Software /
code /
prosody-modules
Annotate
mod_groups_oidc/mod_groups_oidc.lua @ 5624:d8622797e315
mod_http_oauth2: Shorten default token validity periods
With refresh tokens, short lifetime for access tokens is not a problem.
The arbitrary choice of one hour seems reasonable. RFC 6749 has it as
example value.
One week for refresh tokens matching the default archive retention
period. This means that a client that remains unused for one week will
have to sign in again. An actively used client will continually push
that forward with each used refresh token.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Mon, 24 Jul 2023 01:30:14 +0200 |
parent | 5504:7d9dce4e7dd0 |
rev | line source |
---|---|
5504
7d9dce4e7dd0
mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 local array = require "util.array"; |
7d9dce4e7dd0
mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 |
7d9dce4e7dd0
mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 module:add_item("openid-claim", "groups"); |
7d9dce4e7dd0
mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 |
7d9dce4e7dd0
mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 local group_memberships = module:open_store("groups", "map"); |
7d9dce4e7dd0
mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 local function user_groups(username) |
7d9dce4e7dd0
mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 return pairs(group_memberships:get_all(username) or {}); |
7d9dce4e7dd0
mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 end |
7d9dce4e7dd0
mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 |
7d9dce4e7dd0
mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 module:hook("token/userinfo", function(event) |
7d9dce4e7dd0
mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 local userinfo = event.userinfo; |
7d9dce4e7dd0
mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 if event.claims:contains("groups") then |
7d9dce4e7dd0
mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 userinfo.groups = array(user_groups(event.username)); |
7d9dce4e7dd0
mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 end |
7d9dce4e7dd0
mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 end); |