util.sasl.oauthbearer: Return username from callback instead using authzid (BC) RFC 6120 states that > If the initiating entity does not wish to act on behalf of another > entity, it MUST NOT provide an authorization identity. Thus it seems weird to require it here. We can instead expect an username from the token data passed back from the profile. This follows the practice of util.sasl.external where the profile callback returns the selected username, making the authentication module responsible for extracting the username from the token.

author: Kim Alvefur <zash@zash.se>
date: Thu, 16 Mar 2023 12:18:23 +0100
parent: 12919:7c0e5c7eff7c
child: 12952:a668bc1aa39d
--- a/plugins/mod_tokenauth.lua	Wed Mar 15 12:02:23 2023 +0000
+++ b/plugins/mod_tokenauth.lua	Thu Mar 16 12:18:23 2023 +0100
@@ -125,19 +125,21 @@
 end
 
 function sasl_handler(auth_provider, purpose, extra)
-	return function (_, username, token, realm)
+	return function (sasl, token, realm, _authzid)
 		local token_info, err = get_token_info(token);
 		if not token_info then
 			module:log("debug", "SASL handler failed to verify token: %s", err);
 			return nil, nil, extra;
 		end
-		local token_user, token_host = jid.split(token_info.jid);
-		if username ~= token_user or realm ~= token_host or (purpose and token_info.purpose ~= purpose) then
+		local token_user, token_host, resource = jid.split(token_info.jid);
+		if realm ~= token_host or (purpose and token_info.purpose ~= purpose) then
 			return nil, nil, extra;
 		end
-		if auth_provider.is_enabled and not auth_provider.is_enabled(username) then
+		if auth_provider.is_enabled and not auth_provider.is_enabled(token_user) then
 			return true, false, token_info;
 		end
-		return true, true, token_info;
+		sasl.resource = resource;
+		sasl.token_info = token_info;
+		return token_user, true, token_info;
 	end;
 end