summaryrefslogtreecommitdiffstats
path: root/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'sca-cpp/trunk/modules/oauth/mod-oauth2.cpp')
-rw-r--r--sca-cpp/trunk/modules/oauth/mod-oauth2.cpp123
1 files changed, 70 insertions, 53 deletions
diff --git a/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp b/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp
index ace611d3dc..dbede7ed8b 100644
--- a/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp
+++ b/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp
@@ -83,7 +83,7 @@ public:
* Return the user info for a session.
*/
const failable<value> userInfo(const value& sid, const memcache::MemCached& mc) {
- return memcache::get(mklist<value>("tuscanyOpenAuth", sid), mc);
+ return memcache::get(mklist<value>("tuscanyOAuth2", sid), mc);
}
/**
@@ -126,25 +126,35 @@ const failable<int> authenticated(const list<list<value> >& attrs, const list<li
*/
const failable<int> authorize(const list<list<value> >& args, request_rec* r, const list<list<value> >& appkeys) {
// Extract authorize, access_token, client ID and info URIs
- const list<value> auth = assoc<value>("mod_oauth2_authorize", args);
+ const list<value> ref = assoc<value>("openauth_referrer", args);
+ if (isNil(ref) || isNil(cdr(ref)))
+ return mkfailure<int>("Missing openauth_referrer parameter");
+ const list<value> auth = assoc<value>("oauth2_authorize", args);
if (isNil(auth) || isNil(cdr(auth)))
- return mkfailure<int>("Missing mod_oauth2_authorize parameter");
- const list<value> tok = assoc<value>("mod_oauth2_access_token", args);
+ return mkfailure<int>("Missing oauth2_authorize parameter");
+ const list<value> tok = assoc<value>("oauth2_access_token", args);
if (isNil(tok) || isNil(cdr(tok)))
- return mkfailure<int>("Missing mod_oauth2_access_token parameter");
- const list<value> cid = assoc<value>("mod_oauth2_client_id", args);
+ return mkfailure<int>("Missing oauth2_access_token parameter");
+ const list<value> cid = assoc<value>("oauth2_client_id", args);
if (isNil(cid) || isNil(cdr(cid)))
- return mkfailure<int>("Missing mod_oauth2_client_id parameter");
- const list<value> info = assoc<value>("mod_oauth2_info", args);
+ return mkfailure<int>("Missing oauth2_client_id parameter");
+ const list<value> info = assoc<value>("oauth2_info", args);
if (isNil(info) || isNil(cdr(info)))
- return mkfailure<int>("Missing mod_oauth2_info parameter");
- const list<value> display = assoc<value>("mod_oauth2_display", args);
+ return mkfailure<int>("Missing oauth2_info parameter");
+ const list<value> scope = assoc<value>("oauth2_scope", args);
+ if (isNil(scope) || isNil(cdr(scope)))
+ return mkfailure<int>("Missing oauth2_scope parameter");
+ const list<value> display = assoc<value>("oauth2_display", args);
// Build the redirect URI
- const list<list<value> > rargs = mklist<list<value> >(mklist<value>("mod_oauth2_step", "access_token"), tok, cid, info);
- const string redir = httpd::url(r->uri, r) + string("?") + http::queryString(rargs);
+ const string redir = httpd::url("/oauth2/access_token/", r);
debug(redir, "modoauth2::authorize::redir");
+ // Build the state URI
+ const list<list<value> > stargs = mklist<list<value> >(tok, cid, info, ref);
+ const string state = http::queryString(stargs);
+ debug(state, "modoauth2::authorize::state");
+
// Lookup client app configuration
const list<value> app = assoc<value>(cadr(cid), appkeys);
if (isNil(app) || isNil(cdr(app)))
@@ -153,7 +163,7 @@ const failable<int> authorize(const list<list<value> >& args, request_rec* r, co
// Redirect to the authorize URI
const list<value> adisplay = (isNil(display) || isNil(cdr(display)))? list<value>() : mklist<value>("display", cadr(display));
- const list<list<value> > aargs = mklist<list<value> >(mklist<value>("client_id", car(appkey)), mklist<value>("scope", "email"), adisplay, mklist<value>("redirect_uri", httpd::escape(redir)));
+ const list<list<value> > aargs = mklist<list<value> >(mklist<value>("response_type", "code"), mklist<value>("client_id", car(appkey)), mklist<value>("scope", cadr(scope)), adisplay, mklist<value>("redirect_uri", httpd::escape(redir)), mklist<value>("state", httpd::escape(state)));
const string uri = httpd::unescape(cadr(auth)) + string("?") + http::queryString(aargs);
debug(uri, "modoauth2::authorize::uri");
return httpd::externalRedirect(uri, r);
@@ -172,16 +182,23 @@ const failable<list<value> > profileUserInfo(const value& cid, const list<value>
* Handle an access_token request.
