comparison mod_http_oauth2/mod_http_oauth2.lua @ 5255:001c8fdc91a4
mod_http_oauth2: Add support for the "openid" scope
This "openid" scope is there to signal access to the userinfo endpoint,
which is needed for OIDC support.
We don't actually check this later because the userinfo endpoint only
returns info embedded in the token itself, but in the future we may want
to check this more carefully.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 16 Mar 2023 17:06:35 +0100 |
parents | b0ccdd12a70d |
children | 44f7edd4f845 |
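--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -86,10 +86,13 @@
 local selected_role, granted_scopes = nil, array();
 
 if requested_scope_string then -- Specific role(s) requested
 local requested_scopes = parse_scopes(requested_scope_string);
 for _, scope in ipairs(requested_scopes) do
+if scope == "openid" then
+granted_scopes:push(scope);
+end
 if selected_role == nil and usermanager.user_can_assume_role(username, module.host, scope) then
 selected_role = scope;
 end
 end
 end
@@ -770,12 +773,12 @@
 authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil;
 token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil;
 jwks_uri = nil; -- TODO?
 userinfo_endpoint = handle_register_request and module:http_url() .. "/userinfo" or nil;
 registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil;
-scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host)))
-or { "prosody:restricted"; "prosody:user"; "prosody:admin"; "prosody:operator" };
+scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host))):push("openid")
+or { "prosody:restricted"; "prosody:user"; "prosody:admin"; "prosody:operator"; "openid" };
 response_types_supported = array(it.keys(response_type_handlers));
 authorization_response_iss_parameter_supported = true;
 };
 };
 };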
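Review bot: In the first hunk the new `if scope == "openid"` block falls through to the role check on the following line, so "openid" is still passed to `usermanager.user_can_assume_role` as if it were a role name, and a client that repeats `openid` in the scope string gets it pushed into `granted_scopes` once per occurrence. Making the role check the `else` branch keeps the two scope kinds apart: `if scope == "openid" then`, `granted_scopes:push(scope);`, `elseif selected_role == nil and usermanager.user_can_assume_role(username, module.host, scope) then`; deduplicating before the push would be a separate, small change. Since the commit message states the scope is recorded but not yet enforced, a comment at the push site such as `-- "openid" is granted here but not yet checked by the userinfo endpoint` would save the next reader from assuming it gates anything. The function containing this loop starts and ends outside the hunk.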