annotate mod_auth_oauth_external/mod_auth_oauth_external.lua @ 6556:7477e97a9045

mod_firewall: Apply pre-reload state before re-reading config This change makes load/reload a bit more robust. module.load() runs before module.restore() and it reads from the config and updates the state (if needed). However, after this, module.restore() could run and apply the old state again.
author Matthew Wild <mwild1@gmail.com>
date Sun, 24 May 2026 20:03:20 +0100
parents 6241b2f5e92f
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 local http = require "net.http";
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 local async = require "util.async";
5433
b40299bbdf14 mod_auth_oauth_external: Fix missing import of util.jid
Kim Alvefur <zash@zash.se>
parents: 5346
diff changeset
3 local jid = require "util.jid";
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 local json = require "util.json";
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 local sasl = require "util.sasl";
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6
6525
05d66fe6b289 mod_auth_oauth_external: Reorder and comment on settings
Kim Alvefur <zash@zash.se>
parents: 6406
diff changeset
7 -- Details about the OAuth2 Issuer
5346
d9bc8712a745 mod_auth_oauth_external: Allow setting identity instead of discovery URL
Kim Alvefur <zash@zash.se>
parents: 5345
diff changeset
8 local issuer_identity = module:get_option_string("oauth_external_issuer");
d9bc8712a745 mod_auth_oauth_external: Allow setting identity instead of discovery URL
Kim Alvefur <zash@zash.se>
parents: 5345
diff changeset
9 local oidc_discovery_url = module:get_option_string("oauth_external_discovery_url",
d9bc8712a745 mod_auth_oauth_external: Allow setting identity instead of discovery URL
Kim Alvefur <zash@zash.se>
parents: 5345
diff changeset
10 issuer_identity and issuer_identity .. "/.well-known/oauth-authorization-server" or nil);
6525
05d66fe6b289 mod_auth_oauth_external: Reorder and comment on settings
Kim Alvefur <zash@zash.se>
parents: 6406
diff changeset
11
05d66fe6b289 mod_auth_oauth_external: Reorder and comment on settings
Kim Alvefur <zash@zash.se>
parents: 6406
diff changeset
12 -- OAuth2 endpoints
05d66fe6b289 mod_auth_oauth_external: Reorder and comment on settings
Kim Alvefur <zash@zash.se>
parents: 6406
diff changeset
13 -- These could be discovered dynamically if unset
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14 local validation_endpoint = module:get_option_string("oauth_external_validation_endpoint");
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
15 local token_endpoint = module:get_option_string("oauth_external_token_endpoint");
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16
6525
05d66fe6b289 mod_auth_oauth_external: Reorder and comment on settings
Kim Alvefur <zash@zash.se>
parents: 6406
diff changeset
17 -- Field used to decide the XMPP address localpart
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 local username_field = module:get_option_string("oauth_external_username_field", "preferred_username");
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19
6525
05d66fe6b289 mod_auth_oauth_external: Reorder and comment on settings
Kim Alvefur <zash@zash.se>
parents: 6406
diff changeset
20 -- Settings needed for Resource Owner Password Grant, where Prosody acts as an OAuth2 Client
05d66fe6b289 mod_auth_oauth_external: Reorder and comment on settings
Kim Alvefur <zash@zash.se>
parents: 6406
diff changeset
21 -- Since at this time, no clients support SASL OAUTHBEARER, this is the only way this works
05d66fe6b289 mod_auth_oauth_external: Reorder and comment on settings
Kim Alvefur <zash@zash.se>
parents: 6406
diff changeset
22 local allow_plain = module:get_option_boolean("oauth_external_resource_owner_password", true);
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
23 local client_id = module:get_option_string("oauth_external_client_id");
5435
b3e7886fea6a mod_auth_oauth_external: Add setting for client_secret
Kim Alvefur <zash@zash.se>
parents: 5434
diff changeset
24 local client_secret = module:get_option_string("oauth_external_client_secret");
5436
e7d99bacd0e8 mod_auth_oauth_external: Make 'scope' configurable in password grant request
Kim Alvefur <zash@zash.se>
parents: 5435
diff changeset
25 local scope = module:get_option_string("oauth_external_scope", "openid");
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 --[[ More or less required endpoints
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 digraph "oauth endpoints" {
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29 issuer -> discovery -> { registration validation }
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30 registration -> { client_id client_secret }
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31 { client_id client_secret validation } -> required
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32 }
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 --]]
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34
6526
1216f6befbe7 mod_auth_oauth_external: Raise error when configured without at least one endpoint
Kim Alvefur <zash@zash.se>
parents: 6525
diff changeset
35 assert(validation_endpoint or token_endpoint,
1216f6befbe7 mod_auth_oauth_external: Raise error when configured without at least one endpoint
Kim Alvefur <zash@zash.se>
parents: 6525
diff changeset
36 "One or both of 'oauth_external_validation_endpoint' and 'oauth_external_token_endpoint' must be configured");
1216f6befbe7 mod_auth_oauth_external: Raise error when configured without at least one endpoint
Kim Alvefur <zash@zash.se>
parents: 6525
diff changeset
37
6364
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
38 local accounts = module:open_store("accounts");
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
39
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
40 local provider = {};
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41
6364
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
42 -- TODO remove, not needed after https://hg.prosody.im/trunk/rev/01f95f3de6fc
5442
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
43 local function not_implemented()
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
44 return nil, "method not implemented"
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
45 end
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
46
5730
6592c444e85c mod_auth_oauth_external: Fix typo
Kim Alvefur <zash@zash.se>
parents: 5701
diff changeset
47 -- With proper OAuth 2, most of these should be handled at the authorization
5442
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
48 -- server, no there.
