prosody
bb6a98a7b0b4
util/sasl/oauthbearer.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Annotate

util/sasl/oauthbearer.lua @ 12939:bb6a98a7b0b4

doap: Sort by XEP number To keep them sorted. Not pedantic at all!
author Kim Alvefur <zash@zash.se>
date Thu, 16 Mar 2023 13:20:19 +0100
parent 12938:055b03d3059b
child 12940:2aebd9bf02fc
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
12911
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1 local json = require "util.json";
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
2 local _ENV = nil;
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
3
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
4
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
5 local function oauthbearer(self, message)
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
6 if not message then
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
7 return "failure", "malformed-request";
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
8 end
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
9
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10 if message == "\001" then
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
11 return "failure", "not-authorized";
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
12 end
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
13
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
14 local gs2_authzid, kvpairs = message:match("n,a=([^,]+),(.+)$");
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
15 if not gs2_authzid then
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
16 return "failure", "malformed-request";
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
17 end
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
18
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
19 local auth_header;
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
20 for k, v in kvpairs:gmatch("([a-zA-Z]+)=([\033-\126 \009\r\n]*)\001") do
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
21 if k == "auth" then
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
22 auth_header = v;
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
23 break;
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
24 end
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
25 end
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27 if not auth_header then
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
28 return "failure", "malformed-request";
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29 end
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
30
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
31 local token = auth_header:match("^Bearer (.+)$");
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
32
12938
055b03d3059b util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents: 12937
diff changeset
33 local username, state, token_info = self.profile.oauthbearer(self, token, self.realm, gs2_authzid);
12911
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
34
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
35 if state == false then
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
36 return "failure", "account-disabled";
12938
055b03d3059b util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents: 12937
diff changeset
37 elseif state == nil or not username then
12911
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
38 -- For token-level errors, RFC 7628 demands use of a JSON-encoded
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
39 -- challenge response upon failure. We relay additional info from
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
40 -- the auth backend if available.
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
41 return "challenge", json.encode({
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
42 status = token_info and token_info.status or "invalid_token";
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
43 scope = token_info and token_info.scope or nil;
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
44 ["openid-configuration"] = token_info and token_info.oidc_discovery_url or nil;
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
45 });
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
46 end
12938
055b03d3059b util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents: 12937
diff changeset
47 self.username = username;
12937
23b20ede9c34 util.sasl.oauthbearer: Fix syntax error in b796e08e6376
Matthew Wild <mwild1@gmail.com>
parents: 12936
diff changeset
48 self.token_info = token_info;
12936
b796e08e6376 util.sasl.oauthbearer: Attach token_info to sasl handler
Matthew Wild <mwild1@gmail.com>
parents: 12918
diff changeset
49
12911
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
50 return "success";
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
51 end
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
52
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
53 local function init(registerMechanism)
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
54 registerMechanism("OAUTHBEARER", {"oauthbearer"}, oauthbearer);
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
55 end
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
56
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
57 return {
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
58 init = init;
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
59 }