79 |
79 |
80 local function parse_scopes(scope_string) |
80 local function parse_scopes(scope_string) |
81 return array(scope_string:gmatch("%S+")); |
81 return array(scope_string:gmatch("%S+")); |
82 end |
82 end |
83 |
83 |
84 local openid_claims = set.new({ "profile"; "email"; "address"; "phone" }); |
84 local openid_claims = set.new({ "openid", "profile"; "email"; "address"; "phone" }); |
85 |
85 |
86 local function filter_scopes(username, requested_scope_string) |
86 local function filter_scopes(username, requested_scope_string) |
87 local selected_role, granted_scopes = nil, array(); |
87 local selected_role, granted_scopes = nil, array(); |
88 |
88 |
89 if requested_scope_string then -- Specific role(s) requested |
89 if requested_scope_string then -- Specific role(s) requested |
90 local requested_scopes = parse_scopes(requested_scope_string); |
90 local requested_scopes = parse_scopes(requested_scope_string); |
91 for _, scope in ipairs(requested_scopes) do |
91 for _, scope in ipairs(requested_scopes) do |
92 if scope == "openid" or openid_claims:contains(scope) then |
92 if openid_claims:contains(scope) then |
93 granted_scopes:push(scope); |
93 granted_scopes:push(scope); |
94 end |
94 end |
95 if selected_role == nil and usermanager.user_can_assume_role(username, module.host, scope) then |
95 if selected_role == nil and usermanager.user_can_assume_role(username, module.host, scope) then |
96 selected_role = scope; |
96 selected_role = scope; |
97 end |
97 end |
806 iss = get_issuer(); |
806 iss = get_issuer(); |
807 sub = url.build({ scheme = "xmpp"; path = token_info.jid }); |
807 sub = url.build({ scheme = "xmpp"; path = token_info.jid }); |
808 } |
808 } |
809 |
809 |
810 local token_claims = set.intersection(openid_claims, scopes); |
810 local token_claims = set.intersection(openid_claims, scopes); |
|
811 token_claims:remove("openid"); -- that's "iss" and "sub" above |
811 if not token_claims:empty() then |
812 if not token_claims:empty() then |
812 -- Another module can do that |
813 -- Another module can do that |
813 module:fire_event("token/userinfo", { |
814 module:fire_event("token/userinfo", { |
814 token = token_info; |
815 token = token_info; |
815 claims = token_claims; |
816 claims = token_claims; |