0000
parents	31c62df82aa8
children	aaa64c647e12

rev	line source
4263 d3af5f94d6df mod_http_oauth2: Improve storage of client secret Kim Alvefur <zash@zash.se> parents: 4260 diff changeset	1 local hashes = require "util.hashes";
4271 9623b99bb8d2 mod_http_oauth2: Keep authorization codes in memory instead of storage Kim Alvefur <zash@zash.se> parents: 4270 diff changeset	2 local cache = require "util.cache";
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	3 local http = require "util.http";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	4 local jid = require "util.jid";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	5 local json = require "util.json";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	6 local usermanager = require "core.usermanager";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	7 local errors = require "util.error";
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	8 local url = require "socket.url";
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	9 local uuid = require "util.uuid";
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	10 local encodings = require "util.encodings";
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	11 local base64 = encodings.base64;
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	12 local schema = require "util.jsonschema";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	13 local jwt = require"util.jwt";
5203 c60cff787d6a mod_http_oauth2: Return actually enabled response types in discovery Kim Alvefur <zash@zash.se> parents: 5202 diff changeset	14 local it = require "util.iterators";
c60cff787d6a mod_http_oauth2: Return actually enabled response types in discovery Kim Alvefur <zash@zash.se> parents: 5202 diff changeset	15 local array = require "util.array";
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	16
3915 80dffbbd056b mod_rest, mod_http_oauth2: Switch from mod_authtokens to mod_tokenauth per Prosody bf81523e2ff4 Matthew Wild <mwild1@gmail.com> parents: 3908 diff changeset	17 local tokens = module:depends("tokenauth");
3908 8ac5d9933106 mod_http_oauth2: Implement real tokens using mod_authtokens Matthew Wild <mwild1@gmail.com> parents: 3903 diff changeset	18
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	19 -- Used to derive client_secret from client_id, set to enable stateless dynamic registration.
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	20 local registration_key = module:get_option_string("oauth2_registration_key");
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	21 local registration_algo = module:get_option_string("oauth2_registration_algorithm", "HS256");
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	22 local registration_options = module:get_option("oauth2_registration_options", { default_ttl = 60 * 60 * 24 * 90 });
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	23
5199 f48628dc83f1 mod_http_oauth2: Separate client_secret verification key from JWT key Kim Alvefur <zash@zash.se> parents: 5198 diff changeset	24 local verification_key;
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	25 local jwt_sign, jwt_verify;
5196 6b63af56c8ac mod_http_oauth2: Remove error message Kim Alvefur <zash@zash.se> parents: 5195 diff changeset	26 if registration_key then
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	27 -- Tie it to the host if global
5199 f48628dc83f1 mod_http_oauth2: Separate client_secret verification key from JWT key Kim Alvefur <zash@zash.se> parents: 5198 diff changeset	28 verification_key = hashes.hmac_sha256(registration_key, module.host);
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	29 jwt_sign, jwt_verify = jwt.init(registration_algo, registration_key, registration_key, registration_options);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	30 end
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	31
4998 5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	32 local function filter_scopes(username, host, requested_scope_string)
5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	33 if host ~= module.host then
5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	34 return usermanager.get_jid_role(username.."@"..host, module.host).name;
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	35 end
4998 5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	36
5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	37 if requested_scope_string then -- Specific role requested
5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	38 -- TODO: The requested scope string is technically a space-delimited list
5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	39 -- of scopes, but for simplicity we're mapping this slot to role names.
