Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5254:b0ccdd12a70d
mod_http_oauth2: Prepare to handle multiple e.g. non-role scopes
This is to prepare to handle scopes like "openid" that don't map to
roles.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 16 Mar 2023 17:03:48 +0100 |
parents | 85f0c6c1c24f |
children | 001c8fdc91a4 |
comparison
equal
deleted
inserted
replaced
5253:d3b2d42daaee | 5254:b0ccdd12a70d |
---|---|
72 -- Tie it to the host if global | 72 -- Tie it to the host if global |
73 verification_key = hashes.hmac_sha256(registration_key, module.host); | 73 verification_key = hashes.hmac_sha256(registration_key, module.host); |
74 jwt_sign, jwt_verify = jwt.init(registration_algo, registration_key, registration_key, registration_options); | 74 jwt_sign, jwt_verify = jwt.init(registration_algo, registration_key, registration_key, registration_options); |
75 end | 75 end |
76 | 76 |
77 local function parse_scopes(scope_string) | |
78 return array(scope_string:gmatch("%S+")); | |
79 end | |
80 | |
77 local function filter_scopes(username, host, requested_scope_string) | 81 local function filter_scopes(username, host, requested_scope_string) |
78 if host ~= module.host then | 82 if host ~= module.host then |
79 return usermanager.get_jid_role(username.."@"..host, module.host).name; | 83 return usermanager.get_jid_role(username.."@"..host, module.host).name; |
80 end | 84 end |
81 | 85 |
82 if requested_scope_string then -- Specific role requested | 86 local selected_role, granted_scopes = nil, array(); |
83 -- TODO: The requested scope string is technically a space-delimited list | 87 |
84 -- of scopes, but for simplicity we're mapping this slot to role names. | 88 if requested_scope_string then -- Specific role(s) requested |
85 if usermanager.user_can_assume_role(username, module.host, requested_scope_string) then | 89 local requested_scopes = parse_scopes(requested_scope_string); |
86 return requested_scope_string; | 90 for _, scope in ipairs(requested_scopes) do |
87 end | 91 if selected_role == nil and usermanager.user_can_assume_role(username, module.host, scope) then |
88 end | 92 selected_role = scope; |
89 | 93 end |
90 return usermanager.get_user_role(username, module.host).name; | 94 end |
95 end | |
96 | |
97 if not selected_role then | |
98 -- By default use the users' default role | |
99 selected_role = usermanager.get_user_role(username, module.host).name; | |
100 end | |
101 granted_scopes:push(selected_role); | |
102 | |
103 return granted_scopes:concat(" "), selected_role; | |
91 end | 104 end |
92 | 105 |
93 local function code_expires_in(code) --> number, seconds until code expires | 106 local function code_expires_in(code) --> number, seconds until code expires |
94 return os.difftime(code.expires, os.time()); | 107 return os.difftime(code.expires, os.time()); |
95 end | 108 end |
138 -- client needs to be revoked | 151 -- client needs to be revoked |
139 local function client_subset(client) | 152 local function client_subset(client) |
140 return { name = client.client_name; uri = client.client_uri }; | 153 return { name = client.client_name; uri = client.client_uri }; |
141 end | 154 end |
142 | 155 |
143 local function new_access_token(token_jid, scope, ttl, client) | 156 local function new_access_token(token_jid, role, scope, ttl, client) |
144 local token_data; | 157 local token_data = {}; |
145 if client then | 158 if client then |
146 token_data = { oauth2_client = client_subset(client) }; | 159 token_data.oauth2_client = client_subset(client); |
147 end | 160 end |
148 local token = tokens.create_jid_token(token_jid, token_jid, scope, ttl, token_data, "oauth2"); | 161 if next(token_data) == nil then |
162 token_data = nil; | |
163 end | |
164 local token = tokens.create_jid_token(token_jid, token_jid, role, ttl, token_data, "oauth2"); | |
149 return { | 165 return { |
150 token_type = "bearer"; | 166 token_type = "bearer"; |
151 access_token = token; | 167 access_token = token; |
152 expires_in = ttl; | 168 expires_in = ttl; |
153 scope = scope; | 169 scope = scope; |
186 if not usermanager.test_password(request_username, request_host, request_password) then | 202 if not usermanager.test_password(request_username, request_host, request_password) then |
187 return oauth_error("invalid_grant", "incorrect credentials"); | 203 return oauth_error("invalid_grant", "incorrect credentials"); |
188 end | 204 end |
189 | 205 |
190 local granted_jid = jid.join(request_username, request_host, request_resource); | 206 local granted_jid = jid.join(request_username, request_host, request_resource); |
