Mercurial > prosody-modules
annotate mod_auth_oauth_external/mod_auth_oauth_external.lua @ 6556:7477e97a9045
mod_firewall: Apply pre-reload state before re-reading config
This change makes load/reload a bit more robust. module.load() runs before
module.restore() and it reads from the config and updates the state (if
needed).
However, after this, module.restore() could run and apply the old state again.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Sun, 24 May 2026 20:03:20 +0100 |
| parents | 6241b2f5e92f |
| children |
| rev | line source |
|---|---|
|
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 local http = require "net.http"; |
|
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 local async = require "util.async"; |
|
5433
b40299bbdf14
mod_auth_oauth_external: Fix missing import of util.jid
Kim Alvefur <zash@zash.se>
parents:
5346
diff
changeset
|
3 local jid = require "util.jid"; |
|
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 local json = require "util.json"; |
|
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 local sasl = require "util.sasl"; |
|
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 |
|
6525
05d66fe6b289
mod_auth_oauth_external: Reorder and comment on settings
Kim Alvefur <zash@zash.se>
parents:
6406
diff
changeset
|
7 -- Details about the OAuth2 Issuer |
|
5346
d9bc8712a745
mod_auth_oauth_external: Allow setting identity instead of discovery URL
Kim Alvefur <zash@zash.se>
parents:
5345
diff
changeset
|
8 local issuer_identity = module:get_option_string("oauth_external_issuer"); |
|
d9bc8712a745
mod_auth_oauth_external: Allow setting identity instead of discovery URL
Kim Alvefur <zash@zash.se>
parents:
5345
diff
changeset
|
9 local oidc_discovery_url = module:get_option_string("oauth_external_discovery_url", |
|
d9bc8712a745
mod_auth_oauth_external: Allow setting identity instead of discovery URL
Kim Alvefur <zash@zash.se>
parents:
5345
diff
changeset
|
10 issuer_identity and issuer_identity .. "/.well-known/oauth-authorization-server" or nil); |
|
6525
05d66fe6b289
mod_auth_oauth_external: Reorder and comment on settings
Kim Alvefur <zash@zash.se>
parents:
6406
diff
changeset
|
11 |
|
05d66fe6b289
mod_auth_oauth_external: Reorder and comment on settings
Kim Alvefur <zash@zash.se>
parents:
6406
diff
changeset
|
12 -- OAuth2 endpoints |
|
05d66fe6b289
mod_auth_oauth_external: Reorder and comment on settings
Kim Alvefur <zash@zash.se>
parents:
6406
diff
changeset
|
13 -- These could be discovered dynamically if unset |
|
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 local validation_endpoint = module:get_option_string("oauth_external_validation_endpoint"); |
|
5345
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
15 local token_endpoint = module:get_option_string("oauth_external_token_endpoint"); |
|
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 |
|
6525
05d66fe6b289
mod_auth_oauth_external: Reorder and comment on settings
Kim Alvefur <zash@zash.se>
parents:
6406
diff
changeset
|
17 -- Field used to decide the XMPP address localpart |
|
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 local username_field = module:get_option_string("oauth_external_username_field", "preferred_username"); |
|
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 |
|
6525
05d66fe6b289
mod_auth_oauth_external: Reorder and comment on settings
Kim Alvefur <zash@zash.se>
parents:
6406
diff
changeset
|
20 -- Settings needed for Resource Owner Password Grant, where Prosody acts as an OAuth2 Client |
|
05d66fe6b289
mod_auth_oauth_external: Reorder and comment on settings
Kim Alvefur <zash@zash.se>
parents:
6406
diff
changeset
|
21 -- Since at this time, no clients support SASL OAUTHBEARER, this is the only way this works |
|
05d66fe6b289
mod_auth_oauth_external: Reorder and comment on settings
Kim Alvefur <zash@zash.se>
parents:
6406
diff
changeset
|
22 local allow_plain = module:get_option_boolean("oauth_external_resource_owner_password", true); |
|
5345
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
23 local client_id = module:get_option_string("oauth_external_client_id"); |
|
5435
b3e7886fea6a
mod_auth_oauth_external: Add setting for client_secret
Kim Alvefur <zash@zash.se>
parents:
5434
diff
changeset
|
24 local client_secret = module:get_option_string("oauth_external_client_secret"); |
|
5436
e7d99bacd0e8
mod_auth_oauth_external: Make 'scope' configurable in password grant request
Kim Alvefur <zash@zash.se>
parents:
5435
diff
changeset
|
25 local scope = module:get_option_string("oauth_external_scope", "openid"); |
|
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 |
|
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 --[[ More or less required endpoints |
|
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 digraph "oauth endpoints" { |
|
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 issuer -> discovery -> { registration validation } |
|
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 registration -> { client_id client_secret } |
|
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 { client_id client_secret validation } -> required |
|
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 } |
|
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 --]] |
|
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 |
|
6526
1216f6befbe7
mod_auth_oauth_external: Raise error when configured without at least one endpoint
Kim Alvefur <zash@zash.se>
parents:
6525
diff
changeset
|
35 assert(validation_endpoint or token_endpoint, |
|
1216f6befbe7
mod_auth_oauth_external: Raise error when configured without at least one endpoint
Kim Alvefur <zash@zash.se>
parents:
6525
diff
changeset
|
36 "One or both of 'oauth_external_validation_endpoint' and 'oauth_external_token_endpoint' must be configured"); |
|
1216f6befbe7
mod_auth_oauth_external: Raise error when configured without at least one endpoint
Kim Alvefur <zash@zash.se>
parents:
6525
diff
changeset
|
37 |
|
6364
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
38 local accounts = module:open_store("accounts"); |
|
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
39 |
|
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 local provider = {}; |
|
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 |
|
6364
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
42 -- TODO remove, not needed after https://hg.prosody.im/trunk/rev/01f95f3de6fc |
|
5442