5006 5dadbe0718f1 mod_http_oauth2: Update for new new role API Matthew Wild <mwild1@gmail.com> parents: 4998 diff changeset	40 if usermanager.user_can_assume_role(username, module.host, requested_scope_string) then
4998 5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	41 return requested_scope_string;
5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	42 end
5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	43 end
5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	44
5006 5dadbe0718f1 mod_http_oauth2: Update for new new role API Matthew Wild <mwild1@gmail.com> parents: 4998 diff changeset	45 return usermanager.get_user_role(username, module.host).name;
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	46 end
7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	47
4669 d3434fd151b5 mod_http_oauth2: Optimize cleanup timer Kim Alvefur <zash@zash.se> parents: 4370 diff changeset	48 local function code_expires_in(code)
d3434fd151b5 mod_http_oauth2: Optimize cleanup timer Kim Alvefur <zash@zash.se> parents: 4370 diff changeset	49 return os.difftime(os.time(), code.issued);
d3434fd151b5 mod_http_oauth2: Optimize cleanup timer Kim Alvefur <zash@zash.se> parents: 4370 diff changeset	50 end
d3434fd151b5 mod_http_oauth2: Optimize cleanup timer Kim Alvefur <zash@zash.se> parents: 4370 diff changeset	51
4269 143515d0b212 mod_http_oauth2: Factor out authorization code validity decision Kim Alvefur <zash@zash.se> parents: 4265 diff changeset	52 local function code_expired(code)
4669 d3434fd151b5 mod_http_oauth2: Optimize cleanup timer Kim Alvefur <zash@zash.se> parents: 4370 diff changeset	53 return code_expires_in(code) > 120;
4269 143515d0b212 mod_http_oauth2: Factor out authorization code validity decision Kim Alvefur <zash@zash.se> parents: 4265 diff changeset	54 end
143515d0b212 mod_http_oauth2: Factor out authorization code validity decision Kim Alvefur <zash@zash.se> parents: 4265 diff changeset	55
4271 9623b99bb8d2 mod_http_oauth2: Keep authorization codes in memory instead of storage Kim Alvefur <zash@zash.se> parents: 4270 diff changeset	56 local codes = cache.new(10000, function (_, code)
9623b99bb8d2 mod_http_oauth2: Keep authorization codes in memory instead of storage Kim Alvefur <zash@zash.se> parents: 4270 diff changeset	57 return code_expired(code)
9623b99bb8d2 mod_http_oauth2: Keep authorization codes in memory instead of storage Kim Alvefur <zash@zash.se> parents: 4270 diff changeset	58 end);
9623b99bb8d2 mod_http_oauth2: Keep authorization codes in memory instead of storage Kim Alvefur <zash@zash.se> parents: 4270 diff changeset	59
4272 91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	60 module:add_timer(900, function()
91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	61 local k, code = codes:tail();
91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	62 while code and code_expired(code) do
91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	63 codes:set(k, nil);
91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	64 k, code = codes:tail();
91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	65 end
4669 d3434fd151b5 mod_http_oauth2: Optimize cleanup timer Kim Alvefur <zash@zash.se> parents: 4370 diff changeset	66 return code and code_expires_in(code) + 1 or 900;
4272 91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	67 end)
91b951fb3018 mod_http_oauth2: Periodically trim unused authorization codes Kim Alvefur <zash@zash.se> parents: 4271 diff changeset	68
5207 c72e3b0914e8 mod_http_oauth: Factor out issuer URL calculation to a helper function Matthew Wild <mwild1@gmail.com> parents: 5206 diff changeset	69 local function get_issuer()
c72e3b0914e8 mod_http_oauth: Factor out issuer URL calculation to a helper function Matthew Wild <mwild1@gmail.com> parents: 5206 diff changeset	70 return (module:http_url(nil, "/"):gsub("/$", ""));
c72e3b0914e8 mod_http_oauth: Factor out issuer URL calculation to a helper function Matthew Wild <mwild1@gmail.com> parents: 5206 diff changeset	71 end
c72e3b0914e8 mod_http_oauth: Factor out issuer URL calculation to a helper function Matthew Wild <mwild1@gmail.com> parents: 5206 diff changeset	72
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	73 local function oauth_error(err_name, err_desc)
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	74 return errors.new({
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	75 type = "modify";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	76 condition = "bad-request";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	77 code = err_name == "invalid_client" and 401 or 400;
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	78 text = err_desc and (err_name..": "..err_desc) or err_name;
4276 ec33b3b1136c mod_http_oauth2: Fix passing OAuth-specific error details Kim Alvefur <zash@zash.se> parents: 4272 diff changeset	79 extra = { oauth2_response = { error = err_name, error_description = err_desc } };
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	80 });
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	81 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	82
3918 dea6bea2ddd3 mod_http_oauth2: Refactor re-joining of JID out of token constructor Kim Alvefur <zash@zash.se> parents: 3915 diff changeset	83 local function new_access_token(token_jid, scope, ttl)
5182 20ba6340f524 mod_http_oauth2: Issue tokens for the purpose of 'oauth2' Kim Alvefur <zash@zash.se> parents: 5181 diff changeset	84 local token = tokens.create_jid_token(token_jid, token_jid, scope, ttl, nil, "oauth2");
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	85 return {
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	86 token_type = "bearer";
3908 8ac5d9933106 mod_http_oauth2: Implement real tokens using mod_authtokens Matthew Wild <mwild1@gmail.com> parents: 3903 diff changeset	87 access_token = token;
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	88 expires_in = ttl;
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	89 scope = scope;
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	90 -- TODO: include refresh_token when implemented
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	91 };
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	92 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	93
