comparison mod_http_oauth2/mod_http_oauth2.lua @ 5424:b45d9a81b3da
mod_http_oauth2: Revert role selector, going to try something else
Back out f2c7bb3af600
Allowing only a single role to be encoded into the grant takes away the
possibility of having multiple roles in the grant, one of which is
selected when issuing an access token. It also takes away the ability to
have zero roles granted, which could be useful e.g. when you only need
OIDC scopes.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 07 May 2023 19:40:57 +0200 |
parents | 5b2352dda31f |
children | 3b30635d215c |
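--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -483,11 +483,11 @@
 error = user == "token-expired" and "Session expired - try again" or nil;
 };
 end
 
 local scope = array():append(form):filter(function(field)
-return field.name == "scope" or field.name == "role";
+return field.name == "scope";
 end):pluck("value"):concat(" ");
 
 user.token = form.user_token;
 return {
 user = user;
@@ -660,24 +660,11 @@
 if not auth_state.user then
 -- Render login page
 return render_page(templates.login, { state = auth_state, client = client });
 elseif auth_state.consent == nil then
 -- Render consent page
-local scopes, requested_roles = split_scopes(parse_scopes(params.scope or ""));
-local default_role = select_role(auth_state.user.username, requested_roles);
-local roles = array(it.values(usermanager.get_all_roles(module.host))):filter(function(role)
-return can_assume_role(auth_state.user.username, role.name);
-end):sort(function(a, b)
-return (a.priority or 0) < (b.priority or 0)
-end):map(function(role)
-return { name = role.name; selected = role.name == default_role };
-end);
-if not roles[2] then
--- Only one role to choose from, might as well skip the selector
-roles = nil;
-end
-return render_page(templates.consent, { state = auth_state; client = client; scopes = scopes; roles = roles }, true);
+return render_page(templates.consent, { state = auth_state; client = client; scopes = parse_scopes(params.scope or "") }, true);
 elseif not auth_state.consent then
 -- Notify client of rejection
 return error_response(request, oauth_error("access_denied"));
 end
 -- else auth_state.consent == true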
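Review bot: The new consent branch hands `parse_scopes(params.scope or "")` straight to the template, so the consent page now lists every scope the client requested, role scopes included, without the `can_assume_role` filter the removed lines applied to the role list; unless the token-issuance path (outside this hunk) still checks the granted roles against the user, a role the user cannot assume could be presented as grantable. The same applies to the first hunk, where `scope` is rebuilt from the submitted `scope` form fields rather than from the original request, so the grant must be validated again when the token is issued. A comment on the new `render_page` line such as `-- Role scopes are shown unfiltered here; the issuer must verify can_assume_role before encoding any role into the grant` would record that assumption for whoever implements the follow-up the commit message announces. The enclosing handler starts and ends outside the hunk.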