
mod_http_oauth2/mod_http_oauth2.lua @ 6334:9b03238d4e0e

mod_http_oauth2: Only issue id_token when granted openid scope

OpenID Connect Core 1.0 states that OIDC is only being done if the "openid" scope is included. https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1 Fewer details given out by default is good for privacy and byte count.
author Kim Alvefur <zash@zash.se>
date Tue, 15 Jul 2025 01:46:38 +0200
parent 6327:578fa5d97daa
child 6336:6e80b2cb5fe6
6333:dbbbd5caf292 6334:9b03238d4e0e
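--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -1048,20 +1048,24 @@
 end
 
 params.scope = granted_scopes:concat(" ");
 
 local user_jid = jid.join(auth_state.user.username, module.host);
-local client_secret = make_client_secret(params.client_id);
-local id_token_signer = jwt.new_signer("HS256", client_secret);
-local id_token = id_token_signer({
-iss = get_issuer();
-sub = url.build({ scheme = "xmpp"; path = user_jid });
-aud = params.client_id;
-auth_time = auth_state.user.iat;
-nonce = params.nonce;
-amr = auth_state.user.amr; -- RFC 8176: Authentication Method Reference Values
-});
+local id_token;
+-- https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1
+if array_contains(granted_scopes, "openid") then
+local client_secret = make_client_secret(params.client_id);
+local id_token_signer = jwt.new_signer("HS256", client_secret);
+id_token = id_token_signer({
+iss = get_issuer();
+sub = url.build({ scheme = "xmpp"; path = user_jid });
+aud = params.client_id;
+auth_time = auth_state.user.iat;
+nonce = params.nonce;
+amr = auth_state.user.amr; -- RFC 8176: Authentication Method Reference Values
+});
+end
 local ret = response_handler(client, params, user_jid, id_token);
 if errors.is_err(ret) then
 return error_response(request, redirect_uri, ret);
 end
 return ret;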
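Review bot: The guard on new line 1055 keys off granted_scopes rather than the requested scopes, so a request whose response_type asks for an ID Token (OIDC implicit/hybrid) but whose `openid` scope was narrowed away during granting now reaches response_handler on line 1067 with a nil id_token; response_handler is outside this hunk, so whether it rejects that combination or silently returns a response without the token cannot be seen here and is worth confirming, since a client expecting an ID Token should get an error rather than an empty field. The comment on new line 1054 is a bare URL; spelling out the rule it points to helps the next reader, e.g. `-- OIDC Core 1.0 §3.1.2.1: an ID Token is only issued when the "openid" scope was granted; plain OAuth 2.0 requests get none`. The enclosing function starts and ends outside the hunk.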