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	94 local function get_redirect_uri(client, query_redirect_uri) -- record client, string : string
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	95 for _, redirect_uri in ipairs(client.redirect_uris) do
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	96 if query_redirect_uri == nil or query_redirect_uri == redirect_uri then
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	97 return redirect_uri
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	98 end
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	99 end
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	100 end
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	101
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	102 local grant_type_handlers = {};
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	103 local response_type_handlers = {};
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	104
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	105 function grant_type_handlers.password(params)
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	106 local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)"));
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	107 local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'"));
3919 8ed261a08a9c mod_http_oauth2: Allow creation of full JID tokens Kim Alvefur <zash@zash.se> parents: 3918 diff changeset	108 local request_username, request_host, request_resource = jid.prepped_split(request_jid);
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	109
3908 8ac5d9933106 mod_http_oauth2: Implement real tokens using mod_authtokens Matthew Wild <mwild1@gmail.com> parents: 3903 diff changeset	110 if not (request_username and request_host) or request_host ~= module.host then
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	111 return oauth_error("invalid_request", "invalid JID");
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	112 end
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	113 if not usermanager.test_password(request_username, request_host, request_password) then
7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	114 return oauth_error("invalid_grant", "incorrect credentials");
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	115 end
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	116
7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	117 local granted_jid = jid.join(request_username, request_host, request_resource);
4998 5ab134b7e510 mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible) Matthew Wild <mwild1@gmail.com> parents: 4670 diff changeset	118 local granted_scopes = filter_scopes(request_username, request_host, params.scope);
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	119 return json.encode(new_access_token(granted_jid, granted_scopes, nil));
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	120 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	121
5186 fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	122 -- TODO response_type_handlers have some common boilerplate code, refactor?
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	123
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	124 function response_type_handlers.code(params, granted_jid)
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	125 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	126
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	127 local ok, client = jwt_verify(params.client_id);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	128
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	129 if not ok then
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	130 return oauth_error("invalid_client", "incorrect credentials");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	131 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	132
5191 f5a58cbe86e4 mod_http_oauth2: Derive scope from correct user details Kim Alvefur <zash@zash.se> parents: 5190 diff changeset	133 local request_username, request_host = jid.split(granted_jid);
f5a58cbe86e4 mod_http_oauth2: Derive scope from correct user details Kim Alvefur <zash@zash.se> parents: 5190 diff changeset	134 local granted_scopes = filter_scopes(request_username, request_host, params.scope);
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	135
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	136 local code = uuid.generate();
4670 1b81b7269858 mod_http_oauth2: Gracefully handle cache write failure Kim Alvefur <zash@zash.se> parents: 4669 diff changeset	137 local ok = codes:set(params.client_id .. "#" .. code, {
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	138 issued = os.time();
7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	139 granted_jid = granted_jid;
7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	140 granted_scopes = granted_scopes;
4670 1b81b7269858 mod_http_oauth2: Gracefully handle cache write failure Kim Alvefur <zash@zash.se> parents: 4669 diff changeset	141 });
1b81b7269858 mod_http_oauth2: Gracefully handle cache write failure Kim Alvefur <zash@zash.se> parents: 4669 diff changeset	142 if not ok then
1b81b7269858 mod_http_oauth2: Gracefully handle cache write failure Kim Alvefur <zash@zash.se> parents: 4669 diff changeset	143 return {status_code = 429};
1b81b7269858 mod_http_oauth2: Gracefully handle cache write failure Kim Alvefur <zash@zash.se> parents: 4669 diff changeset	144 end
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	145
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	146 local redirect_uri = get_redirect_uri(client, params.redirect_uri);
5188 7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	147 if redirect_uri == "urn:ietf:wg:oauth:2.0:oob" then
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	148 -- TODO some nicer template page
5206 31c62df82aa8 mod_http_oauth2: Clarify comment referencing mod_http_errors (thanks MattJ) Kim Alvefur <zash@zash.se> parents: 5205 diff changeset	149 -- mod_http_errors will set content-type to text/html if it catches this
31c62df82aa8 mod_http_oauth2: Clarify comment referencing mod_http_errors (thanks MattJ) Kim Alvefur <zash@zash.se> parents: 5205 diff changeset	150 -- event, if not text/plain is kept for the fallback text.