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
49 provider.test_password = not_implemented;
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
50 provider.get_password = not_implemented;
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
51 provider.set_password = not_implemented;
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
52 provider.create_user = not_implemented;
6365
42866d42e267 mod_auth_oauth_external: Implement user deletion
Kim Alvefur <zash@zash.se>
parents: 6364
diff changeset
53
42866d42e267 mod_auth_oauth_external: Implement user deletion
Kim Alvefur <zash@zash.se>
parents: 6364
diff changeset
54 function provider.delete_user(username)
42866d42e267 mod_auth_oauth_external: Implement user deletion
Kim Alvefur <zash@zash.se>
parents: 6364
diff changeset
55 return accounts:set(username, nil);
42866d42e267 mod_auth_oauth_external: Implement user deletion
Kim Alvefur <zash@zash.se>
parents: 6364
diff changeset
56 end
5442
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
57
6364
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
58 function provider.get_account_info(username)
6406
cab284eaeb81 mod_auth_oauth_external: Pass on storage error from account info
Kim Alvefur <zash@zash.se>
parents: 6365
diff changeset
59 local account, err = accounts:get(username);
cab284eaeb81 mod_auth_oauth_external: Pass on storage error from account info
Kim Alvefur <zash@zash.se>
parents: 6365
diff changeset
60 if not account then return nil, err or "Account not available"; end
6364
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
61 return {
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
62 created = account.created;
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
63 password_updated = account.updated;
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
64 enabled = not account.disabled;
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
65 };
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
66 end
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
67
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
68 function provider.user_exists(username)
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
69 local account, err = accounts:get(username);
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
70 if err then
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
71 return nil, err;
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
72 elseif account then
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
73 return true;
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
74 else
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
75 return false
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
76 end
5442
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
77 end
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
78
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
79 function provider.users()
6364
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
80 return accounts:users();
5442
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
81 end
7480dde4cd2e mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents: 5440
diff changeset
82
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
83 function provider.get_sasl_handler()
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
84 local profile = {};
5949
97a9f939d472 mod_auth_oauth_external: Inherit default HTTP client settings (thanks nils)
Kim Alvefur <zash@zash.se>
parents: 5730
diff changeset
85 profile.http_client = http.default:new({ connection_pooling = true }); -- TODO configurable
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
86 local extra = { oidc_discovery_url = oidc_discovery_url };
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
87 if token_endpoint and allow_plain then
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
88 local map_username = function (username, _realm) return username; end; --jid.join; -- TODO configurable
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
89 function profile:plain_test(username, password, realm)
5437
49306afbf722 mod_auth_oauth_external: Expect XEP-0106 escaped username in PLAIN
Kim Alvefur <zash@zash.se>
parents: 5436
diff changeset
90 username = jid.unescape(username); -- COMPAT Mastodon
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
91 local tok, err = async.wait_for(self.profile.http_client:request(token_endpoint, {
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
92 headers = { ["Content-Type"] = "application/x-www-form-urlencoded; charset=utf-8"; ["Accept"] = "application/json" };
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
93 body = http.formencode({
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
94 grant_type = "password";
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
95 client_id = client_id;
5435
b3e7886fea6a mod_auth_oauth_external: Add setting for client_secret
Kim Alvefur <zash@zash.se>
parents: 5434
diff changeset
96 client_secret = client_secret;
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
97 username = map_username(username, realm);
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
98 password = password;
5436
e7d99bacd0e8 mod_auth_oauth_external: Make 'scope' configurable in password grant request
Kim Alvefur <zash@zash.se>
parents: 5435
diff changeset
99 scope = scope;
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
100 });
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
101 }))
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
102 if err or not (tok.code >= 200 and tok.code < 300) then
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
103 return false, nil;
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
104 end
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
105 local token_resp = json.decode(tok.body);
