Software /
code /
prosody-modules
Annotate
mod_auth_oauth_external/mod_auth_oauth_external.lua @ 5461:06640647d193
mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs
Per draft-ietf-oauth-v2-1-08#section-8.4.2
> The authorization server MUST allow any port to be specified at the
> time of the request for loopback IP redirect URIs, to accommodate
> clients that obtain an available ephemeral port from the operating
> system at the time of the request.
Uncertain if it should normalize the host part, but it also seems
harmless to treat IPv6 and IPv4 the same here.
One thing is that "localhost" is NOT RECOMMENDED because it can
sometimes be pointed to non-loopback interfaces via DNS or hosts file.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 17 May 2023 13:51:30 +0200 |
parent | 5443:4e79f344ae2f |
child | 5724:0207fd248480 |
rev | line source |
---|---|
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 local http = require "net.http"; |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 local async = require "util.async"; |
5433
b40299bbdf14
mod_auth_oauth_external: Fix missing import of util.jid
Kim Alvefur <zash@zash.se>
parents:
5346
diff
changeset
|
3 local jid = require "util.jid"; |
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 local json = require "util.json"; |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 local sasl = require "util.sasl"; |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 |
5346
d9bc8712a745
mod_auth_oauth_external: Allow setting identity instead of discovery URL
Kim Alvefur <zash@zash.se>
parents:
5345
diff
changeset
|
7 local issuer_identity = module:get_option_string("oauth_external_issuer"); |
d9bc8712a745
mod_auth_oauth_external: Allow setting identity instead of discovery URL
Kim Alvefur <zash@zash.se>
parents:
5345
diff
changeset
|
8 local oidc_discovery_url = module:get_option_string("oauth_external_discovery_url", |
d9bc8712a745
mod_auth_oauth_external: Allow setting identity instead of discovery URL
Kim Alvefur <zash@zash.se>
parents:
5345
diff
changeset
|
9 issuer_identity and issuer_identity .. "/.well-known/oauth-authorization-server" or nil); |
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 local validation_endpoint = module:get_option_string("oauth_external_validation_endpoint"); |
5345
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
11 local token_endpoint = module:get_option_string("oauth_external_token_endpoint"); |
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 local username_field = module:get_option_string("oauth_external_username_field", "preferred_username"); |
5345
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
14 local allow_plain = module:get_option_boolean("oauth_external_resource_owner_password", true); |
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 -- XXX Hold up, does whatever done here even need any of these things? Are we |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 -- the OAuth client? Is the XMPP client the OAuth client? What are we??? |
5345
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
18 local client_id = module:get_option_string("oauth_external_client_id"); |
5435
b3e7886fea6a
mod_auth_oauth_external: Add setting for client_secret
Kim Alvefur <zash@zash.se>
parents:
5434
diff
changeset
|
19 local client_secret = module:get_option_string("oauth_external_client_secret"); |
5436
e7d99bacd0e8
mod_auth_oauth_external: Make 'scope' configurable in password grant request
Kim Alvefur <zash@zash.se>
parents:
5435
diff
changeset
|
20 local scope = module:get_option_string("oauth_external_scope", "openid"); |
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 --[[ More or less required endpoints |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 digraph "oauth endpoints" { |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 issuer -> discovery -> { registration validation } |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 registration -> { client_id client_secret } |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 { client_id client_secret validation } -> required |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 } |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 --]] |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 local host = module.host; |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 local provider = {}; |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 |
5442
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
33 local function not_implemented() |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
34 return nil, "method not implemented" |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
35 end |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
36 |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
37 -- With proper OAuth 2, most of these should be handled at the atuhorization |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
38 -- server, no there. |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
39 provider.test_password = not_implemented; |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
40 provider.get_password = not_implemented; |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
41 provider.set_password = not_implemented; |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
42 provider.create_user = not_implemented; |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
43 provider.delete_user = not_implemented; |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
44 |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
45 function provider.user_exists(_username) |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
46 -- Can this even be done in a generic way in OAuth 2? |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
47 -- OIDC and WebFinger perhaps? |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
48 return true; |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
49 end |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
50 |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
51 function provider.users() |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
52 -- TODO this could be done by recording known users locally |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
53 return function () |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
54 module:log("debug", "User iteration not supported"); |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
55 return nil; |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
56 end |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
57 end |
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
58 |
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 function provider.get_sasl_handler() |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 local profile = {}; |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 profile.http_client = http.default; -- TODO configurable |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
62 local extra = { oidc_discovery_url = oidc_discovery_url }; |
5345
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
63 if token_endpoint and allow_plain then |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