5188 7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	151 local response = { status_code = 200; headers = { content_type = "text/plain" } }
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	152 response.body = module:context("*"):fire_event("http-message", {
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	153 response = response;
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	154 title = "Your authorization code";
5195 b4932915e773 mod_http_oauth2: Mention name of client when giving out OOB authorization code Kim Alvefur <zash@zash.se> parents: 5194 diff changeset	155 message = "Here's your authorization code, copy and paste it into " .. (client.client_name or "your client");
5188 7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	156 extra = code;
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	157 }) or ("Here's your authorization code:\n%s\n"):format(code);
5190 1733f184e2bb mod_http_oauth2: Fix to actually return OOB response Kim Alvefur <zash@zash.se> parents: 5189 diff changeset	158 return response;
5188 7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	159 end
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	160
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	161 local redirect = url.parse(redirect_uri);
7c531137a553 mod_http_oauth2: Implement OOB special redirect URI in code flow Kim Alvefur <zash@zash.se> parents: 5187 diff changeset	162
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	163 local query = http.formdecode(redirect.query or "");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	164 if type(query) ~= "table" then query = {}; end
5192 03aa9baa9ac3 mod_http_oauth2: Add support for 'iss' authz response parameter (RFC 9207) Matthew Wild <mwild1@gmail.com> parents: 5191 diff changeset	165 table.insert(query, { name = "code", value = code });
5207 c72e3b0914e8 mod_http_oauth: Factor out issuer URL calculation to a helper function Matthew Wild <mwild1@gmail.com> parents: 5206 diff changeset	166 table.insert(query, { name = "iss", value = get_issuer() });
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	167 if params.state then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	168 table.insert(query, { name = "state", value = params.state });
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	169 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	170 redirect.query = http.formencode(query);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	171
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	172 return {
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	173 status_code = 302;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	174 headers = {
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	175 location = url.build(redirect);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	176 };
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	177 }
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	178 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	179
5186 fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	180 -- Implicit flow
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	181 function response_type_handlers.token(params, granted_jid)
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	182 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	183
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	184 local client = jwt_verify(params.client_id);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	185
5186 fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	186 if not client then
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	187 return oauth_error("invalid_client", "incorrect credentials");
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	188 end
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	189
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	190 local request_username, request_host = jid.split(granted_jid);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	191 local granted_scopes = filter_scopes(request_username, request_host, params.scope);
5186 fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	192 local token_info = new_access_token(granted_jid, granted_scopes, nil);
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	193
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	194 local redirect = url.parse(get_redirect_uri(client, params.redirect_uri));
5186 fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	195 token_info.state = params.state;
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	196 redirect.fragment = http.formencode(token_info);
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	197
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	198 return {
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	199 status_code = 302;
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	200 headers = {
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	201 location = url.build(redirect);
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	202 };
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	203 }
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	204 end
fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	205
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	206 local function make_secret(client_id) --> client_secret
5199 f48628dc83f1 mod_http_oauth2: Separate client_secret verification key from JWT key Kim Alvefur <zash@zash.se> parents: 5198 diff changeset	207 return hashes.hmac_sha256(verification_key, client_id, true);
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	208 end
4263 d3af5f94d6df mod_http_oauth2: Improve storage of client secret Kim Alvefur <zash@zash.se> parents: 4260 diff changeset	209
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	210 local function verify_secret(client_id, client_secret)
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	211 return hashes.equals(make_secret(client_id), client_secret);
4263 d3af5f94d6df mod_http_oauth2: Improve storage of client secret Kim Alvefur <zash@zash.se> parents: 4260 diff changeset	212 end
d3af5f94d6df mod_http_oauth2: Improve storage of client secret Kim Alvefur <zash@zash.se> parents: 4260 diff changeset	213
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	214 function grant_type_handlers.authorization_code(params)
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	215 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	216 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	217 if not params.code then return oauth_error("invalid_request", "missing 'code'"); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	218 if params.scope and params.scope ~= "" then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	219 return oauth_error("invalid_scope", "unknown scope requested");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	220 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	221