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
106 if not token_resp or string.lower(token_resp.token_type or "") ~= "bearer" then
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
107 return false, nil;
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
108 end
5434
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
109 if not validation_endpoint then
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
110 -- We're not going to get more info, only the username
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
111 self.username = jid.escape(username);
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
112 self.token_info = token_resp;
6364
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
113 accounts:set(self.username, { exists = true });
5434
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
114 return true, true;
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
115 end
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
116 local ret, err = async.wait_for(self.profile.http_client:request(validation_endpoint,
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
117 { headers = { ["Authorization"] = "Bearer " .. token_resp.access_token; ["Accept"] = "application/json" } }));
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
118 if err then
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
119 return false, nil;
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
120 end
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
121 if not (ret.code >= 200 and ret.code < 300) then
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
122 return false, nil;
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
123 end
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
124 local response = json.decode(ret.body);
6528
6241b2f5e92f mod_auth_oauth_external: Minor code cleanup
Kim Alvefur <zash@zash.se>
parents: 6526
diff changeset
125 if type(response) ~= "table" or type(response[username_field]) ~= "string" then
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
126 return false, nil, nil;
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
127 end
6528
6241b2f5e92f mod_auth_oauth_external: Minor code cleanup
Kim Alvefur <zash@zash.se>
parents: 6526
diff changeset
128 self.token_info = response;
5440
82a14082be3f mod_auth_oauth_external: Allow different username in PLAIN vs final JID
Kim Alvefur <zash@zash.se>
parents: 5439
diff changeset
129 self.username = jid.escape(response[username_field]);
6364
9c110fbecd86 mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents: 5949
diff changeset
130 accounts:set(self.username, { exists = true });
5345
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
131 return true, true;
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
132 end
3390bb2f9f6c mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents: 5344
diff changeset
133 end
5434
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
134 if validation_endpoint then
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
135 function profile:oauthbearer(token)
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
136 if token == "" then
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
137 return false, nil, extra;
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
138 end
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
139
5434
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
140 local ret, err = async.wait_for(self.profile.http_client:request(validation_endpoint, {
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
141 headers = { ["Authorization"] = "Bearer " .. token; ["Accept"] = "application/json" };
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
142 }));
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
143 if err then
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
144 return false, nil, extra;
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
145 end
6528
6241b2f5e92f mod_auth_oauth_external: Minor code cleanup
Kim Alvefur <zash@zash.se>
parents: 6526
diff changeset
146 -- response decoded earlier since it can include an error struct that should be returned to client
6241b2f5e92f mod_auth_oauth_external: Minor code cleanup
Kim Alvefur <zash@zash.se>
parents: 6526
diff changeset
147 local response = json.decode(ret.body);
5434
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
148 if not (ret.code >= 200 and ret.code < 300) then
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
149 return false, nil, response or extra;
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
150 end
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
151 if type(response) ~= "table" or type(response[username_field]) ~= "string" then
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
152 return false, nil, nil;
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
153 end
6528
6241b2f5e92f mod_auth_oauth_external: Minor code cleanup
Kim Alvefur <zash@zash.se>
parents: 6526
diff changeset
154 self.token_info = response;
5434
92ad8f03f225 mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents: 5433
diff changeset
155
5443
4e79f344ae2f mod_auth_oauth_external: Also do XEP-0106 escaping in SASL OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents: 5442
diff changeset
156 return jid.escape(response[username_field]), true, response;
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
157 end
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
158 end
6528
6241b2f5e92f mod_auth_oauth_external: Minor code cleanup
Kim Alvefur <zash@zash.se>
parents: 6526
diff changeset
159 return sasl.new(module.host, profile);
5344
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
160 end
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
161
0a6d2b79a8bf mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff changeset
162 module:provides("auth", provider);