
mod_http_oauth2/mod_http_oauth2.lua @ 5375:8b7d97f0ae8a

mod_http_oauth2: Fix to include "openid" scope in discovery metadata The "openid" scope was left out of openid_claims since it is treated differently from the other scopes.
author Kim Alvefur <zash@zash.se>
date Wed, 26 Apr 2023 23:41:49 +0200
parent 5367:93d445b26063
child 5377:ca477408f90b
5374:d9397d6a5513 5375:8b7d97f0ae8a
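--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -79,19 +79,19 @@
 
 local function parse_scopes(scope_string)
 return array(scope_string:gmatch("%S+"));
 end
 
-local openid_claims = set.new({ "profile"; "email"; "address"; "phone" });
+local openid_claims = set.new({ "openid", "profile"; "email"; "address"; "phone" });
 
 local function filter_scopes(username, requested_scope_string)
 local selected_role, granted_scopes = nil, array();
 
 if requested_scope_string then -- Specific role(s) requested
 local requested_scopes = parse_scopes(requested_scope_string);
 for _, scope in ipairs(requested_scopes) do
-if scope == "openid" or openid_claims:contains(scope) then
+if openid_claims:contains(scope) then
 granted_scopes:push(scope);
 end
 if selected_role == nil and usermanager.user_can_assume_role(username, module.host, scope) then
 selected_role = scope;
 end
@@ -806,10 +806,11 @@
 iss = get_issuer();
 sub = url.build({ scheme = "xmpp"; path = token_info.jid });
 }
 
 local token_claims = set.intersection(openid_claims, scopes);
+token_claims:remove("openid"); -- that's "iss" and "sub" above
 if not token_claims:empty() then
 -- Another module can do that
 module:fire_event("token/userinfo", {
 token = token_info;
 claims = token_claims;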
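Review bot: The new `openid_claims` constructor on line 84 mixes separators — `"openid", "profile"; "email"; …` — where the rest of the file's table literals use `;` throughout; `set.new({ "openid"; "profile"; "email"; "address"; "phone" })` keeps the list uniform and avoids a reader wondering whether the comma marks a distinction. In the second hunk, the `token_claims:remove("openid")` line is correct only because `set.intersection` returns a fresh set rather than a view of `openid_claims`; a short comment there would pin that assumption, e.g. `-- intersection() builds a new set, so removing "openid" here does not touch openid_claims`. Also worth stating in the existing trailing comment that "openid" is satisfied by the `iss`/`sub` fields assembled just above rather than by a claims provider, since a token granted only "openid" now produces no "token/userinfo" event at all. Both enclosing functions (`filter_scopes` and the userinfo handler) continue outside their hunks.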