Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5228:77cd01af06a9
mod_http_oauth2: Implement the OpenID userinfo endpoint
Needed for OIDC
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 09 Mar 2023 14:46:06 +0100 |
| parents | 3439eb37f23b |
| children | c24a622a7b85 |
comparison
equal
deleted
inserted
replaced
| 5227:0dcd956d7bc5 | 5228:77cd01af06a9 |
|---|---|
| 615 module:log("info", "No 'oauth2_registration_key', dynamic client registration disabled") | 615 module:log("info", "No 'oauth2_registration_key', dynamic client registration disabled") |
| 616 handle_authorization_request = nil | 616 handle_authorization_request = nil |
| 617 handle_register_request = nil | 617 handle_register_request = nil |
| 618 end | 618 end |
| 619 | 619 |
| 620 local function handle_userinfo_request(event) | |
| 621 local request = event.request; | |
| 622 local credentials = get_request_credentials(request); | |
| 623 if not credentials or not credentials.bearer_token then | |
| 624 return 400; | |
| 625 end | |
| 626 local token_info = tokens.get_token_info(credentials.bearer_token); | |
| 627 if not token_info then | |
| 628 return 403; | |
| 629 end | |
| 630 -- TODO check that they actually have access to the userinfo endpoint, aka | |
| 631 -- the 'openid' scope. Tokens currently contain the JID in plain text so | |
| 632 -- we're not really returning anything they did not know already. | |
| 633 | |
| 634 local user_info = { | |
| 635 iss = get_issuer(); | |
| 636 sub = url.build({ scheme = "xmpp"; path = token_info.jid }); | |
| 637 -- Additional UserInfo fields could be pulled from vcard4, depending on | |
| 638 -- permissions and scopes granted. | |
| 639 } | |
| 640 return { | |
| 641 status_code = 201; | |
| 642 headers = { content_type = "application/json" }; | |
| 643 body = json.encode(user_info); | |
| 644 }; | |
| 645 end | |
| 646 | |
| 620 module:depends("http"); | 647 module:depends("http"); |
| 621 module:provides("http", { | 648 module:provides("http", { |
| 622 route = { | 649 route = { |
| 623 ["POST /token"] = handle_token_grant; | 650 ["POST /token"] = handle_token_grant; |
| 624 ["GET /authorize"] = handle_authorization_request; | 651 ["GET /authorize"] = handle_authorization_request; |
| 625 ["POST /authorize"] = handle_authorization_request; | 652 ["POST /authorize"] = handle_authorization_request; |
| 626 ["POST /revoke"] = handle_revocation_request; | 653 ["POST /revoke"] = handle_revocation_request; |
| 627 ["POST /register"] = handle_register_request; | 654 ["POST /register"] = handle_register_request; |
| 655 ["GET /userinfo"] = handle_userinfo_request; | |
| 628 | 656 |
| 629 -- Optional static content for templates | 657 -- Optional static content for templates |
| 630 ["GET /style.css"] = templates.css and { | 658 ["GET /style.css"] = templates.css and { |
| 631 headers = { | 659 headers = { |
| 632 ["Content-Type"] = "text/css"; | 660 ["Content-Type"] = "text/css"; |
| 665 body = json.encode { | 693 body = json.encode { |
| 666 issuer = get_issuer(); | 694 issuer = get_issuer(); |
| 667 authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil; | 695 authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil; |
| 668 token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil; | 696 token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil; |
| 669 jwks_uri = nil; -- TODO? | 697 jwks_uri = nil; -- TODO? |
| 698 userinfo_endpoint = handle_register_request and module:http_url() .. "/userinfo" or nil; | |
| 670 registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil; | 699 registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil; |
| 671 scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host))) | 700 scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host))) |
| 672 or { "prosody:restricted"; "prosody:user"; "prosody:admin"; "prosody:operator" }; | 701 or { "prosody:restricted"; "prosody:user"; "prosody:admin"; "prosody:operator" }; |
| 673 response_types_supported = array(it.keys(response_type_handlers)); | 702 response_types_supported = array(it.keys(response_type_handlers)); |
| 674 authorization_response_iss_parameter_supported = true; | 703 authorization_response_iss_parameter_supported = true; |