--- a/mod_http_oauth2/mod_http_oauth2.lua Wed May 17 18:49:22 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Wed May 17 19:40:27 2023 +0200
@@ -102,7 +102,7 @@
return array(scope_string:gmatch("%S+"));
end
-local openid_claims = set.new({ "openid", "profile"; "email"; "address"; "phone" });
+local openid_claims = set.new({ "openid"; "profile"; "email"; "address"; "phone" });
-- array -> array, array, array
local function split_scopes(scope_list)
@@ -111,7 +111,7 @@
for _, scope in ipairs(scope_list) do
if openid_claims:contains(scope) then
claims:push(scope);
- elseif all_roles[scope] then
+ elseif scope == "xmpp" or all_roles[scope] then
roles:push(scope);
else
unknown:push(scope);
@@ -121,7 +121,7 @@
end
local function can_assume_role(username, requested_role)
- return usermanager.user_can_assume_role(username, module.host, requested_role);
+ return requested_role == "xmpp" or usermanager.user_can_assume_role(username, module.host, requested_role);
end
-- function (string) : function(string) : boolean
@@ -223,6 +223,12 @@
refresh_token = refresh_token_info.token;
end
+ if role == "xmpp" then
+ -- Special scope meaning the users default role.
+ local user_default_role = usermanager.get_user_role(jid.node(token_jid), module.host);
+ role = user_default_role and user_default_role.name;
+ end
+
local access_token, access_token_info = tokens.create_token(token_jid, grant.id, role, default_access_ttl, "oauth2");
local expires_at = access_token_info.expires;
@@ -1080,7 +1086,8 @@
authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil;
token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil;
registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil;
- scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host))):append(array(openid_claims:items()));
+ scopes_supported = usermanager.get_all_roles
+ and array(it.keys(usermanager.get_all_roles(module.host))):push("xmpp"):append(array(openid_claims:items()));
response_types_supported = array(it.keys(response_type_handlers));
token_endpoint_auth_methods_supported = array({ "client_secret_post"; "client_secret_basic" });
op_policy_uri = module:get_option_string("oauth2_policy_url", nil);