-rw-r--r--plugins/mod_tokenauth.lua12
-rw-r--r--util/sasl/oauthbearer.lua36
2 files changed, 10 insertions, 38 deletions
diff --git a/plugins/mod_tokenauth.lua b/plugins/mod_tokenauth.lua
index 03f6b961..f1bd084a 100644
--- a/plugins/mod_tokenauth.lua
+++ b/plugins/mod_tokenauth.lua
@@ -125,19 +125,21 @@ function revoke_token(token)
end
function sasl_handler(auth_provider, purpose, extra)
- return function (_, username, token, realm)
+ return function (sasl, token, realm, _authzid)
local token_info, err = get_token_info(token);
if not token_info then
module:log("debug", "SASL handler failed to verify token: %s", err);
return nil, nil, extra;
end
- local token_user, token_host = jid.split(token_info.jid);
- if username ~= token_user or realm ~= token_host or (purpose and token_info.purpose ~= purpose) then
+ local token_user, token_host, resource = jid.split(token_info.jid);
+ if realm ~= token_host or (purpose and token_info.purpose ~= purpose) then
return nil, nil, extra;
end
- if auth_provider.is_enabled and not auth_provider.is_enabled(username) then
+ if auth_provider.is_enabled and not auth_provider.is_enabled(token_user) then
return true, false, token_info;
end
- return true, true, token_info;
+ sasl.resource = resource;
+ sasl.token_info = token_info;
+ return token_user, true, token_info;
end;
end
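Review bot: The authorization identity is now received but never checked: the new closure names it `_authzid`, and with the removed `username ~= token_user` comparison gone, a client that presents a valid token together with a different authzid is authenticated as the token's user with no mismatch logged or rejected. If the token's JID is meant to be authoritative, that should be stated in a comment on the closure; otherwise a mismatch should fail, e.g. `local authz_user, authz_host = jid.prepped_split(_authzid);` followed by `if authz_user and (authz_user ~= token_user or authz_host ~= token_host) then return nil, nil, extra; end` before the `is_enabled` check. The `purpose` and `realm` checks on line 26 still run before `sasl.resource`/`sasl.token_info` are set, which is the right order; only the unused authzid is the gap.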
diff --git a/util/sasl/oauthbearer.lua b/util/sasl/oauthbearer.lua
index 939c5385..490a205f 100644
--- a/util/sasl/oauthbearer.lua
+++ b/util/sasl/oauthbearer.lua
@@ -1,8 +1,4 @@
-local saslprep = require "util.encodings".stringprep.saslprep;
-local nodeprep = require "util.encodings".stringprep.nodeprep;
-local jid = require "util.jid";
local json = require "util.json";
-local log = require "util.logger".init("sasl");
local _ENV = nil;
@@ -32,37 +28,13 @@ local function oauthbearer(self, message)
return "failure", "malformed-request";
end
- local username = jid.prepped_split(gs2_authzid);
-
- if not username or username == "" then
- return "failure", "malformed-request", "Expected authorization identity in the username@hostname format";
- end
-
- -- SASLprep username
- username = saslprep(username);
-
- if not username or username == "" then
- log("debug", "Username violates SASLprep.");
- return "failure", "malformed-request", "Invalid username.";
- end
-
- local _nodeprep = self.profile.nodeprep;
- if _nodeprep ~= false then
- username = (_nodeprep or nodeprep)(username);
- if not username or username == "" then
- return "failure", "malformed-request", "Invalid username or password."
- end
- end
-
- self.username = username;
-
local token = auth_header:match("^Bearer (.+)$");
- local correct, state, token_info = self.profile.oauthbearer(self, username, token, self.realm);
+ local username, state, token_info = self.profile.oauthbearer(self, token, self.realm, gs2_authzid);
if state == false then
return "failure", "account-disabled";
- elseif state == nil or not correct then
+ elseif state == nil or not username then
-- For token-level errors, RFC 7628 demands use of a JSON-encoded
-- challenge response upon failure. We relay additional info from
-- the auth backend if available.
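Review bot: `token` can be nil when `auth_header` does not match `^Bearer (.+)$`, and the new call on line 79 then forwards nil to `self.profile.oauthbearer` instead of answering with a protocol-level error; unless every backend is known to tolerate a nil token, add `if not token then return "failure", "malformed-request", "Expected Bearer token"; end` before that call. The `gs2_authzid` argument is passed through on the same line but, as far as the other file in this commit shows, is not used by the receiving callback, so its meaning for profile implementers should be documented where the profile signature is described. The enclosing `oauthbearer` function starts and ends outside this hunk.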
@@ -72,9 +44,7 @@ local function oauthbearer(self, message)
["openid-configuration"] = token_info and token_info.oidc_discovery_url or nil;
});
end
-
- self.resource = token_info.resource;
- self.role = token_info.role;
+ self.username = username;
self.token_info = token_info;
return "success";