prosody-modules
eb482defd9b0
mod_http_oauth2/mod_http_oauth2.lua
Software / code / prosody-modules
Comparison
mod_http_oauth2/mod_http_oauth2.lua @ 5280:eb482defd9b0
mod_http_oauth2: Update to use new API of Prosody mod_tokenauth @ 601d9a375b86
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Mon, 27 Mar 2023 18:51:12 +0100 |
| parent | 5279:2b858cccac8f |
| child | 5335:53c6f49dcbb8 |
comparison
equal
deleted
inserted
replaced
| 5279:2b858cccac8f | 5280:eb482defd9b0 |
|---|---|
| 163 if next(token_data) == nil then | 163 if next(token_data) == nil then |
| 164 token_data = nil; | 164 token_data = nil; |
| 165 end | 165 end |
| 166 | 166 |
| 167 local refresh_token; | 167 local refresh_token; |
| 168 local access_token, access_token_info | 168 local grant = refresh_token_info and refresh_token_info.grant; |
| 169 -- No existing refresh token, and we're issuing a time-limited access token? | 169 if not grant then |
| 170 -- Create a refresh token (unless refresh_token_info == false) | 170 -- No existing grant, create one |
| 171 if refresh_token_info == false or not default_access_ttl then | 171 grant = tokens.create_grant(token_jid, token_jid, default_refresh_ttl, token_data); |
| 172 -- Caller does not want a refresh token, or access tokens are not configured to expire | 172 -- Create refresh token for the grant if desired |
| 173 -- So, just create a standalone access token | 173 refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant, nil, nil, "oauth2-refresh"); |
| 174 access_token, access_token_info = tokens.create_jid_token(token_jid, token_jid, role, default_access_ttl, token_data, "oauth2"); | |
| 175 else | 174 else |
| 176 -- We're issuing both a refresh and an access token | 175 -- Grant exists, reuse existing refresh token |
| 177 if not refresh_token_info then | 176 refresh_token = refresh_token_info.token; |
| 178 refresh_token, refresh_token_info = tokens.create_jid_token(token_jid, token_jid, role, default_refresh_ttl, token_data, "oauth2-refresh"); | 177 end |
| 179 else | 178 |
| 180 refresh_token = refresh_token_info.token; | 179 local access_token, access_token_info = tokens.create_token(token_jid, grant, role, default_access_ttl, "oauth2"); |
| 181 end | 180 |
| 182 access_token, access_token_info = tokens.create_sub_token(token_jid, refresh_token_info.id, role, default_access_ttl, token_data, "oauth2"); | |
| 183 end | |
| 184 local expires_at = access_token_info.expires; | 181 local expires_at = access_token_info.expires; |
| 185 return { | 182 return { |
| 186 token_type = "bearer"; | 183 token_type = "bearer"; |
| 187 access_token = access_token; | 184 access_token = access_token; |
| 188 expires_in = expires_at and (expires_at - os.time()) or nil; | 185 expires_in = expires_at and (expires_at - os.time()) or nil; |
| 189 scope = scope_string; | 186 scope = scope_string; |
| 190 id_token = id_token; | 187 id_token = id_token; |
| 191 refresh_token = refresh_token; | 188 refresh_token = refresh_token or nil; |
| 192 }; | 189 }; |
| 193 end | 190 end |
| 194 | 191 |
| 195 local function get_redirect_uri(client, query_redirect_uri) -- record client, string : string | 192 local function get_redirect_uri(client, query_redirect_uri) -- record client, string : string |
| 196 if not query_redirect_uri then | 193 if not query_redirect_uri then |
| 364 end | 361 end |
| 365 | 362 |
| 366 -- new_access_token() requires the actual token | 363 -- new_access_token() requires the actual token |
| 367 refresh_token_info.token = params.refresh_token; | 364 refresh_token_info.token = params.refresh_token; |
| 368 | 365 |
| 369 return json.encode(new_access_token(token_info.jid, token_info.role, token_info.data.oauth2_scopes, client, nil, token_info)); | 366 return json.encode(new_access_token( |
| 367 refresh_token_info.jid, refresh_token_info.role, refresh_token_info.data.oauth2_scopes, client, nil, refresh_token_info | |
| 368 )); | |
| 370 end | 369 end |
| 371 | 370 |
| 372 -- Used to issue/verify short-lived tokens for the authorization process below | 371 -- Used to issue/verify short-lived tokens for the authorization process below |
| 373 local new_user_token, verify_user_token = jwt.init("HS256", random.bytes(32), nil, { default_ttl = 600 }); | 372 local new_user_token, verify_user_token = jwt.init("HS256", random.bytes(32), nil, { default_ttl = 600 }); |
| 374 | 373 |