*/
const failable<int> accessToken(const list<list<value> >& args, request_rec* r, const list<list<value> >& appkeys, const perthread_ptr<http::CURLSession>& cs, const memcache::MemCached& mc) {
- // Extract access_token URI, client ID and authorization code
- const list<value> tok = assoc<value>("mod_oauth2_access_token", args);
+ // Extract access_token URI, client ID and authorization code parameters
+ const list<value> state = assoc<value>("state", args);
+ if (isNil(state) || isNil(cdr(state)))
+ return mkfailure<int>("Missing state parameter");
+ const list<list<value> >& stargs = httpd::queryArgs(httpd::unescape(cadr(state)));
+ const list<value> ref = assoc<value>("openauth_referrer", stargs);
+ if (isNil(ref) || isNil(cdr(ref)))
+ return mkfailure<int>("Missing openauth_referrer parameter");
+ const list<value> tok = assoc<value>("oauth2_access_token", stargs);
if (isNil(tok) || isNil(cdr(tok)))
- return mkfailure<int>("Missing mod_oauth2_access_token parameter");
- const list<value> cid = assoc<value>("mod_oauth2_client_id", args);
+ return mkfailure<int>("Missing oauth2_access_token parameter");
+ const list<value> cid = assoc<value>("oauth2_client_id", stargs);
if (isNil(cid) || isNil(cdr(cid)))
- return mkfailure<int>("Missing mod_oauth2_client_id parameter");
- const list<value> info = assoc<value>("mod_oauth2_info", args);
+ return mkfailure<int>("Missing oauth2_client_id parameter");
+ const list<value> info = assoc<value>("oauth2_info", stargs);
if (isNil(info) || isNil(cdr(info)))
- return mkfailure<int>("Missing mod_oauth2_info parameter");
+ return mkfailure<int>("Missing oauth2_info parameter");
const list<value> code = assoc<value>("code", args);
if (isNil(code) || isNil(cdr(code)))
return mkfailure<int>("Missing code parameter");
@@ -193,19 +210,26 @@ const failable<int> accessToken(const list<list<value> >& args, request_rec* r,
list<value> appkey = cadr(app);
// Build the redirect URI
- const list<list<value> > rargs = mklist<list<value> >(mklist<value>("mod_oauth2_step", "access_token"), tok, cid, info);
- const string redir = httpd::url(r->uri, r) + string("?") + http::queryString(rargs);
+ const string redir = httpd::url("/oauth2/access_token/", r);
debug(redir, "modoauth2::access_token::redir");
// Request access token
- const list<list<value> > targs = mklist<list<value> >(mklist<value>("client_id", car(appkey)), mklist<value>("redirect_uri", httpd::escape(redir)), mklist<value>("client_secret", cadr(appkey)), code);
- const string turi = httpd::unescape(cadr(tok)) + string("?") + http::queryString(targs);
+ const list<list<value> > targs = mklist<list<value> >(mklist<value>("client_id", car(appkey)), mklist<value>("redirect_uri", httpd::escape(redir)), mklist<value>("client_secret", cadr(appkey)), code, mklist<value>("grant_type", "authorization_code"));
+ const string tqs = http::queryString(targs);
+ debug(tqs, "modoauth2::access_token::tokenqs");
+ const string turi = httpd::unescape(cadr(tok));
debug(turi, "modoauth2::access_token::tokenuri");
- const failable<value> tr = http::get(turi, *(cs));
- if (!hasContent(tr))
- return mkfailure<int>(reason(tr));
+ const value tval = mklist<value>(string("application/x-www-form-urlencoded;charset=UTF-8"), mklist<value>(tqs));
+ const failable<value> ftr = http::post(tval, turi, *(cs));
+ if (!hasContent(ftr))
+ return mkfailure<int>(reason(ftr));
+ const value tr = content(ftr);
debug(tr, "modoauth2::access_token::response");
- const list<value> tv = assoc<value>("access_token", httpd::queryArgs(join("", convertValues<string>(cadr<value>(content(tr))))));
+ if (!isList(tr) || isNil(tr))
+ return mkfailure<int>("Empty access token");
+ const list<value> tv = isString(car<value>(tr)) ?
