647 client_response_types = set.intersection(client_response_types, allowed_response_type_handlers); |
647 client_response_types = set.intersection(client_response_types, allowed_response_type_handlers); |
648 if not client_response_types:contains(params.response_type) then |
648 if not client_response_types:contains(params.response_type) then |
649 return oauth_error("invalid_client", "response_type not allowed"); |
649 return oauth_error("invalid_client", "response_type not allowed"); |
650 end |
650 end |
651 |
651 |
|
652 local requested_scopes = parse_scopes(params.scope or ""); |
|
653 if client.scope then |
|
654 local client_scopes = set.new(parse_scopes(client.scope)); |
|
655 requested_scopes:filter(function(scope) |
|
656 return client_scopes:contains(scope); |
|
657 end); |
|
658 end |
|
659 |
652 local auth_state = get_auth_state(request); |
660 local auth_state = get_auth_state(request); |
653 if not auth_state.user then |
661 if not auth_state.user then |
654 -- Render login page |
662 -- Render login page |
655 return render_page(templates.login, { state = auth_state, client = client }); |
663 return render_page(templates.login, { state = auth_state, client = client }); |
656 elseif auth_state.consent == nil then |
664 elseif auth_state.consent == nil then |
657 -- Render consent page |
665 -- Render consent page |
658 local scopes, roles = split_scopes(parse_scopes(params.scope or "")); |
666 local scopes, roles = split_scopes(requested_scopes); |
659 return render_page(templates.consent, { state = auth_state; client = client; scopes = scopes+roles }, true); |
667 return render_page(templates.consent, { state = auth_state; client = client; scopes = scopes+roles }, true); |
660 elseif not auth_state.consent then |
668 elseif not auth_state.consent then |
661 -- Notify client of rejection |
669 -- Notify client of rejection |
662 return error_response(request, oauth_error("access_denied")); |
670 return error_response(request, oauth_error("access_denied")); |
663 end |
671 end |
664 -- else auth_state.consent == true |
672 -- else auth_state.consent == true |
665 |
673 |
666 params.scope = auth_state.scope; |
674 local granted_scopes = auth_state.scopes |
|
675 if client.scope then |
|
676 local client_scopes = set.new(parse_scopes(client.scope)); |
|
677 granted_scopes:filter(function(scope) |
|
678 return client_scopes:contains(scope); |
|
679 end); |
|
680 end |
|
681 |
|
682 params.scope = granted_scopes:concat(" "); |
667 |
683 |
668 local user_jid = jid.join(auth_state.user.username, module.host); |
684 local user_jid = jid.join(auth_state.user.username, module.host); |
669 local client_secret = make_client_secret(params.client_id); |
685 local client_secret = make_client_secret(params.client_id); |
670 local id_token_signer = jwt.new_signer("HS256", client_secret); |
686 local id_token_signer = jwt.new_signer("HS256", client_secret); |
671 local id_token = id_token_signer({ |
687 local id_token = id_token_signer({ |