comparison mod_http_oauth2/mod_http_oauth2.lua @ 5467:1c78a97a1091
mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role
This will be the first step towards defining a standard set of XMPP
scopes. "xmpp" behaves as an alias for the user's default role, so that
the client does not need to know about the various prosody:* roles.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 17 May 2023 19:40:27 +0200 |
parents | 398d936e77fb |
children | 14b5446e22e1 |
5466:398d936e77fb | 5467:1c78a97a1091 |
---|---|
100 -- string -> array | 100 -- string -> array |
101 local function parse_scopes(scope_string) | 101 local function parse_scopes(scope_string) |
102 return array(scope_string:gmatch("%S+")); | 102 return array(scope_string:gmatch("%S+")); |
103 end | 103 end |
104 | 104 |
105 local openid_claims = set.new({ "openid", "profile"; "email"; "address"; "phone" }); | 105 local openid_claims = set.new({ "openid"; "profile"; "email"; "address"; "phone" }); |
106 | 106 |
107 -- array -> array, array, array | 107 -- array -> array, array, array |
108 local function split_scopes(scope_list) | 108 local function split_scopes(scope_list) |
109 local claims, roles, unknown = array(), array(), array(); | 109 local claims, roles, unknown = array(), array(), array(); |
110 local all_roles = usermanager.get_all_roles(module.host); | 110 local all_roles = usermanager.get_all_roles(module.host); |
111 for _, scope in ipairs(scope_list) do | 111 for _, scope in ipairs(scope_list) do |
112 if openid_claims:contains(scope) then | 112 if openid_claims:contains(scope) then |
113 claims:push(scope); | 113 claims:push(scope); |
114 elseif all_roles[scope] then | 114 elseif scope == "xmpp" or all_roles[scope] then |
115 roles:push(scope); | 115 roles:push(scope); |
116 else | 116 else |
117 unknown:push(scope); | 117 unknown:push(scope); |
118 end | 118 end |
119 end | 119 end |
120 return claims, roles, unknown; | 120 return claims, roles, unknown; |
121 end | 121 end |
122 | 122 |
123 local function can_assume_role(username, requested_role) | 123 local function can_assume_role(username, requested_role) |
124 return usermanager.user_can_assume_role(username, module.host, requested_role); | 124 return requested_role == "xmpp" or usermanager.user_can_assume_role(username, module.host, requested_role); |
125 end | 125 end |
126 | 126 |
127 -- function (string) : function(string) : boolean | 127 -- function (string) : function(string) : boolean |
128 local function role_assumable_by(username) | 128 local function role_assumable_by(username) |
129 return function(role) | 129 return function(role) |
219 -- Create refresh token for the grant if desired | 219 -- Create refresh token for the grant if desired |
220 refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant, nil, nil, "oauth2-refresh"); | 220 refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant, nil, nil, "oauth2-refresh"); |
221 else | 221 else |
222 -- Grant exists, reuse existing refresh token | 222 -- Grant exists, reuse existing refresh token |
223 refresh_token = refresh_token_info.token; | 223 refresh_token = refresh_token_info.token; |
224 end | |
225 | |
226 if role == "xmpp" then | |
227 -- Special scope meaning the users default role. | |
228 local user_default_role = usermanager.get_user_role(jid.node(token_jid), module.host); | |
229 role = user_default_role and user_default_role.name; | |
224 end | 230 end |
225 | 231 |
226 local access_token, access_token_info = tokens.create_token(token_jid, grant.id, role, default_access_ttl, "oauth2"); | 232 local access_token, access_token_info = tokens.create_token(token_jid, grant.id, role, default_access_ttl, "oauth2"); |
227 | 233 |
228 local expires_at = access_token_info.expires; | 234 local expires_at = access_token_info.expires; |
1078 -- RFC 8414: OAuth 2.0 Authorization Server Metadata | 1084 -- RFC 8414: OAuth 2.0 Authorization Server Metadata |
1079 issuer = get_issuer(); | 1085 issuer = get_issuer(); |
1080 authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil; | 1086 authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil; |
1081 token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil; | 1087 token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil; |
1082 registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil; | 1088 registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil; |
1083 scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host))):append(array(openid_claims:items())); | 1089 scopes_supported = usermanager.get_all_roles |
1090 and array(it.keys(usermanager.get_all_roles(module.host))):push("xmpp"):append(array(openid_claims:items())); | |
1084 response_types_supported = array(it.keys(response_type_handlers)); | 1091 response_types_supported = array(it.keys(response_type_handlers)); |
1085 token_endpoint_auth_methods_supported = array({ "client_secret_post"; "client_secret_basic" }); | 1092 token_endpoint_auth_methods_supported = array({ "client_secret_post"; "client_secret_basic" }); |
1086 op_policy_uri = module:get_option_string("oauth2_policy_url", nil); | 1093 op_policy_uri = module:get_option_string("oauth2_policy_url", nil); |
1087 op_tos_uri = module:get_option_string("oauth2_terms_url", nil); | 1094 op_tos_uri = module:get_option_string("oauth2_terms_url", nil); |
1088 revocation_endpoint = handle_revocation_request and module:http_url() .. "/revoke" or nil; | 1095 revocation_endpoint = handle_revocation_request and module:http_url() .. "/revoke" or nil; |
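Review bot: In the new `if role == "xmpp"` block (new lines 226-229), `role` ends up nil when `usermanager.get_user_role` returns nothing, and that nil is passed straight to `tokens.create_token` on line 232, so the role the issued token actually carries in that case depends on how create_token treats a nil role, which is not visible here. Rejecting the request explicitly when the lookup fails (an `if not role then` guard that returns an error before the create_token call) would make that failure mode deliberate rather than inherited from the token library. A short comment above the lookup would also help the next reader, e.g. `-- Resolve the alias now: the token is created with the role name, not with "xmpp"`; whether the token later re-resolves the user's default role or keeps this name depends on create_token and is worth confirming. The enclosing function starts and ends outside this hunk.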