comparison mod_http_oauth2/mod_http_oauth2.lua @ 5228:77cd01af06a9
mod_http_oauth2: Implement the OpenID userinfo endpoint
Needed for OIDC
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 09 Mar 2023 14:46:06 +0100 |
parents | 3439eb37f23b |
children | c24a622a7b85 |
5227:0dcd956d7bc5 | 5228:77cd01af06a9 |
---|---|
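--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -615,18 +615,46 @@
 module:log("info", "No 'oauth2_registration_key', dynamic client registration disabled")
 handle_authorization_request = nil
 handle_register_request = nil
 end
 
+local function handle_userinfo_request(event)
+local request = event.request;
+local credentials = get_request_credentials(request);
+if not credentials or not credentials.bearer_token then
+return 400;
+end
+local token_info = tokens.get_token_info(credentials.bearer_token);
+if not token_info then
+return 403;
+end
+-- TODO check that they actually have access to the userinfo endpoint, aka
+-- the 'openid' scope. Tokens currently contain the JID in plain text so
+-- we're not really returning anything they did not know already.
+
+local user_info = {
+iss = get_issuer();
+sub = url.build({ scheme = "xmpp"; path = token_info.jid });
+-- Additional UserInfo fields could be pulled from vcard4, depending on
+-- permissions and scopes granted.
+}
+return {
+status_code = 201;
+headers = { content_type = "application/json" };
+body = json.encode(user_info);
+};
+end
+
 module:depends("http");
 module:provides("http", {
 route = {
 ["POST /token"] = handle_token_grant;
 ["GET /authorize"] = handle_authorization_request;
 ["POST /authorize"] = handle_authorization_request;
 ["POST /revoke"] = handle_revocation_request;
 ["POST /register"] = handle_register_request;
+["GET /userinfo"] = handle_userinfo_request;
 
 -- Optional static content for templates
 ["GET /style.css"] = templates.css and {
 headers = {
 ["Content-Type"] = "text/css";
@@ -665,10 +693,11 @@
 body = json.encode {
 issuer = get_issuer();
 authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil;
 token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil;
 jwks_uri = nil; -- TODO?
+userinfo_endpoint = handle_register_request and module:http_url() .. "/userinfo" or nil;
 registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil;
 scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host)))
 or { "prosody:restricted"; "prosody:user"; "prosody:admin"; "prosody:operator" };
 response_types_supported = array(it.keys(response_type_handlers));
 authorization_response_iss_parameter_supported = true;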
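Review bot: The discovery metadata at new line 698 gates `userinfo_endpoint` on `handle_register_request` instead of on the handler it advertises, so the endpoint vanishes from the metadata whenever dynamic client registration is disabled (line 617 sets that handler to nil) even though the `GET /userinfo` route at line 655 is still served; it should read `userinfo_endpoint = handle_userinfo_request and module:http_url() .. "/userinfo" or nil;`. In the handler itself, new line 641 returns `status_code = 201` for a read-only GET; an OpenID UserInfo response is a plain 200, so `status_code = 200;`. The bearer-token failures at lines 624 and 628 answer 400 and 403, whereas RFC 6750 expects 401 with a `WWW-Authenticate: Bearer` header (with `error="invalid_token"` for a rejected token) so clients can tell "re-authenticate" apart from "forbidden". The TODO at line 630 is worth resolving before more claims are added, since as written any valid token reaches this endpoint regardless of whether the `openid` scope was granted.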