comparison mod_http_oauth2/mod_http_oauth2.lua @ 5271:3a1df3adad0c

mod_http_oauth2: Allow user to decide which requested scopes to grant. These should at the very least be shown to the user, so they can decide whether to grant them. Considered whether to filter the requested scopes down to actually understood scopes that would be granted, but decided that this was a bit complex for a first step, since role selection and other kinds of scopes are mixed into the same field here.
author Kim Alvefur <zash@zash.se>
date Thu, 23 Mar 2023 16:28:08 +0100
parents bac39c6e7203
children 40be37652d70
5270:7acf73d2ebb5 5271:3a1df3adad0c
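--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -364,13 +364,18 @@
 return {
 error = user == "token-expired" and "Session expired - try again" or nil;
 };
 end
 
+local scope = array():append(form):filter(function(field)
+return field.name == "scope";
+end):pluck("value"):concat(" ");
+
 user.token = form.user_token;
 return {
 user = user;
+scope = scope;
 consent = form.consent == "granted";
 };
 end
 
 return {};
@@ -520,15 +525,18 @@
 if not auth_state.user then
 -- Render login page
 return render_page(templates.login, { state = auth_state, client = client });
 elseif auth_state.consent == nil then
 -- Render consent page
-return render_page(templates.consent, { state = auth_state, client = client }, true);
+return render_page(templates.consent, { state = auth_state; client = client; scopes = parse_scopes(params.scope) }, true);
 elseif not auth_state.consent then
 -- Notify client of rejection
 return error_response(request, oauth_error("access_denied"));
 end
+-- else auth_state.consent == true
+
+params.scope = auth_state.scope;
 
 local user_jid = jid.join(auth_state.user.username, module.host);
 local client_secret = make_client_secret(params.client_id);
 local id_token_signer = jwt.new_signer("HS256", client_secret);
 local id_token = id_token_signer({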
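Review bot: New line 537 overwrites `params.scope` with `auth_state.scope`, which new line 369 assembles from whatever `scope` fields arrive in the consent POST, and nothing checks that those values are a subset of the scope the client asked for in the authorization request — so a tampered consent form can widen the grant past what the client requested and past what the consent page showed, and because the values are only joined with a space, a single field holding `a b` becomes two scope tokens. Intersecting the posted tokens with the request's scope before the assignment closes both without having to understand individual scopes, which the description deliberately defers; if `parse_scopes` returns a list of token strings it could be reused for the requested side, the sketch below works on the raw strings so as not to assume its shape. Note also that the client is not told when the issued scope differs from what it requested, which RFC 6749 §3.3 expects; that is outside this hunk. The functions containing both hunks begin and end outside the diff.

```lua
-- else auth_state.consent == true

-- Keep only granted scopes that the client actually requested, so a
-- tampered consent form cannot widen the grant beyond the request.
-- Tokens are split on whitespace so a form value cannot smuggle in extras.
local requested = {};
for token in (params.scope or ""):gmatch("%S+") do
	requested[token] = true;
end
local granted = {};
for token in (auth_state.scope or ""):gmatch("%S+") do
	if requested[token] then
		table.insert(granted, token);
	end
end
params.scope = table.concat(granted, " ");

-- … unchanged: user_jid, client_secret, id_token construction …
```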