
mod_http_oauth2/mod_http_oauth2.lua @ 5450:d2594bbf7c36

mod_http_oauth2: Scope FIXMEs
author Kim Alvefur <zash@zash.se>
date Thu, 11 May 2023 21:43:23 +0200
parent 5449:9c19a6b8e542
child 5451:6705f2a09702
--- a/mod_http_oauth2/mod_http_oauth2.lua	Thu May 11 21:41:37 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Thu May 11 21:43:23 2023 +0200
@@ -368,6 +368,7 @@
 	if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
 	if not params.code then return oauth_error("invalid_request", "missing 'code'"); end
 	if params.scope and params.scope ~= "" then
+		-- FIXME allow a subset of granted scopes
 		return oauth_error("invalid_scope", "unknown scope requested");
 	end
 
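Review bot: The added FIXME on the `params.scope` branch does not say what the check currently enforces, so a maintainer reading the `"unknown scope requested"` error next to it may assume the scope was looked up and not found, when in fact any non-empty scope is rejected outright. I would make the comment state both the current behaviour and the intended one: `-- FIXME scope narrowing is not implemented: any non-empty 'scope' is rejected here. Should accept a subset of the scopes granted at authorization time.`. The error string itself is presumably kept for client compatibility, but its wording is misleading for the same reason. The enclosing function starts before this hunk and continues after it.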
@@ -544,6 +545,7 @@
 		local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'"));
 		local request_username, request_host, request_resource = jid.prepped_split(request_jid);
 		if params.scope then
+			-- TODO shouldn't we support scopes / roles here?
 			return oauth_error("invalid_scope", "unknown scope requested");
 		end
 		if not request_host or request_host ~= module.host then
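Review bot: The guard on this branch is `if params.scope then`, whereas the authorization-code path in the first hunk uses `params.scope and params.scope ~= ""`, so a client sending an empty `scope=` parameter is rejected here but accepted there; if that difference is unintended, align it with `if params.scope and params.scope ~= "" then`. The new TODO is phrased as a question; it would be more useful if it recorded the decision, e.g. `-- TODO scopes/roles are not supported for the password grant yet; any 'scope' is rejected. Decide whether to apply the same subset-of-granted-scopes rule as the code grant.`. Which roles the resulting token should carry cannot be determined from this hunk. The enclosing function starts before this hunk and continues after it.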