mod_http_oauth2/mod_http_oauth2.lua @ 5008:bd63feda3704
Merge role-auth
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Mon, 22 Aug 2022 15:39:02 +0100 |
parent | 5006:5dadbe0718f1 |
child | 5181:2c6acf2d6fd4 |
--- a/mod_http_oauth2/mod_http_oauth2.lua Tue Aug 16 13:10:39 2022 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Mon Aug 22 15:39:02 2022 +0100
@@ -14,13 +14,20 @@
 local clients = module:open_store("oauth2_clients", "map");
-local function filter_scopes(request_jid, requested_scope_string) --luacheck: ignore 212/requested_scope_string
- -- We currently don't really support scopes, so override
- -- to whatever real permissions the user has
- if usermanager.is_admin(request_jid, module.host) then
- return "prosody:scope:admin";
+local function filter_scopes(username, host, requested_scope_string)
+ if host ~= module.host then
+ return usermanager.get_jid_role(username.."@"..host, module.host).name;
 end
- return "prosody:scope:default";
+
+ if requested_scope_string then -- Specific role requested
+ -- TODO: The requested scope string is technically a space-delimited list
+ -- of scopes, but for simplicity we're mapping this slot to role names.
+ if usermanager.user_can_assume_role(username, module.host, requested_scope_string) then
+ return requested_scope_string;
+ end
+ end
+
+ return usermanager.get_user_role(username, module.host).name;
 end
 local function code_expires_in(code)
@@ -81,7 +88,7 @@
 end
 local granted_jid = jid.join(request_username, request_host, request_resource);
- local granted_scopes = filter_scopes(granted_jid, params.scope);
+ local granted_scopes = filter_scopes(request_username, request_host, params.scope);
 return json.encode(new_access_token(granted_jid, granted_scopes, nil));
 end
@@ -99,7 +106,7 @@
 return oauth_error("invalid_client", "incorrect credentials");
 end
- local granted_scopes = filter_scopes(granted_jid, params.scope);
+ local granted_scopes = filter_scopes(client_owner, client_host, params.scope);
 local code = uuid.generate();
 local ok = codes:set(params.client_id .. "#" .. code, {
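Review bot: Both `return usermanager.get_jid_role(...).name` and `return usermanager.get_user_role(...).name` in the new `filter_scopes` index the result without a nil check, so if either lookup can yield no role (which I cannot confirm from the hunk) the token and code handlers in the second and third hunks will raise a Lua error instead of returning an OAuth error. I would write the default branch as `local role = usermanager.get_user_role(username, module.host); return role and role.name;` (and the same for the foreign-host branch) and have the two callers reject a nil result with `oauth_error("invalid_scope", ...)`. The silent fallback — a requested role the user cannot assume quietly becomes the user's default role rather than an error — is a deliberate narrowing that deserves a one-line comment next to the `user_can_assume_role` check, e.g. `-- Unassumable roles are not an error: fall through to the user's own role`. The callers of `filter_scopes` in the second and third hunks start and end outside their hunks.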