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
43 local function not_implemented() |
|
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
44 return nil, "method not implemented" |
|
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
45 end |
|
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
46 |
|
5730
6592c444e85c
mod_auth_oauth_external: Fix typo
Kim Alvefur <zash@zash.se>
parents:
5701
diff
changeset
|
47 -- With proper OAuth 2, most of these should be handled at the authorization |
|
5442
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
48 -- server, no there. |
|
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
49 provider.test_password = not_implemented; |
|
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
50 provider.get_password = not_implemented; |
|
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
51 provider.set_password = not_implemented; |
|
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
52 provider.create_user = not_implemented; |
|
6365
42866d42e267
mod_auth_oauth_external: Implement user deletion
Kim Alvefur <zash@zash.se>
parents:
6364
diff
changeset
|
53 |
|
42866d42e267
mod_auth_oauth_external: Implement user deletion
Kim Alvefur <zash@zash.se>
parents:
6364
diff
changeset
|
54 function provider.delete_user(username) |
|
42866d42e267
mod_auth_oauth_external: Implement user deletion
Kim Alvefur <zash@zash.se>
parents:
6364
diff
changeset
|
55 return accounts:set(username, nil); |
|
42866d42e267
mod_auth_oauth_external: Implement user deletion
Kim Alvefur <zash@zash.se>
parents:
6364
diff
changeset
|
56 end |
|
5442
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
57 |
|
6364
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
58 function provider.get_account_info(username) |
|
6406
cab284eaeb81
mod_auth_oauth_external: Pass on storage error from account info
Kim Alvefur <zash@zash.se>
parents:
6365
diff
changeset
|
59 local account, err = accounts:get(username); |
|
cab284eaeb81
mod_auth_oauth_external: Pass on storage error from account info
Kim Alvefur <zash@zash.se>
parents:
6365
diff
changeset
|
60 if not account then return nil, err or "Account not available"; end |
|
6364
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
61 return { |
|
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
62 created = account.created; |
|
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
63 password_updated = account.updated; |
|
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
64 enabled = not account.disabled; |
|
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
65 }; |
|
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
66 end |
|
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
67 |
|
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
68 function provider.user_exists(username) |
|
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
69 local account, err = accounts:get(username); |
|
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
70 if err then |
|
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
71 return nil, err; |
|
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
72 elseif account then |
|
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
73 return true; |
|
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
74 else |
|
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
75 return false |
|
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
76 end |
|
5442
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
77 end |
|
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
78 |
|
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
79 function provider.users() |
|
6364
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
80 return accounts:users(); |
|
5442
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
81 end |
|
7480dde4cd2e
mod_auth_oauth_external: Stub not implemented auth module methods
Kim Alvefur <zash@zash.se>
parents:
5440
diff
changeset
|
82 |
|
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
83 function provider.get_sasl_handler() |
|
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
84 local profile = {}; |
|
5949
97a9f939d472
mod_auth_oauth_external: Inherit default HTTP client settings (thanks nils)
Kim Alvefur <zash@zash.se>
parents:
5730
diff
changeset
|
85 profile.http_client = http.default:new({ connection_pooling = true }); -- TODO configurable |
|
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
86 local extra = { oidc_discovery_url = oidc_discovery_url }; |
|
5345
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
87 if token_endpoint and allow_plain then |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
88 local map_username = function (username, _realm) return username; end; --jid.join; -- TODO configurable |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
89 function profile:plain_test(username, password, realm) |
|
5437
49306afbf722
mod_auth_oauth_external: Expect XEP-0106 escaped username in PLAIN
Kim Alvefur <zash@zash.se>
parents:
5436
diff
changeset
|
90 username = jid.unescape(username); -- COMPAT Mastodon |
|
5345
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
91 local tok, err = async.wait_for(self.profile.http_client:request(token_endpoint, { |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
92 headers = { ["Content-Type"] = "application/x-www-form-urlencoded; charset=utf-8"; ["Accept"] = "application/json" }; |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
93 body = http.formencode({ |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
94 grant_type = "password"; |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
95 client_id = client_id; |
|
5435
b3e7886fea6a
mod_auth_oauth_external: Add setting for client_secret
Kim Alvefur <zash@zash.se>
parents:
5434
diff
changeset
|
96 client_secret = client_secret; |
|
5345
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
97 username = map_username(username, realm); |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
98 password = password; |
|
5436
e7d99bacd0e8
mod_auth_oauth_external: Make 'scope' configurable in password grant request
Kim Alvefur <zash@zash.se>
parents:
5435
diff
changeset
|
99 scope = scope; |
|
5345
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
100 }); |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
101 })) |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
