Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5467:1c78a97a1091
mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role
This will be the first step towards defining a standard set of XMPP
scopes. "xmpp" behaves as an alias for the user's default role, so that
the client does not need to know about the various prosody:* roles.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Wed, 17 May 2023 19:40:27 +0200 |
| parents | 398d936e77fb |
| children | 14b5446e22e1 |
comparison
equal
deleted
inserted
replaced
| 5466:398d936e77fb | 5467:1c78a97a1091 |
|---|---|
| 100 -- string -> array | 100 -- string -> array |
| 101 local function parse_scopes(scope_string) | 101 local function parse_scopes(scope_string) |
| 102 return array(scope_string:gmatch("%S+")); | 102 return array(scope_string:gmatch("%S+")); |
| 103 end | 103 end |
| 104 | 104 |
| 105 local openid_claims = set.new({ "openid", "profile"; "email"; "address"; "phone" }); | 105 local openid_claims = set.new({ "openid"; "profile"; "email"; "address"; "phone" }); |
| 106 | 106 |
| 107 -- array -> array, array, array | 107 -- array -> array, array, array |
| 108 local function split_scopes(scope_list) | 108 local function split_scopes(scope_list) |
| 109 local claims, roles, unknown = array(), array(), array(); | 109 local claims, roles, unknown = array(), array(), array(); |
| 110 local all_roles = usermanager.get_all_roles(module.host); | 110 local all_roles = usermanager.get_all_roles(module.host); |
| 111 for _, scope in ipairs(scope_list) do | 111 for _, scope in ipairs(scope_list) do |
| 112 if openid_claims:contains(scope) then | 112 if openid_claims:contains(scope) then |
| 113 claims:push(scope); | 113 claims:push(scope); |
| 114 elseif all_roles[scope] then | 114 elseif scope == "xmpp" or all_roles[scope] then |
| 115 roles:push(scope); | 115 roles:push(scope); |
| 116 else | 116 else |
| 117 unknown:push(scope); | 117 unknown:push(scope); |
| 118 end | 118 end |
| 119 end | 119 end |
| 120 return claims, roles, unknown; | 120 return claims, roles, unknown; |
| 121 end | 121 end |
| 122 | 122 |
| 123 local function can_assume_role(username, requested_role) | 123 local function can_assume_role(username, requested_role) |
| 124 return usermanager.user_can_assume_role(username, module.host, requested_role); | 124 return requested_role == "xmpp" or usermanager.user_can_assume_role(username, module.host, requested_role); |
| 125 end | 125 end |
| 126 | 126 |
| 127 -- function (string) : function(string) : boolean | 127 -- function (string) : function(string) : boolean |
| 128 local function role_assumable_by(username) | 128 local function role_assumable_by(username) |
| 129 return function(role) | 129 return function(role) |
| 219 -- Create refresh token for the grant if desired | 219 -- Create refresh token for the grant if desired |
| 220 refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant, nil, nil, "oauth2-refresh"); | 220 refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant, nil, nil, "oauth2-refresh"); |
| 221 else | 221 else |
| 222 -- Grant exists, reuse existing refresh token | 222 -- Grant exists, reuse existing refresh token |
| 223 refresh_token = refresh_token_info.token; | 223 refresh_token = refresh_token_info.token; |
| 224 end | |
| 225 | |
| 226 if role == "xmpp" then | |
| 227 -- Special scope meaning the users default role. | |
| 228 local user_default_role = usermanager.get_user_role(jid.node(token_jid), module.host); | |
| 229 role = user_default_role and user_default_role.name; | |
| 224 end | 230 end |
| 225 | 231 |
| 226 local access_token, access_token_info = tokens.create_token(token_jid, grant.id, role, default_access_ttl, "oauth2"); | 232 local access_token, access_token_info = tokens.create_token(token_jid, grant.id, role, default_access_ttl, "oauth2"); |
| 227 | 233 |
| 228 local expires_at = access_token_info.expires; | 234 local expires_at = access_token_info.expires; |
| 1078 -- RFC 8414: OAuth 2.0 Authorization Server Metadata | 1084 -- RFC 8414: OAuth 2.0 Authorization Server Metadata |
| 1079 issuer = get_issuer(); | 1085 issuer = get_issuer(); |
| 1080 authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil; | 1086 authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil; |
| 1081 token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil; | 1087 token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil; |
| 1082 registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil; | 1088 registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil; |
| 1083 scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host))):append(array(openid_claims:items())); | 1089 scopes_supported = usermanager.get_all_roles |
| 1090 and array(it.keys(usermanager.get_all_roles(module.host))):push("xmpp"):append(array(openid_claims:items())); | |
| 1084 response_types_supported = array(it.keys(response_type_handlers)); | 1091 response_types_supported = array(it.keys(response_type_handlers)); |
| 1085 token_endpoint_auth_methods_supported = array({ "client_secret_post"; "client_secret_basic" }); | 1092 token_endpoint_auth_methods_supported = array({ "client_secret_post"; "client_secret_basic" }); |
| 1086 op_policy_uri = module:get_option_string("oauth2_policy_url", nil); | 1093 op_policy_uri = module:get_option_string("oauth2_policy_url", nil); |
| 1087 op_tos_uri = module:get_option_string("oauth2_terms_url", nil); | 1094 op_tos_uri = module:get_option_string("oauth2_terms_url", nil); |
| 1088 revocation_endpoint = handle_revocation_request and module:http_url() .. "/revoke" or nil; | 1095 revocation_endpoint = handle_revocation_request and module:http_url() .. "/revoke" or nil; |