Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5248:b8b2bf0c1b4b

mod_http_oauth2: Record details of OAuth client a token is issued to To enable use cases such as revoking all tokens issued to a particular OAuth client in case of security issues, or for informative purposes such as when listing tokens for users.
author Kim Alvefur <zash@zash.se>
date Tue, 14 Mar 2023 18:08:25 +0100
parent 5247:dc27b997e969
child 5252:85f0c6c1c24f
comparison
equal deleted inserted replaced
5247:dc27b997e969 5248:b8b2bf0c1b4b
131 text = err_desc and (err_name..": "..err_desc) or err_name; 131 text = err_desc and (err_name..": "..err_desc) or err_name;
132 extra = { oauth2_response = { error = err_name, error_description = err_desc } }; 132 extra = { oauth2_response = { error = err_name, error_description = err_desc } };
133 }); 133 });
134 end 134 end
135 135
136 local function new_access_token(token_jid, scope, ttl) 136 -- client_id / client_metadata are pretty large, filter out a subset of
137 local token = tokens.create_jid_token(token_jid, token_jid, scope, ttl, nil, "oauth2"); 137 -- properties that are deemed useful e.g. in case tokens issued to a certain
138 -- client needs to be revoked
139 local function client_subset(client)
140 return { name = client.client_name; uri = client.client_uri };
141 end
142
143 local function new_access_token(token_jid, scope, ttl, client)
144 local token_data;
145 if client then
146 token_data = { oauth2_client = client_subset(client) };
147 end
148 local token = tokens.create_jid_token(token_jid, token_jid, scope, ttl, token_data, "oauth2");
138 return { 149 return {
139 token_type = "bearer"; 150 token_type = "bearer";
140 access_token = token; 151 access_token = token;
141 expires_in = ttl; 152 expires_in = ttl;
142 scope = scope; 153 scope = scope;
233 244
234 -- Implicit flow 245 -- Implicit flow
235 function response_type_handlers.token(client, params, granted_jid) 246 function response_type_handlers.token(client, params, granted_jid)
236 local request_username, request_host = jid.split(granted_jid); 247 local request_username, request_host = jid.split(granted_jid);
237 local granted_scopes = filter_scopes(request_username, request_host, params.scope); 248 local granted_scopes = filter_scopes(request_username, request_host, params.scope);
238 local token_info = new_access_token(granted_jid, granted_scopes, nil); 249 local token_info = new_access_token(granted_jid, granted_scopes, nil, client);
239 250
240 local redirect = url.parse(get_redirect_uri(client, params.redirect_uri)); 251 local redirect = url.parse(get_redirect_uri(client, params.redirect_uri));
241 token_info.state = params.state; 252 token_info.state = params.state;
242 redirect.fragment = http.formencode(token_info); 253 redirect.fragment = http.formencode(token_info);
243 254
282 if not code or type(code) ~= "table" or code_expired(code) then 293 if not code or type(code) ~= "table" or code_expired(code) then
283 module:log("debug", "authorization_code invalid or expired: %q", code); 294 module:log("debug", "authorization_code invalid or expired: %q", code);
284 return oauth_error("invalid_client", "incorrect credentials"); 295 return oauth_error("invalid_client", "incorrect credentials");
285 end 296 end
286 297
287 return json.encode(new_access_token(code.granted_jid, code.granted_scopes, nil)); 298 return json.encode(new_access_token(code.granted_jid, code.granted_scopes, nil, client));
288 end 299 end
289 300
290 -- Used to issue/verify short-lived tokens for the authorization process below 301 -- Used to issue/verify short-lived tokens for the authorization process below
291 local new_user_token, verify_user_token = jwt.init("HS256", random.bytes(32), nil, { default_ttl = 600 }); 302 local new_user_token, verify_user_token = jwt.init("HS256", random.bytes(32), nil, { default_ttl = 600 });
292 303