comparison mod_http_oauth2/mod_http_oauth2.lua @ 5280:eb482defd9b0

mod_http_oauth2: Update to use new API of Prosody mod_tokenauth @ 601d9a375b86
author Matthew Wild <mwild1@gmail.com>
date Mon, 27 Mar 2023 18:51:12 +0100
parents 2b858cccac8f
children 53c6f49dcbb8
163 if next(token_data) == nil then 163 if next(token_data) == nil then
164 token_data = nil; 164 token_data = nil;
165 end 165 end
166 166
167 local refresh_token; 167 local refresh_token;
168 local access_token, access_token_info 168 local grant = refresh_token_info and refresh_token_info.grant;
169 -- No existing refresh token, and we're issuing a time-limited access token? 169 if not grant then
170 -- Create a refresh token (unless refresh_token_info == false) 170 -- No existing grant, create one
171 if refresh_token_info == false or not default_access_ttl then 171 grant = tokens.create_grant(token_jid, token_jid, default_refresh_ttl, token_data);
172 -- Caller does not want a refresh token, or access tokens are not configured to expire 172 -- Create refresh token for the grant if desired
173 -- So, just create a standalone access token 173 refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant, nil, nil, "oauth2-refresh");
174 access_token, access_token_info = tokens.create_jid_token(token_jid, token_jid, role, default_access_ttl, token_data, "oauth2");
175 else 174 else
176 -- We're issuing both a refresh and an access token 175 -- Grant exists, reuse existing refresh token
177 if not refresh_token_info then 176 refresh_token = refresh_token_info.token;
178 refresh_token, refresh_token_info = tokens.create_jid_token(token_jid, token_jid, role, default_refresh_ttl, token_data, "oauth2-refresh"); 177 end
179 else 178
180 refresh_token = refresh_token_info.token; 179 local access_token, access_token_info = tokens.create_token(token_jid, grant, role, default_access_ttl, "oauth2");
181 end 180
182 access_token, access_token_info = tokens.create_sub_token(token_jid, refresh_token_info.id, role, default_access_ttl, token_data, "oauth2");
183 end
184 local expires_at = access_token_info.expires; 181 local expires_at = access_token_info.expires;
185 return { 182 return {
186 token_type = "bearer"; 183 token_type = "bearer";
187 access_token = access_token; 184 access_token = access_token;
188 expires_in = expires_at and (expires_at - os.time()) or nil; 185 expires_in = expires_at and (expires_at - os.time()) or nil;
189 scope = scope_string; 186 scope = scope_string;
190 id_token = id_token; 187 id_token = id_token;
191 refresh_token = refresh_token; 188 refresh_token = refresh_token or nil;
192 }; 189 };
193 end 190 end
194 191
195 local function get_redirect_uri(client, query_redirect_uri) -- record client, string : string 192 local function get_redirect_uri(client, query_redirect_uri) -- record client, string : string
196 if not query_redirect_uri then 193 if not query_redirect_uri then
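Review bot: The results of `tokens.create_grant` on line 171 and `tokens.create_token` on lines 173 and 179 are used without a nil check, so if the new mod_tokenauth API can return nil (or nil, err) on failure, `access_token_info.expires` on line 181 indexes nil and the request fails with a runtime error inside the handler instead of a clean error response; a guard after each call, e.g. `if not grant then return nil, "failed to create grant"; end`, with the caller handling the error return, would close that. The old comment explaining the `refresh_token_info == false` sentinel was dropped; a comment above line 173 such as `-- refresh_token_info == false: caller declined a refresh token; nil: none exists yet` would keep that contract visible. The refresh token on line 173 is created with a nil role and nil TTL, presumably inheriting the grant's `default_refresh_ttl` — worth confirming its lifetime is actually bounded by the grant rather than open-ended. new_access_token begins above this hunk.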
364 end 361 end
365 362
366 -- new_access_token() requires the actual token 363 -- new_access_token() requires the actual token
367 refresh_token_info.token = params.refresh_token; 364 refresh_token_info.token = params.refresh_token;
368 365
369 return json.encode(new_access_token(token_info.jid, token_info.role, token_info.data.oauth2_scopes, client, nil, token_info)); 366 return json.encode(new_access_token(
367 refresh_token_info.jid, refresh_token_info.role, refresh_token_info.data.oauth2_scopes, client, nil, refresh_token_info
368 ));
370 end 369 end
371 370
372 -- Used to issue/verify short-lived tokens for the authorization process below 371 -- Used to issue/verify short-lived tokens for the authorization process below
373 local new_user_token, verify_user_token = jwt.init("HS256", random.bytes(32), nil, { default_ttl = 600 }); 372 local new_user_token, verify_user_token = jwt.init("HS256", random.bytes(32), nil, { default_ttl = 600 });
374 373
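Review bot: Line 367 reads the scopes from `refresh_token_info.data.oauth2_scopes` and the role from `refresh_token_info.role`, but under the new API the refresh token is created in new_access_token with `tokens.create_token(token_jid, grant, nil, nil, "oauth2-refresh")` — no role, and `token_data` attached to the grant rather than the token. If the token record does not carry those fields, `refresh_token_info.data` is nil here (raising on `.oauth2_scopes`) and the role handed to the new access token is nil, which risks issuing a token whose role differs from the one originally authorized. Worth confirming where data and role live after the change — presumably `refresh_token_info.grant.data` — and resolving the role from the grant explicitly rather than relying on a nil default. The enclosing refresh handler starts above this hunk.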