prosody: util/sasl/oauthbearer.lua@c2a476f4712a (annotated)

12979 d10957394a3c util: Prefix module imports with prosody namespace Kim Alvefur <zash@zash.se> parents: 12955 diff changeset	1	local json = require "prosody.util.json";
12915 ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	2	local _ENV = nil;
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	3
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	4
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	5	local function oauthbearer(self, message)
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	6	if not message then
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	7	return "failure", "malformed-request";
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	8	end
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	9
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	10	if message == "\001" then
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	11	return "failure", "not-authorized";
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	12	end
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	13
13116 b6aaab0846fe util.sasl.oauthbearer: Tighter parsing of SASL message Kim Alvefur <zash@zash.se> parents: 12979 diff changeset	14	-- gs2-header kvsep *kvpair kvsep
b6aaab0846fe util.sasl.oauthbearer: Tighter parsing of SASL message Kim Alvefur <zash@zash.se> parents: 12979 diff changeset	15	local gs2_header, kvpairs = message:match("^(n,[^,]*,)\001(.+)\001$");
12944 2aebd9bf02fc util.sasl.oauthbearer: Adjust parsing of GS2 to allow lack of authzid Kim Alvefur <zash@zash.se> parents: 12942 diff changeset	16	if not gs2_header then
12915 ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	17	return "failure", "malformed-request";
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	18	end
12944 2aebd9bf02fc util.sasl.oauthbearer: Adjust parsing of GS2 to allow lack of authzid Kim Alvefur <zash@zash.se> parents: 12942 diff changeset	19	local gs2_authzid = gs2_header:match("^[^,],a=([^,]),$");
12915 ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	20
13116 b6aaab0846fe util.sasl.oauthbearer: Tighter parsing of SASL message Kim Alvefur <zash@zash.se> parents: 12979 diff changeset	21	-- key "=" value kvsep
12915 ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	22	local auth_header;
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	23	for k, v in kvpairs:gmatch("([a-zA-Z]+)=([\033-\126 \009\r\n]*)\001") do
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	24	if k == "auth" then
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	25	auth_header = v;
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	26	break;
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	27	end
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	28	end
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	29
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	30	if not auth_header then
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	31	return "failure", "malformed-request";
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	32	end
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	33
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	34	local token = auth_header:match("^Bearer (.+)$");
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	35
12942 055b03d3059b util.sasl.oauthbearer: Return username from callback instead using authzid (BC) Kim Alvefur <zash@zash.se> parents: 12941 diff changeset	36	local username, state, token_info = self.profile.oauthbearer(self, token, self.realm, gs2_authzid);
12915 ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	37
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	38	if state == false then
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	39	return "failure", "account-disabled";
12942 055b03d3059b util.sasl.oauthbearer: Return username from callback instead using authzid (BC) Kim Alvefur <zash@zash.se> parents: 12941 diff changeset	40	elseif state == nil or not username then
12915 ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	41	-- For token-level errors, RFC 7628 demands use of a JSON-encoded
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	42	-- challenge response upon failure. We relay additional info from
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	43	-- the auth backend if available.
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	44	return "challenge", json.encode({
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	45	status = token_info and token_info.status or "invalid_token";
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	46	scope = token_info and token_info.scope or nil;
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	47	["openid-configuration"] = token_info and token_info.oidc_discovery_url or nil;
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	48	});
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	49	end
12942 055b03d3059b util.sasl.oauthbearer: Return username from callback instead using authzid (BC) Kim Alvefur <zash@zash.se> parents: 12941 diff changeset	50	self.username = username;
12941 23b20ede9c34 util.sasl.oauthbearer: Fix syntax error in b796e08e6376 Matthew Wild <mwild1@gmail.com> parents: 12940 diff changeset	51	self.token_info = token_info;
12940 b796e08e6376 util.sasl.oauthbearer: Attach token_info to sasl handler Matthew Wild <mwild1@gmail.com> parents: 12922 diff changeset	52
12915 ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	53	return "success";
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	54	end
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	55
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	56	local function init(registerMechanism)
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	57	registerMechanism("OAUTHBEARER", {"oauthbearer"}, oauthbearer);
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	58	end
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	59
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	60	return {
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	61	init = init;
ab1164eda011 util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) Matthew Wild <mwild1@gmail.com> parents: diff changeset	62	}

author	Kim Alvefur <zash@zash.se>
	Wed, 27 Mar 2024 19:33:11 +0100
changeset 13471	c2a476f4712a
parent 13116	b6aaab0846fe
permissions	-rw-r--r--