prosody-modules
9d88c3d9eea5
mod_groups_oidc/mod_groups_oidc.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

Annotate

mod_groups_oidc/mod_groups_oidc.lua @ 6281:9d88c3d9eea5

mod_http_oauth2: Enforce the registered grant types Thus a client can limit itself to certain grant types. Not sure if this prevents any attacks, but what was the point of including this in the registration if it was not going to be enforced? This became easier to do with client_id being available earlier.
author Kim Alvefur <zash@zash.se>
date Mon, 02 Jun 2025 20:55:20 +0200
parent 5504:7d9dce4e7dd0
child 6337:486115e3b64d
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
5504
7d9dce4e7dd0 mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 local array = require "util.array";
7d9dce4e7dd0 mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2
7d9dce4e7dd0 mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 module:add_item("openid-claim", "groups");
7d9dce4e7dd0 mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4
7d9dce4e7dd0 mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 local group_memberships = module:open_store("groups", "map");
7d9dce4e7dd0 mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 local function user_groups(username)
7d9dce4e7dd0 mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7 return pairs(group_memberships:get_all(username) or {});
7d9dce4e7dd0 mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 end
7d9dce4e7dd0 mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9
7d9dce4e7dd0 mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 module:hook("token/userinfo", function(event)
7d9dce4e7dd0 mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11 local userinfo = event.userinfo;
7d9dce4e7dd0 mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12 if event.claims:contains("groups") then
7d9dce4e7dd0 mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 userinfo.groups = array(user_groups(event.username));
7d9dce4e7dd0 mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14 end
7d9dce4e7dd0 mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15 end);