util/sasl/oauthbearer.lua @ 12938:055b03d3059b
util.sasl.oauthbearer: Return username from callback instead of using authzid (BC)
RFC 6120 states that
> If the initiating entity does not wish to act on behalf of another
> entity, it MUST NOT provide an authorization identity.
Thus it seems odd to require it here. We can instead expect a
username from the token data passed back from the profile.
This follows the practice of util.sasl.external where the profile
callback returns the selected username, making the authentication module
responsible for extracting the username from the token.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 16 Mar 2023 12:18:23 +0100 |
parent | 12937:23b20ede9c34 |
child | 12940:2aebd9bf02fc |
local json = require "util.json";
-- Cut off global access for the rest of this file: with _ENV set to nil,
-- any reference to an undeclared name raises an error instead of silently
-- reading or creating a global (Lua 5.2+ _ENV semantics; a plain local on
-- older runtimes). Everything the module needs must be a local declared
-- above this line.
local _ENV = nil;
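-- SASL OAUTHBEARER mechanism handler (RFC 7628). Called by the util.sasl
-- framework with the raw client response and returns the usual
-- (status, detail) pair: "success", "failure" or "challenge".
--
-- Accepted wire format: a GS2 header "n,a=<authzid>," followed by
-- ^A-terminated key=value pairs, of which the "auth" pair must carry an
-- HTTP-style "Bearer <token>" value, e.g.
--   n,a=user@example.com,^Aauth=Bearer <token>^A^A
--
-- The token is never interpreted here. It is handed to
-- self.profile.oauthbearer(self, token, self.realm, authzid), which
-- validates it and returns (username, state, token_info):
--   username   the account the token authenticates, or nil
--   state      true = valid, false = account disabled, nil = token rejected
--   token_info optional table; on rejection its .status, .scope and
--              .oidc_discovery_url are relayed to the client in the JSON
--              error challenge that RFC 7628 requires. On success it is
--              stored as self.token_info for later use by the caller.
local function oauthbearer(self, message)
	if not message then
		return "failure", "malformed-request";
	end

	-- After the server has sent a JSON error challenge, the client replies
	-- with a lone ^A so the server can conclude the exchange with a failure.
	if message == "\001" then
		return "failure", "not-authorized";
	end

	-- Anchored at the start so nothing may precede the GS2 header.
	-- NOTE(review): the "a=" authzid is still mandatory here although the
	-- GS2 header (and RFC 6120, per the commit message) make it optional;
	-- a client sending "n,," gets malformed-request. The GS2 "=2C"/"=3D"
	-- escapes in the authzid are also not decoded before it is passed on.
	local gs2_authzid, kvpairs = message:match("^n,a=([^,]+),(.+)$");
	if not gs2_authzid then
		return "failure", "malformed-request";
	end

	-- Each pair is key "=" value "^A"; values are limited to printable
	-- ASCII plus SP, HTAB, CR and LF. Only the first "auth" pair is used;
	-- any other pairs (host, port, ...) are ignored.
	local auth_header;
	for k, v in kvpairs:gmatch("([a-zA-Z]+)=([\033-\126 \009\r\n]*)\001") do
		if k == "auth" then
			auth_header = v;
			break;
		end
	end

	if not auth_header then
		return "failure", "malformed-request";
	end

	-- Only the Bearer scheme is meaningful for this mechanism. A different
	-- scheme or an empty token is a malformed request, not a token-validation
	-- failure, so it is rejected here instead of handing a nil token to the
	-- backend (which is what happened before this check).
	local token = auth_header:match("^Bearer (.+)$");
	if not token then
		return "failure", "malformed-request";
	end

	local username, state, token_info = self.profile.oauthbearer(self, token, self.realm, gs2_authzid);

	if state == false then
		return "failure", "account-disabled";
	elseif state == nil or not username then
		-- For token-level errors, RFC 7628 demands use of a JSON-encoded
		-- challenge response upon failure. We relay additional info from
		-- the auth backend if available.
		return "challenge", json.encode({
			status = token_info and token_info.status or "invalid_token";
			scope = token_info and token_info.scope or nil;
			["openid-configuration"] = token_info and token_info.oidc_discovery_url or nil;
		});
	end

	-- The authenticated identity is whatever the backend derived from the
	-- token; the client-supplied authzid is only passed to the backend and
	-- never trusted directly.
	self.username = username;
	self.token_info = token_info;

	return "success";
end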
-- Entry point used to register this mechanism with the SASL framework.
-- The first argument is the mechanism name advertised to clients; the
-- second appears to list the profile callbacks a backend must provide for
-- it (the handler calls self.profile.oauthbearer); the third is the
-- handler itself.
local function init(registerMechanism)
	local mechanism_name = "OAUTHBEARER";
	local required_profile_callbacks = { "oauthbearer" };
	registerMechanism(mechanism_name, required_profile_callbacks, oauthbearer);
end
-- Module export. Only init is exposed (presumably invoked by util.sasl
-- when it loads this mechanism — verify against the loader); the handler
-- itself is reachable solely through registerMechanism.
return {
	init = init;
}