64 local map_username = function (username, _realm) return username; end; --jid.join; -- TODO configurable |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
65 function profile:plain_test(username, password, realm) |
5437
49306afbf722
mod_auth_oauth_external: Expect XEP-0106 escaped username in PLAIN
Kim Alvefur <zash@zash.se>
parents:
5436
diff
changeset
|
66 username = jid.unescape(username); -- COMPAT Mastodon |
5345
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
67 local tok, err = async.wait_for(self.profile.http_client:request(token_endpoint, { |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
68 headers = { ["Content-Type"] = "application/x-www-form-urlencoded; charset=utf-8"; ["Accept"] = "application/json" }; |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
69 body = http.formencode({ |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
70 grant_type = "password"; |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
71 client_id = client_id; |
5435
b3e7886fea6a
mod_auth_oauth_external: Add setting for client_secret
Kim Alvefur <zash@zash.se>
parents:
5434
diff
changeset
|
72 client_secret = client_secret; |
5345
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
73 username = map_username(username, realm); |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
74 password = password; |
5436
e7d99bacd0e8
mod_auth_oauth_external: Make 'scope' configurable in password grant request
Kim Alvefur <zash@zash.se>
parents:
5435
diff
changeset
|
75 scope = scope; |
5345
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
76 }); |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
77 })) |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
78 if err or not (tok.code >= 200 and tok.code < 300) then |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
79 return false, nil; |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
80 end |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
81 local token_resp = json.decode(tok.body); |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
82 if not token_resp or string.lower(token_resp.token_type or "") ~= "bearer" then |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
83 return false, nil; |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
84 end |
5434
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
85 if not validation_endpoint then |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
86 -- We're not going to get more info, only the username |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
87 self.username = jid.escape(username); |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
88 self.token_info = token_resp; |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
89 return true, true; |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
90 end |
5345
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
91 local ret, err = async.wait_for(self.profile.http_client:request(validation_endpoint, |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
92 { headers = { ["Authorization"] = "Bearer " .. token_resp.access_token; ["Accept"] = "application/json" } })); |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
93 if err then |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
94 return false, nil; |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
95 end |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
96 if not (ret.code >= 200 and ret.code < 300) then |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
97 return false, nil; |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
98 end |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
99 local response = json.decode(ret.body); |
5440
82a14082be3f
mod_auth_oauth_external: Allow different username in PLAIN vs final JID
Kim Alvefur <zash@zash.se>
parents:
5439
diff
changeset
|
100 if type(response) ~= "table" then |
82a14082be3f
mod_auth_oauth_external: Allow different username in PLAIN vs final JID
Kim Alvefur <zash@zash.se>
parents:
5439
diff
changeset
|
101 return false, nil, nil; |
82a14082be3f
mod_auth_oauth_external: Allow different username in PLAIN vs final JID
Kim Alvefur <zash@zash.se>
parents:
5439
diff
changeset
|
102 elseif type(response[username_field]) ~= "string" then |
5345
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
103 return false, nil, nil; |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
104 end |
5440
82a14082be3f
mod_auth_oauth_external: Allow different username in PLAIN vs final JID
Kim Alvefur <zash@zash.se>
parents:
5439
diff
changeset
|
105 self.username = jid.escape(response[username_field]); |
5345
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
106 self.token_info = response; |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
107 return true, true; |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
108 end |
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
109 end |
5434
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
110 if validation_endpoint then |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
111 function profile:oauthbearer(token) |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
112 if token == "" then |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
113 return false, nil, extra; |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
114 end |
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
115 |
5434
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
116 local ret, err = async.wait_for(self.profile.http_client:request(validation_endpoint, { |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
117 headers = { ["Authorization"] = "Bearer " .. token; ["Accept"] = "application/json" }; |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
118 })); |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
119 if err then |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
120 return false, nil, extra; |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
121 end |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
122 local response = ret and json.decode(ret.body); |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
123 if not (ret.code >= 200 and ret.code < 300) then |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
124 return false, nil, response or extra; |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
125 end |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
126 if type(response) ~= "table" or type(response[username_field]) ~= "string" then |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
127 return false, nil, nil; |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
128 end |
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
129 |
5443
4e79f344ae2f
mod_auth_oauth_external: Also do XEP-0106 escaping in SASL OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
5442
diff
changeset
|
130 return jid.escape(response[username_field]), true, response; |
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
131 end |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
132 end |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
133 return sasl.new(host, profile); |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
134 end |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
135 |
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
136 module:provides("auth", provider); |