comparison mod_http_oauth2/mod_http_oauth2.lua @ 5467:1c78a97a1091

mod_http_oauth2: Add a special "xmpp" scope that grants the user's default role This will be the first step towards defining a standard set of XMPP scopes. "xmpp" behaves as an alias for the user's default role, so that the client does not need to know about the various prosody:* roles.
author Kim Alvefur <zash@zash.se>
date Wed, 17 May 2023 19:40:27 +0200
parents 398d936e77fb
children 14b5446e22e1
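--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -100,30 +100,30 @@
 -- string -> array
 local function parse_scopes(scope_string)
 return array(scope_string:gmatch("%S+"));
 end
 
-local openid_claims = set.new({ "openid", "profile"; "email"; "address"; "phone" });
+local openid_claims = set.new({ "openid"; "profile"; "email"; "address"; "phone" });
 
 -- array -> array, array, array
 local function split_scopes(scope_list)
 local claims, roles, unknown = array(), array(), array();
 local all_roles = usermanager.get_all_roles(module.host);
 for _, scope in ipairs(scope_list) do
 if openid_claims:contains(scope) then
 claims:push(scope);
-elseif all_roles[scope] then
+elseif scope == "xmpp" or all_roles[scope] then
 roles:push(scope);
 else
 unknown:push(scope);
 end
 end
 return claims, roles, unknown;
 end
 
 local function can_assume_role(username, requested_role)
-return usermanager.user_can_assume_role(username, module.host, requested_role);
+return requested_role == "xmpp" or usermanager.user_can_assume_role(username, module.host, requested_role);
 end
 
 -- function (string) : function(string) : boolean
 local function role_assumable_by(username)
 return function(role)
@@ -219,10 +219,16 @@
 -- Create refresh token for the grant if desired
 refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant, nil, nil, "oauth2-refresh");
 else
 -- Grant exists, reuse existing refresh token
 refresh_token = refresh_token_info.token;
+end
+
+if role == "xmpp" then
+-- Special scope meaning the users default role.
+local user_default_role = usermanager.get_user_role(jid.node(token_jid), module.host);
+role = user_default_role and user_default_role.name;
 end
 
 local access_token, access_token_info = tokens.create_token(token_jid, grant.id, role, default_access_ttl, "oauth2");
 
 local expires_at = access_token_info.expires;
@@ -1078,11 +1084,12 @@
 -- RFC 8414: OAuth 2.0 Authorization Server Metadata
 issuer = get_issuer();
 authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil;
 token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil;
 registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil;
-scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host))):append(array(openid_claims:items()));
+scopes_supported = usermanager.get_all_roles
+and array(it.keys(usermanager.get_all_roles(module.host))):push("xmpp"):append(array(openid_claims:items()));
 response_types_supported = array(it.keys(response_type_handlers));
 token_endpoint_auth_methods_supported = array({ "client_secret_post"; "client_secret_basic" });
 op_policy_uri = module:get_option_string("oauth2_policy_url", nil);
 op_tos_uri = module:get_option_string("oauth2_terms_url", nil);
 revocation_endpoint = handle_revocation_request and module:http_url() .. "/revoke" or nil;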
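Review bot: In the new `if role == "xmpp" then` block, `role` ends up nil when `usermanager.get_user_role` returns nothing for the account, and that nil is handed unchanged to `tokens.create_token` on the line that follows; what a nil role means there is not visible in this hunk, but it is presumably not "the user's default role", so the request should be rejected explicitly when `user_default_role` is nil rather than letting the nil fall through. The enclosing function starts and ends outside the hunk. Because the alias is resolved at issuance, the token stores the default role's name as of that moment, so a later change to the account's default role apparently will not affect already-issued tokens; a comment saying this is intended would help, e.g. `-- "xmpp" is an alias for the user's default role, resolved once at token creation`. The `can_assume_role` short-circuit in the first hunk is consistent with this, since the default role is assumable by definition.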