Software /
code /
prosody-modules
Diff
mod_http_oauth2/mod_http_oauth2.lua @ 5248:b8b2bf0c1b4b
mod_http_oauth2: Record details of OAuth client a token is issued to
To enable use cases such as revoking all tokens issued to a particular
OAuth client in case of security issues, or for informative purposes
such as when listing tokens for users.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 14 Mar 2023 18:08:25 +0100 |
parent | 5247:dc27b997e969 |
child | 5252:85f0c6c1c24f |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Sun Mar 12 17:56:23 2023 +0100 +++ b/mod_http_oauth2/mod_http_oauth2.lua Tue Mar 14 18:08:25 2023 +0100 @@ -133,8 +133,19 @@ }); end -local function new_access_token(token_jid, scope, ttl) - local token = tokens.create_jid_token(token_jid, token_jid, scope, ttl, nil, "oauth2"); +-- client_id / client_metadata are pretty large, filter out a subset of +-- properties that are deemed useful e.g. in case tokens issued to a certain +-- client needs to be revoked +local function client_subset(client) + return { name = client.client_name; uri = client.client_uri }; +end + +local function new_access_token(token_jid, scope, ttl, client) + local token_data; + if client then + token_data = { oauth2_client = client_subset(client) }; + end + local token = tokens.create_jid_token(token_jid, token_jid, scope, ttl, token_data, "oauth2"); return { token_type = "bearer"; access_token = token; @@ -235,7 +246,7 @@ function response_type_handlers.token(client, params, granted_jid) local request_username, request_host = jid.split(granted_jid); local granted_scopes = filter_scopes(request_username, request_host, params.scope); - local token_info = new_access_token(granted_jid, granted_scopes, nil); + local token_info = new_access_token(granted_jid, granted_scopes, nil, client); local redirect = url.parse(get_redirect_uri(client, params.redirect_uri)); token_info.state = params.state; @@ -284,7 +295,7 @@ return oauth_error("invalid_client", "incorrect credentials"); end - return json.encode(new_access_token(code.granted_jid, code.granted_scopes, nil)); + return json.encode(new_access_token(code.granted_jid, code.granted_scopes, nil, client)); end -- Used to issue/verify short-lived tokens for the authorization process below