Changeset

5248:b8b2bf0c1b4b

mod_http_oauth2: Record details of OAuth client a token is issued to To enable use cases such as revoking all tokens issued to a particular OAuth client in case of security issues, or for informative purposes such as when listing tokens for users.
author Kim Alvefur <zash@zash.se>
date Tue, 14 Mar 2023 18:08:25 +0100
parents 5247:dc27b997e969
children 5249:828e5e443613
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 15 insertions(+), 4 deletions(-) [+]
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sun Mar 12 17:56:23 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 14 18:08:25 2023 +0100
@@ -133,8 +133,19 @@
 	});
 end
 
-local function new_access_token(token_jid, scope, ttl)
-	local token = tokens.create_jid_token(token_jid, token_jid, scope, ttl, nil, "oauth2");
+-- client_id / client_metadata are pretty large, filter out a subset of
+-- properties that are deemed useful e.g. in case tokens issued to a certain
+-- client needs to be revoked
+local function client_subset(client)
+	return { name = client.client_name; uri = client.client_uri };
+end
+
+local function new_access_token(token_jid, scope, ttl, client)
+	local token_data;
+	if client then
+		token_data = { oauth2_client = client_subset(client) };
+	end
+	local token = tokens.create_jid_token(token_jid, token_jid, scope, ttl, token_data, "oauth2");
 	return {
 		token_type = "bearer";
 		access_token = token;
@@ -235,7 +246,7 @@
 function response_type_handlers.token(client, params, granted_jid)
 	local request_username, request_host = jid.split(granted_jid);
 	local granted_scopes = filter_scopes(request_username, request_host, params.scope);
-	local token_info = new_access_token(granted_jid, granted_scopes, nil);
+	local token_info = new_access_token(granted_jid, granted_scopes, nil, client);
 
 	local redirect = url.parse(get_redirect_uri(client, params.redirect_uri));
 	token_info.state = params.state;
@@ -284,7 +295,7 @@
 		return oauth_error("invalid_client", "incorrect credentials");
 	end
 
-	return json.encode(new_access_token(code.granted_jid, code.granted_scopes, nil));
+	return json.encode(new_access_token(code.granted_jid, code.granted_scopes, nil, client));
 end
 
 -- Used to issue/verify short-lived tokens for the authorization process below