+ assoc<value>("access_token", httpd::queryArgs(join("", convertValues<string>(cadr<value>(tr))))) :
+ assoc<value>("access_token", tr);
if (isNil(tv) || isNil(cdr(tv)))
return mkfailure<int>("Couldn't retrieve access_token");
debug(tv, "modoauth2::access_token::token");
@@ -227,14 +251,14 @@ const failable<int> accessToken(const list<list<value> >& args, request_rec* r,
// Store user info in memcached keyed by session ID
const value sid = string("OAuth2_") + mkrand();
- const failable<bool> prc = memcache::put(mklist<value>("tuscanyOpenAuth", sid), content(iv), mc);
+ const failable<bool> prc = memcache::put(mklist<value>("tuscanyOAuth2", sid), content(iv), mc);
if (!hasContent(prc))
return mkfailure<int>(reason(prc));
// Send session ID to the client in a cookie
- debug(c_str(openauth::cookie(sid, httpd::hostName(r))), "modoauth2::access_token::setcookie");
- apr_table_set(r->err_headers_out, "Set-Cookie", c_str(openauth::cookie(sid, httpd::hostName(r))));
- return httpd::externalRedirect(httpd::url(r->uri, r), r);
+ debug(c_str(openauth::cookie("TuscanyOAuth2", sid, httpd::hostName(r))), "modoauth2::access_token::setcookie");
+ apr_table_set(r->err_headers_out, "Set-Cookie", c_str(openauth::cookie("TuscanyOAuth2", sid, httpd::hostName(r))));
+ return httpd::externalRedirect(httpd::url(httpd::unescape(cadr(ref)), r), r);
}
/**
@@ -246,6 +270,7 @@ static int checkAuthn(request_rec *r) {
if (!dc.enabled)
return DECLINED;
const char* atype = ap_auth_type(r);
+ debug(atype, "modopenauth::checkAuthn::auth_type");
if (atype == NULL || strcasecmp(atype, "Open"))
return DECLINED;
@@ -253,11 +278,11 @@ static int checkAuthn(request_rec *r) {
gc_scoped_pool pool(r->pool);
// Get the server configuration
- httpdDebugRequest(r, "modoauth2::checkAuthn::input");
+ debug_httpdRequest(r, "modoauth2::checkAuthn::input");
const ServerConf& sc = httpd::serverConf<ServerConf>(r, &mod_tuscany_oauth2);
// Get session id from the request
- const maybe<string> sid = openauth::sessionID(r);
+ const maybe<string> sid = openauth::sessionID(r, "TuscanyOAuth2");
if (hasContent(sid)) {
// Decline if the session id was not created by this module
if (substr(content(sid), 0, 7) != "OAuth2_")
@@ -271,33 +296,25 @@ static int checkAuthn(request_rec *r) {
}
}
- // Get the request args
- const list<list<value> > args = httpd::queryArgs(r);
-
- // Decline if the request is for another authentication provider
- if (!isNil(assoc<value>("openid_identifier", args)))
- return DECLINED;
- if (!isNil(assoc<value>("mod_oauth1_step", args)))
- return DECLINED;
-
- // Determine the OAuth protocol flow step, conveniently passed
- // around in a request arg
- const list<value> sl = assoc<value>("mod_oauth2_step", args);
- const value step = !isNil(sl) && !isNil(cdr(sl))? cadr(sl) : "";
-
// Handle OAuth authorize request step
- if (step == "authorize") {
+ if (string(r->uri) == "/oauth2/authorize/") {
r->ap_auth_type = const_cast<char*>(atype);
- return httpd::reportStatus(authorize(args, r, sc.appkeys));
+ return httpd::reportStatus(authorize(httpd::queryArgs(r), r, sc.appkeys));
}
// Handle OAuth access_token request step
- if (step == "access_token") {
+ if (string(r->uri) == "/oauth2/access_token/") {
r->ap_auth_type = const_cast<char*>(atype);
- return httpd::reportStatus(accessToken(args, r, sc.appkeys, sc.cs, sc.mc));
+ return httpd::reportStatus(accessToken(httpd::queryArgs(r), r, sc.appkeys, sc.cs, sc.mc));
}
- // Redirect to the login page
+ // Redirect to the login page, unless we have a session id from another module
+ if (hasContent(openauth::sessionID(r, "TuscanyOpenIDAuth")) ||
+ hasContent(openauth::sessionID(r, "TuscanyOpenAuth")) ||
+ hasContent(openauth::sessionID(r, "TuscanyOAuth1")))
+ return DECLINED;
+ if ((substr(string(r->uri), 0, 8) == "/oauth1/") || !isNil(assoc<value>("openid_identifier", httpd::queryArgs(r))))
+ return DECLINED;
r->ap_auth_type = const_cast<char*>(atype);
return httpd::reportStatus(openauth::login(dc.login, r));
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-14 03:45:07 +0000