# HG changeset patch # User Kim Alvefur # Date 1678982795 -3600 # Node ID 001c8fdc91a4222cfd78fbc8fa04628f91d24225 # Parent b0ccdd12a70d8de3a6f453fe568feadb3870f31e mod_http_oauth2: Add support for the "openid" scope This "openid" scope is there to signal access to the userinfo endpoint, which is needed for OIDC support. We don't actually check this later because the userinfo endpoint only returns info embedded in the token itself, but in the future we may want to check this more carefully. diff -r b0ccdd12a70d -r 001c8fdc91a4 mod_http_oauth2/mod_http_oauth2.lua --- a/mod_http_oauth2/mod_http_oauth2.lua Thu Mar 16 17:03:48 2023 +0100 +++ b/mod_http_oauth2/mod_http_oauth2.lua Thu Mar 16 17:06:35 2023 +0100 @@ -88,6 +88,9 @@ if requested_scope_string then -- Specific role(s) requested local requested_scopes = parse_scopes(requested_scope_string); for _, scope in ipairs(requested_scopes) do + if scope == "openid" then + granted_scopes:push(scope); + end if selected_role == nil and usermanager.user_can_assume_role(username, module.host, scope) then selected_role = scope; end @@ -772,8 +775,8 @@ jwks_uri = nil; -- TODO? userinfo_endpoint = handle_register_request and module:http_url() .. "/userinfo" or nil; registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil; - scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host))) - or { "prosody:restricted"; "prosody:user"; "prosody:admin"; "prosody:operator" }; + scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host))):push("openid") + or { "prosody:restricted"; "prosody:user"; "prosody:admin"; "prosody:operator"; "openid" }; response_types_supported = array(it.keys(response_type_handlers)); authorization_response_iss_parameter_supported = true; };