annotate mod_auth_oauth_external/mod_auth_oauth_external.lua @ 6513:5fb466693e85

mod_storage_xmlarchive: Ensure list index files are removed using os.remove() on the list files leaves the new index files behind since util.datamanager does not know they are removed. Thanks Link Mauve
author Kim Alvefur <zash@zash.se>
date Tue, 07 Apr 2026 21:10:54 +0200
parents cab284eaeb81
children 05d66fe6b289
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 local http = require "net.http";
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 local async = require "util.async";
5433
b40299bbdf14 mod_auth_oauth_external: Fix missing import of util.jid
Kim Alvefur <zash@zash.se>
parents: 5346
diff changeset
3 local jid = require "util.jid";
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 local json = require "util.json";
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 local sasl = require "util.sasl";
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6
5346
d9bc8712a745 mod_auth_oauth_external: Allow setting identity instead of discovery URL
Kim Alvefur <zash@zash.se>
parents: 5345
diff changeset
7 local issuer_identity = module:get_option_string("oauth_external_issuer");
d9bc8712a745 mod_auth_oauth_external: Allow setting identity instead of discovery URL
Kim Alvefur <zash@zash.se>
parents: 5345
diff changeset
8 local oidc_discovery_url = module:get_option_string("oauth_external_discovery_url",
d9bc8712a745 mod_auth_oauth_external: Allow setting identity instead of discovery URL
Kim Alvefur <zash@zash.se>
parents: 5345
diff changeset
9 issuer_identity and issuer_identity .. "/.well-known/oauth-authorization-server" or nil);
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 local validation_endpoint = module:get_option_string("oauth_external_validation_endpoint");
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
11 local token_endpoint = module:get_option_string("oauth_external_token_endpoint");
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 local username_field = module:get_option_string("oauth_external_username_field", "preferred_username");
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
14 local allow_plain = module:get_option_boolean("oauth_external_resource_owner_password", true);
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 -- XXX Hold up, does whatever done here even need any of these things? Are we
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17 -- the OAuth client? Is the XMPP client the OAuth client? What are we???
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
18 local client_id = module:get_option_string("oauth_external_client_id");
5435
b3e7886fea6a mod_auth_oauth_external: Add setting for client_secret
Kim Alvefur <zash@zash.se>
parents: 5434
diff changeset
19 local client_secret = module:get_option_string("oauth_external_client_secret");
5436
e7d99bacd0e8 mod_auth_oauth_external: Make 'scope' configurable in password grant request
Kim Alvefur <zash@zash.se>
parents: 5435
diff changeset
20 local scope = module:get_option_string("oauth_external_scope", "openid");
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 --[[ More or less required endpoints
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23 digraph "oauth endpoints" {
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 issuer -> discovery -> { registration validation }
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25 registration -> { client_id client_secret }
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 { client_id client_secret validation } -> required
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 }
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 --]]
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29
6364
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
30 local accounts = module:open_store("accounts");
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
31
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32 local host = module.host;
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 local provider = {};
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34
6364
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
35 -- TODO remove, not needed after https://hg.prosody.im/trunk/rev/01f95f3de6fc
5442
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
36 local function not_implemented()
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
37 return nil, "method not implemented"
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
38 end
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
39
5730
6592c444e85c mod_auth_oauth_external: Fix typo
Kim Alvefur <zash@zash.se>
parents: 5701
diff changeset
40 -- With proper OAuth 2, most of these should be handled at the authorization
5442
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
41 -- server, no there.
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
42 provider.test_password = not_implemented;
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
43 provider.get_password = not_implemented;
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
44 provider.set_password = not_implemented;
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
45 provider.create_user = not_implemented;
6365
42866d42e267 mod_auth_oauth_external: Implement user deletion
Kim Alvefur <zash@zash.se>
parents: 6364
diff changeset
46
42866d42e267 mod_auth_oauth_external: Implement user deletion
Kim Alvefur <zash@zash.se>
parents: 6364
diff changeset
47 function provider.delete_user(username)
42866d42e267 mod_auth_oauth_external: Implement user deletion
Kim Alvefur <zash@zash.se>
parents: 6364
diff changeset
48 return accounts:set(username, nil);
42866d42e267 mod_auth_oauth_external: Implement user deletion
Kim Alvefur <zash@zash.se>
parents: 6364
diff changeset
49 end
5442
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
50
6364
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
51 function provider.get_account_info(username)
6406
cab284eaeb81 mod_auth_oauth_external: Pass on storage error from account info
Kim Alvefur <zash@zash.se>
parents: 6365
diff changeset
52 local account, err = accounts:get(username);
cab284eaeb81 mod_auth_oauth_external: Pass on storage error from account info
Kim Alvefur <zash@zash.se>
parents: 6365
diff changeset
53 if not account then return nil, err or "Account not available"; end
6364
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
54 return {
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
55 created = account.created;
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
56 password_updated = account.updated;
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
57 enabled = not account.disabled;
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
58 };
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
59 end
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
60
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
61 function provider.user_exists(username)
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
62 local account, err = accounts:get(username);
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
63 if err then
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
64 return nil, err;
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
65 elseif account then
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
66 return true;
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
67 else
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
68 return false
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
69 end
5442
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
70 end
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
71
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
72 function provider.users()
6364
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
73 return accounts:users();
5442
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
74 end
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
75
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
76 function provider.get_sasl_handler()
