comparison mod_http_oauth2/mod_http_oauth2.lua @ 5228:77cd01af06a9

mod_http_oauth2: Implement the OpenID userinfo endpoint. Needed for OIDC.
author Kim Alvefur <zash@zash.se>
date Thu, 09 Mar 2023 14:46:06 +0100
parents 3439eb37f23b
children c24a622a7b85
5227:0dcd956d7bc5 5228:77cd01af06a9
615 module:log("info", "No 'oauth2_registration_key', dynamic client registration disabled") 615 module:log("info", "No 'oauth2_registration_key', dynamic client registration disabled")
616 handle_authorization_request = nil 616 handle_authorization_request = nil
617 handle_register_request = nil 617 handle_register_request = nil
618 end 618 end
619 619
620 local function handle_userinfo_request(event)
621 local request = event.request;
622 local credentials = get_request_credentials(request);
623 if not credentials or not credentials.bearer_token then
624 return 400;
625 end
626 local token_info = tokens.get_token_info(credentials.bearer_token);
627 if not token_info then
628 return 403;
629 end
630 -- TODO check that they actually have access to the userinfo endpoint, aka
631 -- the 'openid' scope. Tokens currently contain the JID in plain text so
632 -- we're not really returning anything they did not know already.
633
634 local user_info = {
635 iss = get_issuer();
636 sub = url.build({ scheme = "xmpp"; path = token_info.jid });
637 -- Additional UserInfo fields could be pulled from vcard4, depending on
638 -- permissions and scopes granted.
639 }
640 return {
641 status_code = 201;
642 headers = { content_type = "application/json" };
643 body = json.encode(user_info);
644 };
645 end
646
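Review bot: handle_userinfo_request answers a successful GET with `status_code = 201;`, but nothing is created by this request, so the response should be `status_code = 200;`. The failure paths also use the wrong codes for a bearer-protected resource: a missing token should be a 401 carrying a `WWW-Authenticate: Bearer` header and an unknown or expired token a 401 with `error="invalid_token"`, where the hunk returns 400 and 403. Until the scope check described in the TODO comment exists, any valid access token, whatever scope it was granted, can reach this endpoint, so the `openid` scope test should land with the endpoint rather than with future vcard4 claims. The route table in the next hunk registers only `["GET /userinfo"]`, while OpenID Connect requires the endpoint to accept POST as well, so `["POST /userinfo"] = handle_userinfo_request;` belongs next to it. In the discovery document further down in this commit, `userinfo_endpoint` is gated on `handle_register_request`, which looks like a copy of the registration line beneath it and should test `handle_userinfo_request` instead.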
620 module:depends("http"); 647 module:depends("http");
621 module:provides("http", { 648 module:provides("http", {
622 route = { 649 route = {
623 ["POST /token"] = handle_token_grant; 650 ["POST /token"] = handle_token_grant;
624 ["GET /authorize"] = handle_authorization_request; 651 ["GET /authorize"] = handle_authorization_request;
625 ["POST /authorize"] = handle_authorization_request; 652 ["POST /authorize"] = handle_authorization_request;
626 ["POST /revoke"] = handle_revocation_request; 653 ["POST /revoke"] = handle_revocation_request;
627 ["POST /register"] = handle_register_request; 654 ["POST /register"] = handle_register_request;
655 ["GET /userinfo"] = handle_userinfo_request;
628 656
629 -- Optional static content for templates 657 -- Optional static content for templates
630 ["GET /style.css"] = templates.css and { 658 ["GET /style.css"] = templates.css and {
631 headers = { 659 headers = {
632 ["Content-Type"] = "text/css"; 660 ["Content-Type"] = "text/css";
665 body = json.encode { 693 body = json.encode {
666 issuer = get_issuer(); 694 issuer = get_issuer();
667 authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil; 695 authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil;
668 token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil; 696 token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil;
669 jwks_uri = nil; -- TODO? 697 jwks_uri = nil; -- TODO?
698 userinfo_endpoint = handle_register_request and module:http_url() .. "/userinfo" or nil;
670 registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil; 699 registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil;
671 scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host))) 700 scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host)))
672 or { "prosody:restricted"; "prosody:user"; "prosody:admin"; "prosody:operator" }; 701 or { "prosody:restricted"; "prosody:user"; "prosody:admin"; "prosody:operator" };
673 response_types_supported = array(it.keys(response_type_handlers)); 702 response_types_supported = array(it.keys(response_type_handlers));
674 authorization_response_iss_parameter_supported = true; 703 authorization_response_iss_parameter_supported = true;