plugins/mod_tokenauth.lua @ 12938:055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
RFC 6120 states that
> If the initiating entity does not wish to act on behalf of another
> entity, it MUST NOT provide an authorization identity.
Thus it seems weird to require it here. We can instead expect a
username from the token data passed back from the profile.
This follows the practice of util.sasl.external where the profile
callback returns the selected username, making the authentication module
responsible for extracting the username from the token.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 16 Mar 2023 12:18:23 +0100 |
parent | 12919:7c0e5c7eff7c |
child | 12952:a668bc1aa39d |
12937:23b20ede9c34 | 12938:055b03d3059b |
---|---|
123 end | 123 end |
124 return token_store:set(token_user, token_id, nil); | 124 return token_store:set(token_user, token_id, nil); |
125 end | 125 end |
126 | 126 |
127 function sasl_handler(auth_provider, purpose, extra) | 127 function sasl_handler(auth_provider, purpose, extra) |
128 return function (_, username, token, realm) | 128 return function (sasl, token, realm, _authzid) |
129 local token_info, err = get_token_info(token); | 129 local token_info, err = get_token_info(token); |
130 if not token_info then | 130 if not token_info then |
131 module:log("debug", "SASL handler failed to verify token: %s", err); | 131 module:log("debug", "SASL handler failed to verify token: %s", err); |
132 return nil, nil, extra; | 132 return nil, nil, extra; |
133 end | 133 end |
134 local token_user, token_host = jid.split(token_info.jid); | 134 local token_user, token_host, resource = jid.split(token_info.jid); |
135 if username ~= token_user or realm ~= token_host or (purpose and token_info.purpose ~= purpose) then | 135 if realm ~= token_host or (purpose and token_info.purpose ~= purpose) then |
136 return nil, nil, extra; | 136 return nil, nil, extra; |
137 end | 137 end |
138 if auth_provider.is_enabled and not auth_provider.is_enabled(username) then | 138 if auth_provider.is_enabled and not auth_provider.is_enabled(token_user) then |
139 return true, false, token_info; | 139 return true, false, token_info; |
140 end | 140 end |
141 return true, true, token_info; | 141 sasl.resource = resource; |
142 sasl.token_info = token_info; | |
143 return token_user, true, token_info; | |
142 end; | 144 end; |
143 end | 145 end |
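Review bot: The new callback signature accepts `_authzid` but never compares it with `token_user`, so a client that does send an authorization identity is authenticated as the token's user regardless of what it asked for; dropping the old `username ~= token_user` check removes the only place that mismatch was caught. If an authzid is present it should be checked against the identity taken from the token, e.g. `if _authzid and _authzid ~= token_user then return nil, nil, extra; end` before the `realm ~= token_host` test (the exact form of the authzid as passed by util.sasl.oauthbearer — bare username or full JID — is not visible here and should be confirmed). Relatedly, `jid.split` can yield a nil `token_user` for a host-only token JID, which the removed check also rejected; now it reaches `auth_provider.is_enabled(token_user)` and the final `return token_user, true, token_info`, so a guard `if not token_user then return nil, nil, extra; end` after the split would keep the failure explicit. A one-line comment on the return, `-- username comes from the token; authzid is not consulted (see util.sasl.external)`, would document the intent the commit message describes.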