Diff

mod_http_oauth2/mod_http_oauth2.lua @ 5255:001c8fdc91a4

mod_http_oauth2: Add support for the "openid" scope This "openid" scope is there to signal access to the userinfo endpoint, which is needed for OIDC support. We don't actually check this later because the userinfo endpoint only returns info embedded in the token itself, but in the future we may want to check this more carefully.
author Kim Alvefur <zash@zash.se>
date Thu, 16 Mar 2023 17:06:35 +0100
parent 5254:b0ccdd12a70d
child 5256:44f7edd4f845
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Thu Mar 16 17:03:48 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Thu Mar 16 17:06:35 2023 +0100
@@ -88,6 +88,9 @@
 	if requested_scope_string then -- Specific role(s) requested
 		local requested_scopes = parse_scopes(requested_scope_string);
 		for _, scope in ipairs(requested_scopes) do
+			if scope == "openid" then
+				granted_scopes:push(scope);
+			end
 			if selected_role == nil and usermanager.user_can_assume_role(username, module.host, scope) then
 				selected_role = scope;
 			end
@@ -772,8 +775,8 @@
 				jwks_uri = nil; -- TODO?
 				userinfo_endpoint = handle_register_request and module:http_url() .. "/userinfo" or nil;
 				registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil;
-				scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host)))
-					or { "prosody:restricted"; "prosody:user"; "prosody:admin"; "prosody:operator" };
+				scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host))):push("openid")
+					or { "prosody:restricted"; "prosody:user"; "prosody:admin"; "prosody:operator"; "openid" };
 				response_types_supported = array(it.keys(response_type_handlers));
 				authorization_response_iss_parameter_supported = true;
 			};