Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5448:9d542e86e19a
mod_http_oauth2: Allow requesting a subset of scopes on token refresh
This enables clients to request access tokens with fewer permissions
than the grant they were given, reducing impact of token leak. Clients
could e.g. request access tokens with some privileges and immediately
revoke them after use, or other strategies.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 11 May 2023 21:40:09 +0200 |
| parents | aa4828f040c5 |
| children | 9c19a6b8e542 |
comparison
equal
deleted
inserted
replaced
| 5447:aa4828f040c5 | 5448:9d542e86e19a |
|---|---|
| 409 if not refresh_token_info or refresh_token_info.purpose ~= "oauth2-refresh" then | 409 if not refresh_token_info or refresh_token_info.purpose ~= "oauth2-refresh" then |
| 410 return oauth_error("invalid_grant", "invalid refresh token"); | 410 return oauth_error("invalid_grant", "invalid refresh token"); |
| 411 end | 411 end |
| 412 | 412 |
| 413 local refresh_scopes = refresh_token_info.grant.data.oauth2_scopes; | 413 local refresh_scopes = refresh_token_info.grant.data.oauth2_scopes; |
| 414 | |
| 415 if params.scope then | |
| 416 local granted_scopes = set.new(parse_scopes(refresh_scopes)); | |
| 417 local requested_scopes = parse_scopes(params.scope); | |
| 418 refresh_scopes = array.filter(requested_scopes, function(scope) | |
| 419 return granted_scopes:contains(scope); | |
| 420 end):concat(" "); | |
| 421 end | |
| 422 | |
| 423 local username = jid.split(refresh_token_info.jid); | |
| 414 local new_scopes, role = filter_scopes(username, refresh_scopes); | 424 local new_scopes, role = filter_scopes(username, refresh_scopes); |
| 415 | 425 |
| 416 -- new_access_token() requires the actual token | 426 -- new_access_token() requires the actual token |
| 417 refresh_token_info.token = params.refresh_token; | 427 refresh_token_info.token = params.refresh_token; |
| 418 | 428 |
| 419 return json.encode(new_access_token( | 429 return json.encode(new_access_token(refresh_token_info.jid, role, new_scopes, client, nil, refresh_token_info)); |
| 420 refresh_token_info.jid, role, new_scopes, client, nil, refresh_token_info | |
| 421 )); | |
| 422 end | 430 end |
| 423 | 431 |
| 424 -- RFC 7636 Proof Key for Code Exchange by OAuth Public Clients | 432 -- RFC 7636 Proof Key for Code Exchange by OAuth Public Clients |
| 425 | 433 |
| 426 function verifier_transforms.plain(code_verifier) | 434 function verifier_transforms.plain(code_verifier) |