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
77 local profile = {};
5949
97a9f939d472 mod_auth_oauth_external: Inherit default HTTP client settings (thanks nils)
Kim Alvefur <zash@zash.se>
parents: 5730
diff changeset
78 profile.http_client = http.default:new({ connection_pooling = true }); -- TODO configurable
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
79 local extra = { oidc_discovery_url = oidc_discovery_url };
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
80 if token_endpoint and allow_plain then
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
81 local map_username = function (username, _realm) return username; end; --jid.join; -- TODO configurable
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
82 function profile:plain_test(username, password, realm)
5437
49306afbf722 mod_auth_oauth_external: Expect XEP-0106 escaped username in PLAIN
Kim Alvefur <zash@zash.se>
parents: 5436
diff changeset
83 username = jid.unescape(username); -- COMPAT Mastodon
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
84 local tok, err = async.wait_for(self.profile.http_client:request(token_endpoint, {
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
85 headers = { ["Content-Type"] = "application/x-www-form-urlencoded; charset=utf-8"; ["Accept"] = "application/json" };
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
86 body = http.formencode({
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
87 grant_type = "password";
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
88 client_id = client_id;
5435
b3e7886fea6a mod_auth_oauth_external: Add setting for client_secret
Kim Alvefur <zash@zash.se>
parents: 5434
diff changeset
89 client_secret = client_secret;
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
90 username = map_username(username, realm);
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
91 password = password;
5436
e7d99bacd0e8 mod_auth_oauth_external: Make 'scope' configurable in password grant request
Kim Alvefur <zash@zash.se>
parents: 5435
diff changeset
92 scope = scope;
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
93 });
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
94 }))
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
95 if err or not (tok.code >= 200 and tok.code < 300) then
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
96 return false, nil;
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
97 end
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
98 local token_resp = json.decode(tok.body);
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
99 if not token_resp or string.lower(token_resp.token_type or "") ~= "bearer" then
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
100 return false, nil;
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
101 end
5434
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
102 if not validation_endpoint then
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
103 -- We're not going to get more info, only the username
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
104 self.username = jid.escape(username);
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
105 self.token_info = token_resp;
6364
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
106 accounts:set(self.username, { exists = true });
5434
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
107 return true, true;
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
108 end
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
109 local ret, err = async.wait_for(self.profile.http_client:request(validation_endpoint,
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
110 { headers = { ["Authorization"] = "Bearer " .. token_resp.access_token; ["Accept"] = "application/json" } }));
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
111 if err then
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
112 return false, nil;
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
113 end
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
114 if not (ret.code >= 200 and ret.code < 300) then
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
115 return false, nil;
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
116 end
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
117 local response = json.decode(ret.body);
5440
82a14082be3f mod_auth_oauth_external: Allow different username in PLAIN vs final JID
Kim Alvefur <zash@zash.se>
parents: 5439
diff changeset
118 if type(response) ~= "table" then
82a14082be3f mod_auth_oauth_external: Allow different username in PLAIN vs final JID
Kim Alvefur <zash@zash.se>
parents: 5439
diff changeset
119 return false, nil, nil;
82a14082be3f mod_auth_oauth_external: Allow different username in PLAIN vs final JID
Kim Alvefur <zash@zash.se>
parents: 5439
diff changeset
120 elseif type(response[username_field]) ~= "string" then
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
121 return false, nil, nil;
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
122 end
5440
82a14082be3f mod_auth_oauth_external: Allow different username in PLAIN vs final JID
Kim Alvefur <zash@zash.se>
parents: 5439
diff changeset
123 self.username = jid.escape(response[username_field]);
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
124 self.token_info = response;
6364
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
125 accounts:set(self.username, { exists = true });
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
126 return true, true;
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
127 end
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
128 end
5434
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
129 if validation_endpoint then
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
130 function profile:oauthbearer(token)
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
131 if token == "" then
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
132 return false, nil, extra;
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
133 end
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
134
5434
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
135 local ret, err = async.wait_for(self.profile.http_client:request(validation_endpoint, {
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
136 headers = { ["Authorization"] = "Bearer " .. token; ["Accept"] = "application/json" };
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
137 }));
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
138 if err then
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
139 return false, nil, extra;
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
140 end
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
141 local response = ret and json.decode(ret.body);
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
142 if not (ret.code >= 200 and ret.code < 300) then
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
143 return false, nil, response or extra;
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
144 end
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
145 if type(response) ~= "table" or type(response[username_field]) ~= "string" then
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
146 return false, nil, nil;
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
147 end
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
148
5443
4e79f344ae2f mod_auth_oauth_external: Also do XEP-0106 escaping in SASL OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents: 5442
diff changeset
149 return jid.escape(response[username_field]), true, response;
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
150 end
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
151 end
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
152 return sasl.new(host, profile);
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
153 end
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
154
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
155 module:provides("auth", provider);