diff mod_http_oauth2/mod_http_oauth2.lua @ 5375:8b7d97f0ae8a

mod_http_oauth2: Fix to include "openid" scope in discovery metadata. The "openid" scope was left out of openid_claims since it is treated differently from the other scopes.
author Kim Alvefur <zash@zash.se>
date Wed, 26 Apr 2023 23:41:49 +0200
parents 93d445b26063
children ca477408f90b
--- a/mod_http_oauth2/mod_http_oauth2.lua	Wed Apr 26 12:42:09 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Wed Apr 26 23:41:49 2023 +0200
@@ -81,7 +81,7 @@
 	return array(scope_string:gmatch("%S+"));
 end
 
-local openid_claims = set.new({ "profile"; "email"; "address"; "phone" });
+local openid_claims = set.new({ "openid", "profile"; "email"; "address"; "phone" });
 
 local function filter_scopes(username, requested_scope_string)
 	local selected_role, granted_scopes = nil, array();
@@ -89,7 +89,7 @@
 	if requested_scope_string then -- Specific role(s) requested
 		local requested_scopes = parse_scopes(requested_scope_string);
 		for _, scope in ipairs(requested_scopes) do
-			if scope == "openid" or openid_claims:contains(scope) then
+			if openid_claims:contains(scope) then
 				granted_scopes:push(scope);
 			end
 			if selected_role == nil and usermanager.user_can_assume_role(username, module.host, scope) then
@@ -808,6 +808,7 @@
 	}
 
 	local token_claims = set.intersection(openid_claims, scopes);
+	token_claims:remove("openid"); -- that's "iss" and "sub" above
 	if not token_claims:empty() then
 		-- Another module can do that
 		module:fire_event("token/userinfo", {
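Review bot: The comment on the added `token_claims:remove("openid")` line is too terse to explain why the removal is needed, and its "above" points at code outside this hunk. Suggest `-- "openid" is kept in openid_claims only so it survives scope filtering; the "iss"/"sub" it implies are already set above, so drop it before asking other modules for claims` as the replacement comment. Removing the entry from the intersection result rather than from openid_claims itself is the right choice as long as set.intersection returns a fresh set (as its use here suggests; worth confirming against util.set), otherwise the shared set would lose "openid" after the first call. The enclosing function starts outside the hunk.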