1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
|
local saslprep = require "util.encodings".stringprep.saslprep;
local nodeprep = require "util.encodings".stringprep.nodeprep;
local jid = require "util.jid";
local json = require "util.json";
local log = require "util.logger".init("sasl");
local _ENV = nil;
local function oauthbearer(self, message)
if not message then
return "failure", "malformed-request";
end
if message == "\001" then
return "failure", "not-authorized";
end
local gs2_authzid, kvpairs = message:match("n,a=([^,]+),(.+)$");
if not gs2_authzid then
return "failure", "malformed-request";
end
local auth_header;
for k, v in kvpairs:gmatch("([a-zA-Z]+)=([\033-\126 \009\r\n]*)\001") do
if k == "auth" then
auth_header = v;
break;
end
end
if not auth_header then
return "failure", "malformed-request";
end
local username = jid.prepped_split(gs2_authzid);
if not username or username == "" then
return "failure", "malformed-request", "Expected authorization identity in the username@hostname format";
end
-- SASLprep username
username = saslprep(username);
if not username or username == "" then
log("debug", "Username violates SASLprep.");
return "failure", "malformed-request", "Invalid username.";
end
local _nodeprep = self.profile.nodeprep;
if _nodeprep ~= false then
username = (_nodeprep or nodeprep)(username);
if not username or username == "" then
return "failure", "malformed-request", "Invalid username or password."
end
end
self.username = username;
local token = auth_header:match("^Bearer (.+)$");
local correct, state, token_info = self.profile.oauthbearer(self, username, token, self.realm);
if state == false then
return "failure", "account-disabled";
elseif state == nil or not correct then
-- For token-level errors, RFC 7628 demands use of a JSON-encoded
-- challenge response upon failure. We relay additional info from
-- the auth backend if available.
return "challenge", json.encode({
status = token_info and token_info.status or "invalid_token";
scope = token_info and token_info.scope or nil;
["openid-configuration"] = token_info and token_info.oidc_discovery_url or nil;
});
end
self.resource = token_info.resource;
self.role = token_info.role;
self.token_info token_info;
return "success";
end
local function init(registerMechanism)
registerMechanism("OAUTHBEARER", {"oauthbearer"}, oauthbearer);
end
return {
init = init;
}
|
