diff mod_http_oauth2/mod_http_oauth2.lua @ 5467:1c78a97a1091

mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role This will be the first step towards defining a standard set of XMPP scopes. "xmpp" behaves as an alias for the user's default role, so that the client does not need to know about the various prosody:* roles.
author Kim Alvefur <zash@zash.se>
date Wed, 17 May 2023 19:40:27 +0200
parents 398d936e77fb
children 14b5446e22e1
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Wed May 17 18:49:22 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Wed May 17 19:40:27 2023 +0200
@@ -102,7 +102,7 @@
 	return array(scope_string:gmatch("%S+"));
 end
 
-local openid_claims = set.new({ "openid", "profile"; "email"; "address"; "phone" });
+local openid_claims = set.new({ "openid"; "profile"; "email"; "address"; "phone" });
 
 -- array -> array, array, array
 local function split_scopes(scope_list)
@@ -111,7 +111,7 @@
 	for _, scope in ipairs(scope_list) do
 		if openid_claims:contains(scope) then
 			claims:push(scope);
-		elseif all_roles[scope] then
+		elseif scope == "xmpp" or all_roles[scope] then
 			roles:push(scope);
 		else
 			unknown:push(scope);
@@ -121,7 +121,7 @@
 end
 
 local function can_assume_role(username, requested_role)
-	return usermanager.user_can_assume_role(username, module.host, requested_role);
+	return requested_role == "xmpp" or usermanager.user_can_assume_role(username, module.host, requested_role);
 end
 
 -- function (string) : function(string) : boolean
@@ -223,6 +223,12 @@
 		refresh_token = refresh_token_info.token;
 	end
 
+	if role == "xmpp" then
+		-- Special scope meaning the users default role.
+		local user_default_role = usermanager.get_user_role(jid.node(token_jid), module.host);
+		role = user_default_role and user_default_role.name;
+	end
+
 	local access_token, access_token_info = tokens.create_token(token_jid, grant.id, role, default_access_ttl, "oauth2");
 
 	local expires_at = access_token_info.expires;
@@ -1080,7 +1086,8 @@
 				authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil;
 				token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil;
 				registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil;
-				scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host))):append(array(openid_claims:items()));
+				scopes_supported = usermanager.get_all_roles
+					and array(it.keys(usermanager.get_all_roles(module.host))):push("xmpp"):append(array(openid_claims:items()));
 				response_types_supported = array(it.keys(response_type_handlers));
 				token_endpoint_auth_methods_supported = array({ "client_secret_post"; "client_secret_basic" });
 				op_policy_uri = module:get_option_string("oauth2_policy_url", nil);