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	222 local client = jwt_verify(params.client_id);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	223 if not client then
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	224 return oauth_error("invalid_client", "incorrect credentials");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	225 end
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	226
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	227 if not verify_secret(params.client_id, params.client_secret) then
4260 c539334dd01a mod_http_oauth2: Rescope oauth client config into users' storage Kim Alvefur <zash@zash.se> parents: 4259 diff changeset	228 module:log("debug", "client_secret mismatch");
c539334dd01a mod_http_oauth2: Rescope oauth client config into users' storage Kim Alvefur <zash@zash.se> parents: 4259 diff changeset	229 return oauth_error("invalid_client", "incorrect credentials");
c539334dd01a mod_http_oauth2: Rescope oauth client config into users' storage Kim Alvefur <zash@zash.se> parents: 4259 diff changeset	230 end
4271 9623b99bb8d2 mod_http_oauth2: Keep authorization codes in memory instead of storage Kim Alvefur <zash@zash.se> parents: 4270 diff changeset	231 local code, err = codes:get(params.client_id .. "#" .. params.code);
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	232 if err then error(err); end
4269 143515d0b212 mod_http_oauth2: Factor out authorization code validity decision Kim Alvefur <zash@zash.se> parents: 4265 diff changeset	233 if not code or type(code) ~= "table" or code_expired(code) then
4260 c539334dd01a mod_http_oauth2: Rescope oauth client config into users' storage Kim Alvefur <zash@zash.se> parents: 4259 diff changeset	234 module:log("debug", "authorization_code invalid or expired: %q", code);
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	235 return oauth_error("invalid_client", "incorrect credentials");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	236 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	237
4340 7cd3b7ec59e9 mod_http_oauth2: Rudimentary support for scopes (but not really) Matthew Wild <mwild1@gmail.com> parents: 4276 diff changeset	238 return json.encode(new_access_token(code.granted_jid, code.granted_scopes, nil));
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	239 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	240
4370 dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	241 local function check_credentials(request, allow_token)
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	242 local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	243
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	244 if auth_type == "Basic" then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	245 local creds = base64.decode(auth_data);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	246 if not creds then return false; end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	247 local username, password = string.match(creds, "^([^:]+):(.*)$");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	248 if not username then return false; end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	249 username, password = encodings.stringprep.nodeprep(username), encodings.stringprep.saslprep(password);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	250 if not username then return false; end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	251 if not usermanager.test_password(username, module.host, password) then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	252 return false;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	253 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	254 return username;
4370 dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	255 elseif auth_type == "Bearer" and allow_token then
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	256 local token_info = tokens.get_token_info(auth_data);
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	257 if not token_info or not token_info.session or token_info.session.host ~= module.host then
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	258 return false;
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	259 end
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	260 return token_info.session.username;
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	261 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	262 return nil;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	263 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	264
3920 cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	265 if module:get_host_type() == "component" then
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	266 local component_secret = assert(module:get_option_string("component_secret"), "'component_secret' is a required setting when loaded on a Component");
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	267
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	268 function grant_type_handlers.password(params)
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	269 local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)"));
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	270 local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'"));
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	271 local request_username, request_host, request_resource = jid.prepped_split(request_jid);
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	272 if params.scope then
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	273 return oauth_error("invalid_scope", "unknown scope requested");
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	274 end
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	275 if not request_host or request_host ~= module.host then
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	276 return oauth_error("invalid_request", "invalid JID");
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	277 end
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	278 if request_password == component_secret then
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	279 local granted_jid = jid.join(request_username, request_host, request_resource);
4257 145e8e8a247a mod_http_oauth2: Fix incomplete function arity change in dea6bea2ddd3 Kim Alvefur <zash@zash.se> parents: 4256 diff changeset	280 return json.encode(new_access_token(granted_jid, nil, nil));
3920 cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	281 end
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	282 return oauth_error("invalid_grant", "incorrect credentials");
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	283 end
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	284
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	285 -- TODO How would this make sense with components?
