comparison mod_http_oauth2/mod_http_oauth2.lua @ 6247:7cf1fcac9b94

mod_http_oauth2: Reorder metadata by source Following the order in which field are described in each specification. Also fills in `nil` fields that are defined but not used in this module. Tweaks some values to reflect current behavior.
author Kim Alvefur <zash@zash.se>
date Sat, 07 Jun 2025 22:02:18 +0200
parents 7e4238d2989c
children 28fd42866be9
comparison
equal deleted inserted replaced
6246:5955ec5c173e 6247:7cf1fcac9b94
1687 authorization_server_metadata = { 1687 authorization_server_metadata = {
1688 -- RFC 8414: OAuth 2.0 Authorization Server Metadata 1688 -- RFC 8414: OAuth 2.0 Authorization Server Metadata
1689 issuer = get_issuer(); 1689 issuer = get_issuer();
1690 authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil; 1690 authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil;
1691 token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil; 1691 token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil;
1692 jwks_uri = nil; -- REQUIRED in OpenID Discovery but not in OAuth 2.0 Metadata
1692 registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil; 1693 registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil;
1693 scopes_supported = usermanager.get_all_roles 1694 scopes_supported = usermanager.get_all_roles
1694 and array(it.keys(usermanager.get_all_roles(module.host))):push("xmpp"):append(array(openid_claims:items())); 1695 and array(it.keys(usermanager.get_all_roles(module.host))):push("xmpp"):append(array(openid_claims:items()));
1695 response_types_supported = array(it.keys(response_type_handlers)); 1696 response_types_supported = array(it.keys(response_type_handlers));
1696 token_endpoint_auth_methods_supported = array({ "client_secret_post"; "client_secret_basic" }); 1697 response_modes_supported = array(it.keys(response_type_handlers)):map(tmap { token = "fragment"; code = "query" });
1698 grant_types_supported = array(it.keys(grant_type_handlers));
1699 token_endpoint_auth_methods_supported = array({ "client_secret_basic"; "client_secret_post"; "none" });
1700 token_endpoint_auth_signing_alg_values_supported = nil;
1701 service_documentation = module:get_option_string("oauth2_service_documentation", "https://modules.prosody.im/mod_http_oauth2.html");
1702 ui_locales_supported = allowed_locales[1] and allowed_locales;
1697 op_policy_uri = module:get_option_string("oauth2_policy_url", nil); 1703 op_policy_uri = module:get_option_string("oauth2_policy_url", nil);
1698 op_tos_uri = module:get_option_string("oauth2_terms_url", nil); 1704 op_tos_uri = module:get_option_string("oauth2_terms_url", nil);
1699 revocation_endpoint = handle_revocation_request and module:http_url() .. "/revoke" or nil; 1705 revocation_endpoint = handle_revocation_request and module:http_url() .. "/revoke" or nil;
1700 revocation_endpoint_auth_methods_supported = array({ "client_secret_basic" }); 1706 revocation_endpoint_auth_methods_supported = array({ "client_secret_basic"; "client_secret_post"; "none" });
1701 device_authorization_endpoint = handle_device_authorization_request and module:http_url() .. "/device"; 1707 revocation_endpoint_auth_signing_alg_values_supported = nil;
1702 introspection_endpoint = handle_introspection_request and module:http_url() .. "/introspect"; 1708 introspection_endpoint = handle_introspection_request and module:http_url() .. "/introspect";
1703 introspection_endpoint_auth_methods_supported = nil; 1709 introspection_endpoint_auth_methods_supported = nil;
1710 introspection_endpoint_auth_signing_alg_values_supported = nil;
1704 code_challenge_methods_supported = array(it.keys(verifier_transforms)); 1711 code_challenge_methods_supported = array(it.keys(verifier_transforms));
1705 grant_types_supported = array(it.keys(grant_type_handlers)); 1712
1706 response_modes_supported = array(it.keys(response_type_handlers)):map(tmap { token = "fragment"; code = "query" }); 1713 -- RFC 8628: OAuth 2.0 Device Authorization Grant
1714 device_authorization_endpoint = handle_device_authorization_request and module:http_url() .. "/device";
1715
1716 -- RFC 9207: OAuth 2.0 Authorization Server Issuer Identification
1707 authorization_response_iss_parameter_supported = true; 1717 authorization_response_iss_parameter_supported = true;
1708 service_documentation = module:get_option_string("oauth2_service_documentation", "https://modules.prosody.im/mod_http_oauth2.html"); 1718
1709 ui_locales_supported = allowed_locales[1] and allowed_locales; 1719 -- OpenID Connect Discovery 1.0
1710
1711 -- OpenID
1712 userinfo_endpoint = handle_userinfo_request and module:http_url() .. "/userinfo" or nil; 1720 userinfo_endpoint = handle_userinfo_request and module:http_url() .. "/userinfo" or nil;
1713 jwks_uri = nil; -- REQUIRED in OpenID Discovery but not in OAuth 2.0 Metadata
1714 id_token_signing_alg_values_supported = { "HS256" }; -- The algorithm RS256 MUST be included, but we use HS256 and client_secret as shared key. 1721 id_token_signing_alg_values_supported = { "HS256" }; -- The algorithm RS256 MUST be included, but we use HS256 and client_secret as shared key.
1715 } 1722 }
1716 return authorization_server_metadata; 1723 return authorization_server_metadata;
1717 end 1724 end
1718 1725