mod_http_oauth2: Add support for the "openid" scope
This "openid" scope is there to signal access to the userinfo endpoint,
which is needed for OIDC support.
We don't actually check this later because the userinfo endpoint only
returns info embedded in the token itself, but in the future we may want
to check this more carefully.
--- a/mod_http_oauth2/mod_http_oauth2.lua Thu Mar 16 17:03:48 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Thu Mar 16 17:06:35 2023 +0100
@@ -88,6 +88,9 @@
if requested_scope_string then -- Specific role(s) requested
local requested_scopes = parse_scopes(requested_scope_string);
for _, scope in ipairs(requested_scopes) do
+ if scope == "openid" then
+ granted_scopes:push(scope);
+ end
if selected_role == nil and usermanager.user_can_assume_role(username, module.host, scope) then
selected_role = scope;
end
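Review bot: After the new `if scope == "openid"` block, the same scope string still falls through to `usermanager.user_can_assume_role(username, module.host, scope)`, so "openid" is evaluated as a role candidate as well as a protocol scope. If a host ever defines a role with that name, one request would both grant the scope and select it as the role. Chaining the checks keeps the two namespaces apart: drop the added `end` and make the next line `elseif selected_role == nil and usermanager.user_can_assume_role(username, module.host, scope) then`. A scope string that repeats "openid" is also pushed once per occurrence, so consider skipping the push when it is already in `granted_scopes`. The enclosing function starts and ends outside this hunk, so how `granted_scopes` is consumed later is not visible here.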
@@ -772,8 +775,8 @@
jwks_uri = nil; -- TODO?
userinfo_endpoint = handle_register_request and module:http_url() .. "/userinfo" or nil;
registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil;
- scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host)))
- or { "prosody:restricted"; "prosody:user"; "prosody:admin"; "prosody:operator" };
+ scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host))):push("openid")
+ or { "prosody:restricted"; "prosody:user"; "prosody:admin"; "prosody:operator"; "openid" };
response_types_supported = array(it.keys(response_type_handlers));
authorization_response_iss_parameter_supported = true;
};
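Review bot: "openid" is now advertised in `scopes_supported` unconditionally, while `userinfo_endpoint` two lines above is published only when `handle_register_request` is truthy. If that handler can be absent, the metadata would advertise the scope without the endpoint it is meant to signal, so it may be worth gating both on the same condition. The first branch also relies on `:push("openid")` returning the array itself rather than nil, which is not visible in this hunk. It would list "openid" twice if `usermanager.get_all_roles` ever returns a role with that name. A short comment above the field, such as `-- "openid" is a protocol scope (userinfo access), not a role`, would help readers who expect this list to contain only roles. The metadata table starts outside this hunk.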