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	286 -- Have an admin authenticate maybe?
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	287 response_type_handlers.code = nil;
5186 fa3059e653fa mod_http_oauth2: Implement the Implicit flow Kim Alvefur <zash@zash.se> parents: 5185 diff changeset	288 response_type_handlers.token = nil;
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	289 grant_type_handlers.authorization_code = nil;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	290 check_credentials = function () return false end
3920 cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	291 end
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	292
5187 6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	293 local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", {"authorization_code", "password"})
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	294 for handler_type in pairs(grant_type_handlers) do
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	295 if not allowed_grant_type_handlers:contains(handler_type) then
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	296 grant_type_handlers[handler_type] = nil;
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	297 end
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	298 end
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	299
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	300 -- "token" aka implicit flow is considered insecure
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	301 local allowed_response_type_handlers = module:get_option_set("allowed_oauth2_response_types", {"code"})
5198 2e8a7a0f932d mod_http_oauth2: Fix response type config Kim Alvefur <zash@zash.se> parents: 5196 diff changeset	302 for handler_type in pairs(response_type_handlers) do
2e8a7a0f932d mod_http_oauth2: Fix response type config Kim Alvefur <zash@zash.se> parents: 5196 diff changeset	303 if not allowed_response_type_handlers:contains(handler_type) then
5187 6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	304 grant_type_handlers[handler_type] = nil;
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	305 end
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	306 end
6a3c1febd7be mod_http_oauth2: Add settings for allowed grant and response types Kim Alvefur <zash@zash.se> parents: 5186 diff changeset	307
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	308 function handle_token_grant(event)
3934 469408682152 mod_http_oauth2: Set content type on successful repsponses (fixes #1501) Kim Alvefur <zash@zash.se> parents: 3920 diff changeset	309 event.response.headers.content_type = "application/json";
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	310 local params = http.formdecode(event.request.body);
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	311 if not params then
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	312 return oauth_error("invalid_request");
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	313 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	314 local grant_type = params.grant_type
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	315 local grant_handler = grant_type_handlers[grant_type];
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	316 if not grant_handler then
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	317 return oauth_error("unsupported_grant_type");
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	318 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	319 return grant_handler(params);
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	320 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	321
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	322 local function handle_authorization_request(event)
4258 cc712899becd mod_http_oauth2: Unpack event object to improve readability Kim Alvefur <zash@zash.se> parents: 4257 diff changeset	323 local request, response = event.request, event.response;
cc712899becd mod_http_oauth2: Unpack event object to improve readability Kim Alvefur <zash@zash.se> parents: 4257 diff changeset	324 if not request.headers.authorization then
cc712899becd mod_http_oauth2: Unpack event object to improve readability Kim Alvefur <zash@zash.se> parents: 4257 diff changeset	325 response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	326 return 401;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	327 end
4258 cc712899becd mod_http_oauth2: Unpack event object to improve readability Kim Alvefur <zash@zash.se> parents: 4257 diff changeset	328 local user = check_credentials(request);
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	329 if not user then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	330 return 401;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	331 end
4265 7b4a73364363 mod_http_oauth2: Add TODO Kim Alvefur <zash@zash.se> parents: 4263 diff changeset	332 -- TODO ask user for consent here
4258 cc712899becd mod_http_oauth2: Unpack event object to improve readability Kim Alvefur <zash@zash.se> parents: 4257 diff changeset	333 if not request.url.query then
cc712899becd mod_http_oauth2: Unpack event object to improve readability Kim Alvefur <zash@zash.se> parents: 4257 diff changeset	334 response.headers.content_type = "application/json";
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	335 return oauth_error("invalid_request");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	336 end
4258 cc712899becd mod_http_oauth2: Unpack event object to improve readability Kim Alvefur <zash@zash.se> parents: 4257 diff changeset	337 local params = http.formdecode(request.url.query);
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	338 if not params then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	339 return oauth_error("invalid_request");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	340 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	341 local response_type = params.response_type;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	342 local response_handler = response_type_handlers[response_type];
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	343 if not response_handler then
4258 cc712899becd mod_http_oauth2: Unpack event object to improve readability Kim Alvefur <zash@zash.se> parents: 4257 diff changeset	344 response.headers.content_type = "application/json";
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	345 return oauth_error("unsupported_response_type");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	346 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	347 return response_handler(params, jid.join(user, module.host));
