Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5279:2b858cccac8f

mod_http_oauth2: Add support for refresh tokens
author Matthew Wild <mwild1@gmail.com>
date Fri, 24 Mar 2023 14:29:07 +0000
parent 5278:d94dba396f9f
child 5280:eb482defd9b0
comparison
equal deleted inserted replaced
5278:d94dba396f9f 5279:2b858cccac8f
59 return resp; 59 return resp;
60 end 60 end
61 61
62 local tokens = module:depends("tokenauth"); 62 local tokens = module:depends("tokenauth");
63 63
64 local default_access_ttl = module:get_option_number("oauth2_access_token_ttl", 86400);
65 local default_refresh_ttl = module:get_option_number("oauth2_refresh_token_ttl", nil);
66
64 -- Used to derive client_secret from client_id, set to enable stateless dynamic registration. 67 -- Used to derive client_secret from client_id, set to enable stateless dynamic registration.
65 local registration_key = module:get_option_string("oauth2_registration_key"); 68 local registration_key = module:get_option_string("oauth2_registration_key");
66 local registration_algo = module:get_option_string("oauth2_registration_algorithm", "HS256"); 69 local registration_algo = module:get_option_string("oauth2_registration_algorithm", "HS256");
67 local registration_options = module:get_option("oauth2_registration_options", { default_ttl = 60 * 60 * 24 * 90 }); 70 local registration_options = module:get_option("oauth2_registration_options", { default_ttl = 60 * 60 * 24 * 90 });
68 71
150 -- client needs to be revoked 153 -- client needs to be revoked
151 local function client_subset(client) 154 local function client_subset(client)
152 return { name = client.client_name; uri = client.client_uri }; 155 return { name = client.client_name; uri = client.client_uri };
153 end 156 end
154 157
155 local function new_access_token(token_jid, role, scope, ttl, client, id_token) 158 local function new_access_token(token_jid, role, scope_string, client, id_token, refresh_token_info)
156 local token_data = {}; 159 local token_data = { oauth2_scopes = scope_string, oauth2_client = nil };
157 if client then 160 if client then
158 token_data.oauth2_client = client_subset(client); 161 token_data.oauth2_client = client_subset(client);
159 end 162 end
160 if next(token_data) == nil then 163 if next(token_data) == nil then
161 token_data = nil; 164 token_data = nil;
162 end 165 end
163 local token = tokens.create_jid_token(token_jid, token_jid, role, ttl, token_data, "oauth2"); 166
167 local refresh_token;
168 local access_token, access_token_info
169 -- No existing refresh token, and we're issuing a time-limited access token?
170 -- Create a refresh token (unless refresh_token_info == false)
171 if refresh_token_info == false or not default_access_ttl then
172 -- Caller does not want a refresh token, or access tokens are not configured to expire
173 -- So, just create a standalone access token
174 access_token, access_token_info = tokens.create_jid_token(token_jid, token_jid, role, default_access_ttl, token_data, "oauth2");
175 else
176 -- We're issuing both a refresh and an access token
177 if not refresh_token_info then
178 refresh_token, refresh_token_info = tokens.create_jid_token(token_jid, token_jid, role, default_refresh_ttl, token_data, "oauth2-refresh");
179 else
180 refresh_token = refresh_token_info.token;
181 end
182 access_token, access_token_info = tokens.create_sub_token(token_jid, refresh_token_info.id, role, default_access_ttl, token_data, "oauth2");
183 end
184 local expires_at = access_token_info.expires;
164 return { 185 return {
165 token_type = "bearer"; 186 token_type = "bearer";
166 access_token = token; 187 access_token = access_token;
167 expires_in = ttl; 188 expires_in = expires_at and (expires_at - os.time()) or nil;
168 scope = scope; 189 scope = scope_string;
169 id_token = id_token; 190 id_token = id_token;
170 -- TODO: include refresh_token when implemented 191 refresh_token = refresh_token;
171 }; 192 };
172 end 193 end
173 194
174 local function get_redirect_uri(client, query_redirect_uri) -- record client, string : string 195 local function get_redirect_uri(client, query_redirect_uri) -- record client, string : string
175 if not query_redirect_uri then 196 if not query_redirect_uri then
203 return oauth_error("invalid_grant", "incorrect credentials"); 224 return oauth_error("invalid_grant", "incorrect credentials");
204 end 225 end
205 226
206 local granted_jid = jid.join(request_username, request_host, request_resource); 227 local granted_jid = jid.join(request_username, request_host, request_resource);
207 local granted_scopes, granted_role = filter_scopes(request_username, params.scope); 228 local granted_scopes, granted_role = filter_scopes(request_username, params.scope);
