# HG changeset patch # User Kim Alvefur # Date 1678813705 -3600 # Node ID b8b2bf0c1b4b3f540744bcc72210b1f87350077b # Parent dc27b997e969bdc27df726492f89372d3351fe37 mod_http_oauth2: Record details of OAuth client a token is issued to To enable use cases such as revoking all tokens issued to a particular OAuth client in case of security issues, or for informative purposes such as when listing tokens for users. diff -r dc27b997e969 -r b8b2bf0c1b4b mod_http_oauth2/mod_http_oauth2.lua --- a/mod_http_oauth2/mod_http_oauth2.lua Sun Mar 12 17:56:23 2023 +0100 +++ b/mod_http_oauth2/mod_http_oauth2.lua Tue Mar 14 18:08:25 2023 +0100 @@ -133,8 +133,19 @@ }); end -local function new_access_token(token_jid, scope, ttl) - local token = tokens.create_jid_token(token_jid, token_jid, scope, ttl, nil, "oauth2"); +-- client_id / client_metadata are pretty large, filter out a subset of +-- properties that are deemed useful e.g. in case tokens issued to a certain +-- client needs to be revoked +local function client_subset(client) + return { name = client.client_name; uri = client.client_uri }; +end + +local function new_access_token(token_jid, scope, ttl, client) + local token_data; + if client then + token_data = { oauth2_client = client_subset(client) }; + end + local token = tokens.create_jid_token(token_jid, token_jid, scope, ttl, token_data, "oauth2"); return { token_type = "bearer"; access_token = token; @@ -235,7 +246,7 @@ function response_type_handlers.token(client, params, granted_jid) local request_username, request_host = jid.split(granted_jid); local granted_scopes = filter_scopes(request_username, request_host, params.scope); - local token_info = new_access_token(granted_jid, granted_scopes, nil); + local token_info = new_access_token(granted_jid, granted_scopes, nil, client); local redirect = url.parse(get_redirect_uri(client, params.redirect_uri)); token_info.state = params.state; @@ -284,7 +295,7 @@ return oauth_error("invalid_client", "incorrect credentials"); end - return json.encode(new_access_token(code.granted_jid, code.granted_scopes, nil)); + return json.encode(new_access_token(code.granted_jid, code.granted_scopes, nil, client)); end -- Used to issue/verify short-lived tokens for the authorization process below