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	348 end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	349
4370 dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	350 local function handle_revocation_request(event)
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	351 local request, response = event.request, event.response;
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	352 if not request.headers.authorization then
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	353 response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	354 return 401;
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	355 elseif request.headers.content_type ~= "application/x-www-form-urlencoded"
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	356 or not request.body or request.body == "" then
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	357 return 400;
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	358 end
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	359 local user = check_credentials(request, true);
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	360 if not user then
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	361 return 401;
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	362 end
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	363
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	364 local form_data = http.formdecode(event.request.body);
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	365 if not form_data or not form_data.token then
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	366 return 400;
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	367 end
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	368 local ok, err = tokens.revoke_token(form_data.token);
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	369 if not ok then
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	370 module:log("warn", "Unable to revoke token: %s", tostring(err));
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	371 return 500;
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	372 end
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	373 return 200;
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	374 end
dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	375
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	376 local registration_schema = {
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	377 type = "object";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	378 required = { "client_name"; "redirect_uris" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	379 properties = {
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	380 redirect_uris = { type = "array"; minLength = 1; items = { type = "string"; format = "uri" } };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	381 token_endpoint_auth_method = { enum = { "none"; "client_secret_post"; "client_secret_basic" }; type = "string" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	382 grant_types = {
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	383 items = {
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	384 enum = {
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	385 "authorization_code";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	386 "implicit";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	387 "password";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	388 "client_credentials";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	389 "refresh_token";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	390 "urn:ietf:params:oauth:grant-type:jwt-bearer";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	391 "urn:ietf:params:oauth:grant-type:saml2-bearer";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	392 };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	393 type = "string";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	394 };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	395 type = "array";
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	396 };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	397 response_types = { items = { enum = { "code"; "token" }; type = "string" }; type = "array" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	398 client_name = { type = "string" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	399 client_uri = { type = "string"; format = "uri" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	400 logo_uri = { type = "string"; format = "uri" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	401 scope = { type = "string" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	402 contacts = { items = { type = "string" }; type = "array" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	403 tos_uri = { type = "string" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	404 policy_uri = { type = "string"; format = "uri" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	405 jwks_uri = { type = "string"; format = "uri" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	406 jwks = { type = "object"; description = "JSON Web Key Set, RFC 7517" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	407 software_id = { type = "string"; format = "uuid" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	408 software_version = { type = "string" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	409 };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	410 }
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	411
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	412 local function handle_register_request(event)
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	413 local request = event.request;
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	414 local client_metadata = json.decode(request.body);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	415
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	416 if not schema.validate(registration_schema, client_metadata) then
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	417 return oauth_error("invalid_request", "Failed schema validation.");
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	418 end
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	419
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	420 -- Ensure each signed client_id JWT is unique
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	421 client_metadata.nonce = uuid.generate();
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	422
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	423 -- Do we want to keep everything?
