Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5375:8b7d97f0ae8a
mod_http_oauth2: Fix to include "openid" scope in discovery metadata
The "openid" scope was left out of openid_claims since it is treated
differently from the other scopes.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Wed, 26 Apr 2023 23:41:49 +0200 |
| parents | 93d445b26063 |
| children | ca477408f90b |
comparison
equal
deleted
inserted
replaced
| 5374:d9397d6a5513 | 5375:8b7d97f0ae8a |
|---|---|
| 79 | 79 |
| 80 local function parse_scopes(scope_string) | 80 local function parse_scopes(scope_string) |
| 81 return array(scope_string:gmatch("%S+")); | 81 return array(scope_string:gmatch("%S+")); |
| 82 end | 82 end |
| 83 | 83 |
| 84 local openid_claims = set.new({ "profile"; "email"; "address"; "phone" }); | 84 local openid_claims = set.new({ "openid", "profile"; "email"; "address"; "phone" }); |
| 85 | 85 |
| 86 local function filter_scopes(username, requested_scope_string) | 86 local function filter_scopes(username, requested_scope_string) |
| 87 local selected_role, granted_scopes = nil, array(); | 87 local selected_role, granted_scopes = nil, array(); |
| 88 | 88 |
| 89 if requested_scope_string then -- Specific role(s) requested | 89 if requested_scope_string then -- Specific role(s) requested |
| 90 local requested_scopes = parse_scopes(requested_scope_string); | 90 local requested_scopes = parse_scopes(requested_scope_string); |
| 91 for _, scope in ipairs(requested_scopes) do | 91 for _, scope in ipairs(requested_scopes) do |
| 92 if scope == "openid" or openid_claims:contains(scope) then | 92 if openid_claims:contains(scope) then |
| 93 granted_scopes:push(scope); | 93 granted_scopes:push(scope); |
| 94 end | 94 end |
| 95 if selected_role == nil and usermanager.user_can_assume_role(username, module.host, scope) then | 95 if selected_role == nil and usermanager.user_can_assume_role(username, module.host, scope) then |
| 96 selected_role = scope; | 96 selected_role = scope; |
| 97 end | 97 end |
| 806 iss = get_issuer(); | 806 iss = get_issuer(); |
| 807 sub = url.build({ scheme = "xmpp"; path = token_info.jid }); | 807 sub = url.build({ scheme = "xmpp"; path = token_info.jid }); |
| 808 } | 808 } |
| 809 | 809 |
| 810 local token_claims = set.intersection(openid_claims, scopes); | 810 local token_claims = set.intersection(openid_claims, scopes); |
| 811 token_claims:remove("openid"); -- that's "iss" and "sub" above | |
| 811 if not token_claims:empty() then | 812 if not token_claims:empty() then |
| 812 -- Another module can do that | 813 -- Another module can do that |
| 813 module:fire_event("token/userinfo", { | 814 module:fire_event("token/userinfo", { |
| 814 token = token_info; | 815 token = token_info; |
| 815 claims = token_claims; | 816 claims = token_claims; |