208 return json.encode(new_access_token(granted_jid, granted_role, granted_scopes, nil, nil)); 229 return json.encode(new_access_token(granted_jid, granted_role, granted_scopes, nil));
209 end 230 end
210 231
211 function response_type_handlers.code(client, params, granted_jid, id_token) 232 function response_type_handlers.code(client, params, granted_jid, id_token)
212 local request_username, request_host = jid.split(granted_jid); 233 local request_username, request_host = jid.split(granted_jid);
213 if not request_host or request_host ~= module.host then 234 if not request_host or request_host ~= module.host then
268 local request_username, request_host = jid.split(granted_jid); 289 local request_username, request_host = jid.split(granted_jid);
269 if not request_host or request_host ~= module.host then 290 if not request_host or request_host ~= module.host then
270 return oauth_error("invalid_request", "invalid JID"); 291 return oauth_error("invalid_request", "invalid JID");
271 end 292 end
272 local granted_scopes, granted_role = filter_scopes(request_username, params.scope); 293 local granted_scopes, granted_role = filter_scopes(request_username, params.scope);
273 local token_info = new_access_token(granted_jid, granted_role, granted_scopes, nil, client, nil); 294 local token_info = new_access_token(granted_jid, granted_role, granted_scopes, client, nil);
274 295
275 local redirect = url.parse(get_redirect_uri(client, params.redirect_uri)); 296 local redirect = url.parse(get_redirect_uri(client, params.redirect_uri));
276 token_info.state = params.state; 297 token_info.state = params.state;
277 redirect.fragment = http.formencode(token_info); 298 redirect.fragment = http.formencode(token_info);
278 299
317 if not code or type(code) ~= "table" or code_expired(code) then 338 if not code or type(code) ~= "table" or code_expired(code) then
318 module:log("debug", "authorization_code invalid or expired: %q", code); 339 module:log("debug", "authorization_code invalid or expired: %q", code);
319 return oauth_error("invalid_client", "incorrect credentials"); 340 return oauth_error("invalid_client", "incorrect credentials");
320 end 341 end
321 342
322 return json.encode(new_access_token(code.granted_jid, code.granted_role, code.granted_scopes, nil, client, code.id_token)); 343 return json.encode(new_access_token(code.granted_jid, code.granted_role, code.granted_scopes, client, code.id_token));
344 end
345
346 function grant_type_handlers.refresh_token(params)
347 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
348 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
349 if not params.refresh_token then return oauth_error("invalid_request", "missing 'refresh_token'"); end
350
351 local client_ok, client = jwt_verify(params.client_id);
352 if not client_ok then
353 return oauth_error("invalid_client", "incorrect credentials");
354 end
355
356 if not verify_client_secret(params.client_id, params.client_secret) then
357 module:log("debug", "client_secret mismatch");
358 return oauth_error("invalid_client", "incorrect credentials");
359 end
360
361 local refresh_token_info = tokens.get_token_info(params.refresh_token);
362 if not refresh_token_info or refresh_token_info.purpose ~= "oauth2-refresh" then
363 return oauth_error("invalid_grant", "invalid refresh token");
364 end
365
366 -- new_access_token() requires the actual token
367 refresh_token_info.token = params.refresh_token;
368
369 return json.encode(new_access_token(token_info.jid, token_info.role, token_info.data.oauth2_scopes, client, nil, token_info));
323 end 370 end
324 371
325 -- Used to issue/verify short-lived tokens for the authorization process below 372 -- Used to issue/verify short-lived tokens for the authorization process below
326 local new_user_token, verify_user_token = jwt.init("HS256", random.bytes(32), nil, { default_ttl = 600 }); 373 local new_user_token, verify_user_token = jwt.init("HS256", random.bytes(32), nil, { default_ttl = 600 });
327 374
457 location = redirect_uri; 504 location = redirect_uri;
458 }; 505 };
459 }; 506 };
460 end 507 end
461 508
462 local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", {"authorization_code", "password"}) 509 local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", {"authorization_code", "password", "refresh_token"})
463 for handler_type in pairs(grant_type_handlers) do 510 for handler_type in pairs(grant_type_handlers) do
464 if not allowed_grant_type_handlers:contains(handler_type) then 511 if not allowed_grant_type_handlers:contains(handler_type) then
465 module:log("debug", "Grant type %q disabled", handler_type); 512 module:log("debug", "Grant type %q disabled", handler_type);
466 grant_type_handlers[handler_type] = nil; 513 grant_type_handlers[handler_type] = nil;
467 else 514 else