Mercurial > prosody-modules
changeset 5255:001c8fdc91a4
mod_http_oauth2: Add support for the "openid" scope
This "openid" scope is there to signal access to the userinfo endpoint,
which is needed for OIDC support.
We don't actually check this later because the userinfo endpoint only
returns info embedded in the token itself, but in the future we may want
to check this more carefully.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 16 Mar 2023 17:06:35 +0100 |
| parents | b0ccdd12a70d |
| children | 44f7edd4f845 |
| files | mod_http_oauth2/mod_http_oauth2.lua |
| diffstat | 1 files changed, 5 insertions(+), 2 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Thu Mar 16 17:03:48 2023 +0100 +++ b/mod_http_oauth2/mod_http_oauth2.lua Thu Mar 16 17:06:35 2023 +0100 @@ -88,6 +88,9 @@ if requested_scope_string then -- Specific role(s) requested local requested_scopes = parse_scopes(requested_scope_string); for _, scope in ipairs(requested_scopes) do + if scope == "openid" then + granted_scopes:push(scope); + end if selected_role == nil and usermanager.user_can_assume_role(username, module.host, scope) then selected_role = scope; end @@ -772,8 +775,8 @@ jwks_uri = nil; -- TODO? userinfo_endpoint = handle_register_request and module:http_url() .. "/userinfo" or nil; registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil; - scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host))) - or { "prosody:restricted"; "prosody:user"; "prosody:admin"; "prosody:operator" }; + scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host))):push("openid") + or { "prosody:restricted"; "prosody:user"; "prosody:admin"; "prosody:operator"; "openid" }; response_types_supported = array(it.keys(response_type_handlers)); authorization_response_iss_parameter_supported = true; };