comparison mod_http_oauth2/mod_http_oauth2.lua @ 5448:9d542e86e19a

mod_http_oauth2: Allow requesting a subset of scopes on token refresh This enables clients to request access tokens with fewer permissions than the grant they were given, reducing the impact of a leaked access token. Clients could e.g. request access tokens with only the privileges needed for an operation and immediately revoke them after use, or follow other strategies.
author Kim Alvefur <zash@zash.se>
date Thu, 11 May 2023 21:40:09 +0200
parents aa4828f040c5
children 9c19a6b8e542
5447:aa4828f040c5 5448:9d542e86e19a
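--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -409,18 +409,26 @@
 	if not refresh_token_info or refresh_token_info.purpose ~= "oauth2-refresh" then
 		return oauth_error("invalid_grant", "invalid refresh token");
 	end
 
 	local refresh_scopes = refresh_token_info.grant.data.oauth2_scopes;
+
+	if params.scope then
+		local granted_scopes = set.new(parse_scopes(refresh_scopes));
+		local requested_scopes = parse_scopes(params.scope);
+		refresh_scopes = array.filter(requested_scopes, function(scope)
+			return granted_scopes:contains(scope);
+		end):concat(" ");
+	end
+
+	local username = jid.split(refresh_token_info.jid);
 	local new_scopes, role = filter_scopes(username, refresh_scopes);
 
 	-- new_access_token() requires the actual token
 	refresh_token_info.token = params.refresh_token;
 
-	return json.encode(new_access_token(
-		refresh_token_info.jid, role, new_scopes, client, nil, refresh_token_info
-	));
+	return json.encode(new_access_token(refresh_token_info.jid, role, new_scopes, client, nil, refresh_token_info));
 end
 
 -- RFC 7636 Proof Key for Code Exchange by OAuth Public Clients
 
 function verifier_transforms.plain(code_verifier)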
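Review bot: The new `if params.scope then` branch silently drops any requested scope that is not in the original grant, so a client asking for more than it was granted gets a narrower token with no error; RFC 6749 §6 says the requested scope MUST NOT exceed the original grant and §5.2 defines `invalid_scope` for exactly that case ("exceeds the scope granted by the resource owner"), and `oauth_error` is already used a few lines above for the invalid-token case. The same filter can also yield an empty string when none of the requested scopes were granted, which then flows into `filter_scopes(username, "")`, whose behaviour on an empty scope string is not visible in this hunk — presumably a token with no scopes, but worth confirming. I would reject both cases explicitly rather than narrowing silently, keeping the existing `array.filter`/`set` approach so the intersection is still computed the same way; the enclosing handler starts before this hunk. Note the refresh token's own grant data is not modified here, so the downscoping correctly applies only to the issued access token.
```lua
	if params.scope then
		local granted_scopes = set.new(parse_scopes(refresh_scopes));
		local requested_scopes = parse_scopes(params.scope);
		local allowed_scopes = array.filter(requested_scopes, function(scope)
			return granted_scopes:contains(scope);
		end);
		-- RFC 6749 §6: requested scope must not exceed the original grant,
		-- and an empty intersection must not yield a scope-less token
		if #allowed_scopes ~= #requested_scopes or #allowed_scopes == 0 then
			return oauth_error("invalid_scope", "requested scope exceeds the original grant");
		end
		refresh_scopes = allowed_scopes:concat(" ");
	end
	-- … unchanged: filter_scopes / new_access_token …
```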