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	424 local client_id = jwt_sign(client_metadata);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	425 local client_secret = make_secret(client_id);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	426
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	427 local client_desc = {
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	428 client_id = client_id;
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	429 client_secret = client_secret;
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	430 client_id_issued_at = os.time();
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	431 client_secret_expires_at = 0;
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	432 }
5202 b81fd0d22c66 mod_http_oauth2: Calculate client secret expiry in registration response Kim Alvefur <zash@zash.se> parents: 5201 diff changeset	433 if not registration_options.accept_expired then
b81fd0d22c66 mod_http_oauth2: Calculate client secret expiry in registration response Kim Alvefur <zash@zash.se> parents: 5201 diff changeset	434 client_desc.client_secret_expires_at = client_desc.client_id_issued_at + (registration_options.default_ttl or 3600);
b81fd0d22c66 mod_http_oauth2: Calculate client secret expiry in registration response Kim Alvefur <zash@zash.se> parents: 5201 diff changeset	435 end
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	436
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	437 return {
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	438 status_code = 201;
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	439 headers = { content_type = "application/json" };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	440 body = json.encode(client_desc);
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	441 };
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	442 end
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	443
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	444 if not registration_key then
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	445 module:log("info", "No 'oauth2_registration_key', dynamic client registration disabled")
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	446 handle_authorization_request = nil
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	447 handle_register_request = nil
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	448 end
2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	449
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	450 module:depends("http");
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	451 module:provides("http", {
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	452 route = {
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	453 ["POST /token"] = handle_token_grant;
4256 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4237 diff changeset	454 ["GET /authorize"] = handle_authorization_request;
4370 dee6b5098278 mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda) Matthew Wild <mwild1@gmail.com> parents: 4340 diff changeset	455 ["POST /revoke"] = handle_revocation_request;
5193 2bb29ece216b mod_http_oauth2: Implement stateless dynamic client registration Kim Alvefur <zash@zash.se> parents: 5192 diff changeset	456 ["POST /register"] = handle_register_request;
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	457 };
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	458 });
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	459
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	460 local http_server = require "net.http.server";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	461
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	462 module:hook_object_event(http_server, "http-error", function (event)
4276 ec33b3b1136c mod_http_oauth2: Fix passing OAuth-specific error details Kim Alvefur <zash@zash.se> parents: 4272 diff changeset	463 local oauth2_response = event.error and event.error.extra and event.error.extra.oauth2_response;
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	464 if not oauth2_response then
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	465 return;
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	466 end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	467 event.response.headers.content_type = "application/json";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	468 event.response.status_code = event.error.code or 400;
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	469 return json.encode(oauth2_response);
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	470 end, 5);
5189 4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	471
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	472 -- OIDC Discovery
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	473
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	474 module:provides("http", {
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	475 name = "oauth2-discovery";
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	476 default_path = "/.well-known/oauth-authorization-server";
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	477 route = {
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	478 ["GET"] = {
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	479 headers = { content_type = "application/json" };
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	480 body = json.encode {
5207 c72e3b0914e8 mod_http_oauth: Factor out issuer URL calculation to a helper function Matthew Wild <mwild1@gmail.com> parents: 5206 diff changeset	481 issuer = get_issuer();
5200 afed7d5bd65c mod_http_oauth2: Advertise endpoints that are enabled Kim Alvefur <zash@zash.se> parents: 5199 diff changeset	482 authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil;
afed7d5bd65c mod_http_oauth2: Advertise endpoints that are enabled Kim Alvefur <zash@zash.se> parents: 5199 diff changeset	483 token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil;
5189 4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	484 jwks_uri = nil; -- TODO?
5200 afed7d5bd65c mod_http_oauth2: Advertise endpoints that are enabled Kim Alvefur <zash@zash.se> parents: 5199 diff changeset	485 registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil;
5205 b6f41f0b5f58 mod_http_oauth2: Specify host for which to retrieve list of roles Kim Alvefur <zash@zash.se> parents: 5204 diff changeset	486 scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host)))
5204 eb8b3a068ecc mod_http_oauth2: Return list of active roles in discovery Kim Alvefur <zash@zash.se> parents: 5203 diff changeset	487 or { "prosody:restricted"; "prosody:user"; "prosody:admin"; "prosody:operator" };
5203 c60cff787d6a mod_http_oauth2: Return actually enabled response types in discovery Kim Alvefur <zash@zash.se> parents: 5202 diff changeset	488 response_types_supported = array(it.keys(response_type_handlers));
5192 03aa9baa9ac3 mod_http_oauth2: Add support for 'iss' authz response parameter (RFC 9207) Matthew Wild <mwild1@gmail.com> parents: 5191 diff changeset	489 authorization_response_iss_parameter_supported = true;
5189 4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	490 };
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	491 };
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	492 };
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	493 });
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	494
4ee8eb1134a8 mod_http_oauth2: Add OIDC discovery endpoint (thanks Zash) Matthew Wild <mwild1@gmail.com> parents: 5188 diff changeset	495 module:shared("tokenauth/oauthbearer_config").oidc_discovery_url = module:http_url("oauth2-discovery", "/.well-known/oauth-authorization-server");

Mercurial > prosody-modules

annotate mod_http_oauth2/mod_http_oauth2.lua @ 5207:c72e3b0914e8