191 local granted_scopes = filter_scopes(request_username, request_host, params.scope); | 207 local granted_scopes, granted_role = filter_scopes(request_username, request_host, params.scope); |
192 return json.encode(new_access_token(granted_jid, granted_scopes, nil)); | 208 return json.encode(new_access_token(granted_jid, granted_role, granted_scopes, nil)); |
193 end | 209 end |
194 | 210 |
195 function response_type_handlers.code(client, params, granted_jid) | 211 function response_type_handlers.code(client, params, granted_jid) |
196 local request_username, request_host = jid.split(granted_jid); | 212 local request_username, request_host = jid.split(granted_jid); |
197 local granted_scopes = filter_scopes(request_username, request_host, params.scope); | 213 local granted_scopes, granted_role = filter_scopes(request_username, request_host, params.scope); |
198 | 214 |
199 local code = id.medium(); | 215 local code = id.medium(); |
200 local ok = codes:set(params.client_id .. "#" .. code, { | 216 local ok = codes:set(params.client_id .. "#" .. code, { |
201 expires = os.time() + 600; | 217 expires = os.time() + 600; |
202 granted_jid = granted_jid; | 218 granted_jid = granted_jid; |
203 granted_scopes = granted_scopes; | 219 granted_scopes = granted_scopes; |
220 granted_role = granted_role; | |
204 }); | 221 }); |
205 if not ok then | 222 if not ok then |
206 return {status_code = 429}; | 223 return {status_code = 429}; |
207 end | 224 end |
208 | 225 |
243 end | 260 end |
244 | 261 |
245 -- Implicit flow | 262 -- Implicit flow |
246 function response_type_handlers.token(client, params, granted_jid) | 263 function response_type_handlers.token(client, params, granted_jid) |
247 local request_username, request_host = jid.split(granted_jid); | 264 local request_username, request_host = jid.split(granted_jid); |
248 local granted_scopes = filter_scopes(request_username, request_host, params.scope); | 265 local granted_scopes, granted_role = filter_scopes(request_username, request_host, params.scope); |
249 local token_info = new_access_token(granted_jid, granted_scopes, nil, client); | 266 local token_info = new_access_token(granted_jid, granted_role, granted_scopes, nil, client); |
250 | 267 |
251 local redirect = url.parse(get_redirect_uri(client, params.redirect_uri)); | 268 local redirect = url.parse(get_redirect_uri(client, params.redirect_uri)); |
252 token_info.state = params.state; | 269 token_info.state = params.state; |
253 redirect.fragment = http.formencode(token_info); | 270 redirect.fragment = http.formencode(token_info); |
254 | 271 |
293 if not code or type(code) ~= "table" or code_expired(code) then | 310 if not code or type(code) ~= "table" or code_expired(code) then |
294 module:log("debug", "authorization_code invalid or expired: %q", code); | 311 module:log("debug", "authorization_code invalid or expired: %q", code); |
295 return oauth_error("invalid_client", "incorrect credentials"); | 312 return oauth_error("invalid_client", "incorrect credentials"); |
296 end | 313 end |
297 | 314 |
298 return json.encode(new_access_token(code.granted_jid, code.granted_scopes, nil, client)); | 315 return json.encode(new_access_token(code.granted_jid, code.granted_role, code.granted_scopes, nil, client)); |
299 end | 316 end |
300 | 317 |
301 -- Used to issue/verify short-lived tokens for the authorization process below | 318 -- Used to issue/verify short-lived tokens for the authorization process below |
302 local new_user_token, verify_user_token = jwt.init("HS256", random.bytes(32), nil, { default_ttl = 600 }); | 319 local new_user_token, verify_user_token = jwt.init("HS256", random.bytes(32), nil, { default_ttl = 600 }); |
303 | 320 |
412 if not request_host or request_host ~= module.host then | 429 if not request_host or request_host ~= module.host then |
413 return oauth_error("invalid_request", "invalid JID"); | 430 return oauth_error("invalid_request", "invalid JID"); |
414 end | 431 end |
415 if request_password == component_secret then | 432 if request_password == component_secret then |
416 local granted_jid = jid.join(request_username, request_host, request_resource); | 433 local granted_jid = jid.join(request_username, request_host, request_resource); |
417 return json.encode(new_access_token(granted_jid, nil, nil)); | 434 return json.encode(new_access_token(granted_jid, nil, nil, nil)); |
418 end | 435 end |
419 return oauth_error("invalid_grant", "incorrect credentials"); | 436 return oauth_error("invalid_grant", "incorrect credentials"); |
420 end | 437 end |
421 | 438 |
422 -- TODO How would this make sense with components? | 439 -- TODO How would this make sense with components? |