Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5199:f48628dc83f1
mod_http_oauth2: Separate client_secret verification key from JWT key
Allows configuring a real JWT key directly in the config, but
the client_secret will be different per host.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 03 Mar 2023 22:48:59 +0100 |
| parents | 2e8a7a0f932d |
| children | afed7d5bd65c |
comparison
equal
deleted
inserted
replaced
| 5198:2e8a7a0f932d | 5199:f48628dc83f1 |
|---|---|
| 17 -- Used to derive client_secret from client_id, set to enable stateless dynamic registration. | 17 -- Used to derive client_secret from client_id, set to enable stateless dynamic registration. |
| 18 local registration_key = module:get_option_string("oauth2_registration_key"); | 18 local registration_key = module:get_option_string("oauth2_registration_key"); |
| 19 local registration_algo = module:get_option_string("oauth2_registration_algorithm", "HS256"); | 19 local registration_algo = module:get_option_string("oauth2_registration_algorithm", "HS256"); |
| 20 local registration_options = module:get_option("oauth2_registration_options", { default_ttl = 60 * 60 * 24 * 90 }); | 20 local registration_options = module:get_option("oauth2_registration_options", { default_ttl = 60 * 60 * 24 * 90 }); |
| 21 | 21 |
| 22 local verification_key; | |
| 22 local jwt_sign, jwt_verify; | 23 local jwt_sign, jwt_verify; |
| 23 if registration_key then | 24 if registration_key then |
| 24 -- Tie it to the host if global | 25 -- Tie it to the host if global |
| 25 registration_key = hashes.hmac_sha256(registration_key, module.host); | 26 verification_key = hashes.hmac_sha256(registration_key, module.host); |
| 26 jwt_sign, jwt_verify = jwt.init(registration_algo, registration_key, registration_key, registration_options); | 27 jwt_sign, jwt_verify = jwt.init(registration_algo, registration_key, registration_key, registration_options); |
| 27 end | 28 end |
| 28 | 29 |
| 29 local function filter_scopes(username, host, requested_scope_string) | 30 local function filter_scopes(username, host, requested_scope_string) |
| 30 if host ~= module.host then | 31 if host ~= module.host then |
| 194 }; | 195 }; |
| 195 } | 196 } |
| 196 end | 197 end |
| 197 | 198 |
| 198 local function make_secret(client_id) --> client_secret | 199 local function make_secret(client_id) --> client_secret |
| 199 return hashes.hmac_sha256(registration_key, client_id, true); | 200 return hashes.hmac_sha256(verification_key, client_id, true); |
| 200 end | 201 end |
| 201 | 202 |
| 202 local function verify_secret(client_id, client_secret) | 203 local function verify_secret(client_id, client_secret) |
| 203 return hashes.equals(make_secret(client_id), client_secret); | 204 return hashes.equals(make_secret(client_id), client_secret); |
| 204 end | 205 end |