102 if err or not (tok.code >= 200 and tok.code < 300) then |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
103 return false, nil; |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
104 end |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
105 local token_resp = json.decode(tok.body); |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
106 if not token_resp or string.lower(token_resp.token_type or "") ~= "bearer" then |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
107 return false, nil; |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
108 end |
|
5434
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
109 if not validation_endpoint then |
|
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
110 -- We're not going to get more info, only the username |
|
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
111 self.username = jid.escape(username); |
|
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
112 self.token_info = token_resp; |
|
6364
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
113 accounts:set(self.username, { exists = true }); |
|
5434
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
114 return true, true; |
|
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
115 end |
|
5345
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
116 local ret, err = async.wait_for(self.profile.http_client:request(validation_endpoint, |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
117 { headers = { ["Authorization"] = "Bearer " .. token_resp.access_token; ["Accept"] = "application/json" } })); |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
118 if err then |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
119 return false, nil; |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
120 end |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
121 if not (ret.code >= 200 and ret.code < 300) then |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
122 return false, nil; |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
123 end |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
124 local response = json.decode(ret.body); |
|
6528
6241b2f5e92f
mod_auth_oauth_external: Minor code cleanup
Kim Alvefur <zash@zash.se>
parents:
6526
diff
changeset
|
125 if type(response) ~= "table" or type(response[username_field]) ~= "string" then |
|
5345
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
126 return false, nil, nil; |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
127 end |
|
6528
6241b2f5e92f
mod_auth_oauth_external: Minor code cleanup
Kim Alvefur <zash@zash.se>
parents:
6526
diff
changeset
|
128 self.token_info = response; |
|
5440
82a14082be3f
mod_auth_oauth_external: Allow different username in PLAIN vs final JID
Kim Alvefur <zash@zash.se>
parents:
5439
diff
changeset
|
129 self.username = jid.escape(response[username_field]); |
|
6364
9c110fbecd86
mod_auth_oauth_external: Record existence of users
Kim Alvefur <zash@zash.se>
parents:
5949
diff
changeset
|
130 accounts:set(self.username, { exists = true }); |
|
5345
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
131 return true, true; |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
132 end |
|
3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Kim Alvefur <zash@zash.se>
parents:
5344
diff
changeset
|
133 end |
|
5434
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
134 if validation_endpoint then |
|
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
135 function profile:oauthbearer(token) |
|
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
136 if token == "" then |
|
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
137 return false, nil, extra; |
|
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
138 end |
|
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
139 |
|
5434
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
140 local ret, err = async.wait_for(self.profile.http_client:request(validation_endpoint, { |
|
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
141 headers = { ["Authorization"] = "Bearer " .. token; ["Accept"] = "application/json" }; |
|
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
142 })); |
|
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
143 if err then |
|
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
144 return false, nil, extra; |
|
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
145 end |
|
6528
6241b2f5e92f
mod_auth_oauth_external: Minor code cleanup
Kim Alvefur <zash@zash.se>
parents:
6526
diff
changeset
|
146 -- response decoded earlier since it can include an error struct that should be returned to client |
|
6241b2f5e92f
mod_auth_oauth_external: Minor code cleanup
Kim Alvefur <zash@zash.se>
parents:
6526
diff
changeset
|
147 local response = json.decode(ret.body); |
|
5434
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
148 if not (ret.code >= 200 and ret.code < 300) then |
|
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
149 return false, nil, response or extra; |
|
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
150 end |
|
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
151 if type(response) ~= "table" or type(response[username_field]) ~= "string" then |
|
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
152 return false, nil, nil; |
|
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
153 end |
|
6528
6241b2f5e92f
mod_auth_oauth_external: Minor code cleanup
Kim Alvefur <zash@zash.se>
parents:
6526
diff
changeset
|
154 self.token_info = response; |
|
5434
92ad8f03f225
mod_auth_oauth_external: Work without token validation endpoint
Kim Alvefur <zash@zash.se>
parents:
5433
diff
changeset
|
155 |
|
5443
4e79f344ae2f
mod_auth_oauth_external: Also do XEP-0106 escaping in SASL OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
5442
diff
changeset
|
156 return jid.escape(response[username_field]), true, response; |
|
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
157 end |
|
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
158 end |
|
6528
6241b2f5e92f
mod_auth_oauth_external: Minor code cleanup
Kim Alvefur <zash@zash.se>
parents:
6526
diff
changeset
|
159 return sasl.new(module.host, profile); |
|
5344
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
160 end |
|
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
161 |
|
0a6d2b79a8bf
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
162 module:provides("auth", provider); |
