Mercurial > prosody-modules

view mod_auth_oauth_external/mod_auth_oauth_external.lua @ 5418:f2c7bb3af600

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_http_oauth2: Add role selector to consent page List includes all roles available to the user, if more than one. Defaults to either the first role in the scope string or the users primary role. Earlier draft listed all roles, but having options that can't be selected is bad UX and the entire list of all roles on the server could be long, and perhaps even sensitive. Allows e.g. picking a role with fewer permissions than what might otherwise have been selected. UX wise, doing this with more checkboxes or possibly radio buttons would have been confusion and/or looked messier. Fixes the previous situation where unselecting a role would default to the primary role, which could be more permissions than requested.
author Kim Alvefur <zash@zash.se>
date Fri, 05 May 2023 01:23:13 +0200
parents d9bc8712a745
children b40299bbdf14
line wrap: on
line source

local http = require "net.http";
local async = require "util.async";
local json = require "util.json";
local sasl = require "util.sasl";

local issuer_identity = module:get_option_string("oauth_external_issuer");
local oidc_discovery_url = module:get_option_string("oauth_external_discovery_url",
	issuer_identity and issuer_identity .. "/.well-known/oauth-authorization-server" or nil);
local validation_endpoint = module:get_option_string("oauth_external_validation_endpoint");
local token_endpoint = module:get_option_string("oauth_external_token_endpoint");

local username_field = module:get_option_string("oauth_external_username_field", "preferred_username");
local allow_plain = module:get_option_boolean("oauth_external_resource_owner_password", true);

-- XXX Hold up, does whatever done here even need any of these things? Are we
-- the OAuth client? Is the XMPP client the OAuth client? What are we???
local client_id = module:get_option_string("oauth_external_client_id");
-- TODO -- local client_secret = module:get_option_string("oauth_external_client_secret");

--[[ More or less required endpoints
digraph "oauth endpoints" {
issuer -> discovery -> { registration validation }
registration -> { client_id client_secret }
{ client_id client_secret validation } -> required
}
--]]

local host = module.host;
local provider = {};

function provider.get_sasl_handler()
	local profile = {};
	profile.http_client = http.default; -- TODO configurable
	local extra = { oidc_discovery_url = oidc_discovery_url };
	if token_endpoint and allow_plain then
		local map_username = function (username, _realm) return username; end; --jid.join; -- TODO configurable
		function profile:plain_test(username, password, realm)
			local tok, err = async.wait_for(self.profile.http_client:request(token_endpoint, {
				headers = { ["Content-Type"] = "application/x-www-form-urlencoded; charset=utf-8"; ["Accept"] = "application/json" };
				body = http.formencode({
					grant_type = "password";
					client_id = client_id;
					username = map_username(username, realm);
					password = password;
					scope = "openid";
				});
			}))
			if err or not (tok.code >= 200 and tok.code < 300) then
				return false, nil;
			end
			local token_resp = json.decode(tok.body);
			if not token_resp or string.lower(token_resp.token_type or "") ~= "bearer" then
				return false, nil;
			end
			local ret, err = async.wait_for(self.profile.http_client:request(validation_endpoint,
				{ headers = { ["Authorization"] = "Bearer " .. token_resp.access_token; ["Accept"] = "application/json" } }));
			if err then
				return false, nil;
			end
			if not (ret.code >= 200 and ret.code < 300) then
				return false, nil;
			end
			local response = json.decode(ret.body);
			if type(response) ~= "table" or (response[username_field]) ~= username then
				return false, nil, nil;
			end
			if response.jid then
				self.username, self.realm, self.resource = jid.prepped_split(response.jid, true);
			end
			self.role = response.role;
			self.token_info = response;
			return true, true;
		end
	end
	function profile:oauthbearer(token)
		if token == "" then
			return false, nil, extra;
		end

		local ret, err = async.wait_for(self.profile.http_client:request(validation_endpoint,
			{ headers = { ["Authorization"] = "Bearer " .. token; ["Accept"] = "application/json" } }));
		if err then
			return false, nil, extra;
		end
		local response = ret and json.decode(ret.body);
		if not (ret.code >= 200 and ret.code < 300) then
			return false, nil, response or extra;
		end
		if type(response) ~= "table" or type(response[username_field]) ~= "string" then
			return false, nil, nil;
		end

		return response[username_field], true, response;
	end
	return sasl.new(host, profile);
end

module:provides("auth", provider);