Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5271:3a1df3adad0c
mod_http_oauth2: Allow user to decide which requested scopes to grant
These should at the very least be shown to the user, so they can decide
whether to grant them.
Considered whether to filter the requested scopes down to actually
understood scopes that would be granted, but decided that this was a bit
complex for a first step, since role role selection and other kinds of
scopes are mixed into the same field here.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 23 Mar 2023 16:28:08 +0100 |
| parents | bac39c6e7203 |
| children | 40be37652d70 |
comparison
equal
deleted
inserted
replaced
| 5270:7acf73d2ebb5 | 5271:3a1df3adad0c |
|---|---|
| 364 return { | 364 return { |
| 365 error = user == "token-expired" and "Session expired - try again" or nil; | 365 error = user == "token-expired" and "Session expired - try again" or nil; |
| 366 }; | 366 }; |
| 367 end | 367 end |
| 368 | 368 |
| 369 local scope = array():append(form):filter(function(field) | |
| 370 return field.name == "scope"; | |
| 371 end):pluck("value"):concat(" "); | |
| 372 | |
| 369 user.token = form.user_token; | 373 user.token = form.user_token; |
| 370 return { | 374 return { |
| 371 user = user; | 375 user = user; |
| 376 scope = scope; | |
| 372 consent = form.consent == "granted"; | 377 consent = form.consent == "granted"; |
| 373 }; | 378 }; |
| 374 end | 379 end |
| 375 | 380 |
| 376 return {}; | 381 return {}; |
| 520 if not auth_state.user then | 525 if not auth_state.user then |
| 521 -- Render login page | 526 -- Render login page |
| 522 return render_page(templates.login, { state = auth_state, client = client }); | 527 return render_page(templates.login, { state = auth_state, client = client }); |
| 523 elseif auth_state.consent == nil then | 528 elseif auth_state.consent == nil then |
| 524 -- Render consent page | 529 -- Render consent page |
| 525 return render_page(templates.consent, { state = auth_state, client = client }, true); | 530 return render_page(templates.consent, { state = auth_state; client = client; scopes = parse_scopes(params.scope) }, true); |
| 526 elseif not auth_state.consent then | 531 elseif not auth_state.consent then |
| 527 -- Notify client of rejection | 532 -- Notify client of rejection |
| 528 return error_response(request, oauth_error("access_denied")); | 533 return error_response(request, oauth_error("access_denied")); |
| 529 end | 534 end |
| 535 -- else auth_state.consent == true | |
| 536 | |
| 537 params.scope = auth_state.scope; | |
| 530 | 538 |
| 531 local user_jid = jid.join(auth_state.user.username, module.host); | 539 local user_jid = jid.join(auth_state.user.username, module.host); |
| 532 local client_secret = make_client_secret(params.client_id); | 540 local client_secret = make_client_secret(params.client_id); |
| 533 local id_token_signer = jwt.new_signer("HS256", client_secret); | 541 local id_token_signer = jwt.new_signer("HS256", client_secret); |
| 534 local id_token = id_token_signer({ | 542 local id_token = id_token_signer({ |