diff options
Diffstat (limited to 'sca-cpp/trunk/modules/oauth/mod-oauth2.cpp')
-rw-r--r-- | sca-cpp/trunk/modules/oauth/mod-oauth2.cpp | 123 |
1 files changed, 70 insertions, 53 deletions
diff --git a/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp b/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp index ace611d3dc..dbede7ed8b 100644 --- a/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp +++ b/sca-cpp/trunk/modules/oauth/mod-oauth2.cpp @@ -83,7 +83,7 @@ public: * Return the user info for a session. */ const failable<value> userInfo(const value& sid, const memcache::MemCached& mc) { - return memcache::get(mklist<value>("tuscanyOpenAuth", sid), mc); + return memcache::get(mklist<value>("tuscanyOAuth2", sid), mc); } /** @@ -126,25 +126,35 @@ const failable<int> authenticated(const list<list<value> >& attrs, const list<li */ const failable<int> authorize(const list<list<value> >& args, request_rec* r, const list<list<value> >& appkeys) { // Extract authorize, access_token, client ID and info URIs - const list<value> auth = assoc<value>("mod_oauth2_authorize", args); + const list<value> ref = assoc<value>("openauth_referrer", args); + if (isNil(ref) || isNil(cdr(ref))) + return mkfailure<int>("Missing openauth_referrer parameter"); + const list<value> auth = assoc<value>("oauth2_authorize", args); if (isNil(auth) || isNil(cdr(auth))) - return mkfailure<int>("Missing mod_oauth2_authorize parameter"); - const list<value> tok = assoc<value>("mod_oauth2_access_token", args); + return mkfailure<int>("Missing oauth2_authorize parameter"); + const list<value> tok = assoc<value>("oauth2_access_token", args); if (isNil(tok) || isNil(cdr(tok))) - return mkfailure<int>("Missing mod_oauth2_access_token parameter"); - const list<value> cid = assoc<value>("mod_oauth2_client_id", args); + return mkfailure<int>("Missing oauth2_access_token parameter"); + const list<value> cid = assoc<value>("oauth2_client_id", args); if (isNil(cid) || isNil(cdr(cid))) - return mkfailure<int>("Missing mod_oauth2_client_id parameter"); - const list<value> info = assoc<value>("mod_oauth2_info", args); + return mkfailure<int>("Missing oauth2_client_id parameter"); + const list<value> info = assoc<value>("oauth2_info", args); if (isNil(info) || isNil(cdr(info))) - return mkfailure<int>("Missing mod_oauth2_info parameter"); - const list<value> display = assoc<value>("mod_oauth2_display", args); + return mkfailure<int>("Missing oauth2_info parameter"); + const list<value> scope = assoc<value>("oauth2_scope", args); + if (isNil(scope) || isNil(cdr(scope))) + return mkfailure<int>("Missing oauth2_scope parameter"); + const list<value> display = assoc<value>("oauth2_display", args); // Build the redirect URI - const list<list<value> > rargs = mklist<list<value> >(mklist<value>("mod_oauth2_step", "access_token"), tok, cid, info); - const string redir = httpd::url(r->uri, r) + string("?") + http::queryString(rargs); + const string redir = httpd::url("/oauth2/access_token/", r); debug(redir, "modoauth2::authorize::redir"); + // Build the state URI + const list<list<value> > stargs = mklist<list<value> >(tok, cid, info, ref); + const string state = http::queryString(stargs); + debug(state, "modoauth2::authorize::state"); + // Lookup client app configuration const list<value> app = assoc<value>(cadr(cid), appkeys); if (isNil(app) || isNil(cdr(app))) @@ -153,7 +163,7 @@ const failable<int> authorize(const list<list<value> >& args, request_rec* r, co // Redirect to the authorize URI const list<value> adisplay = (isNil(display) || isNil(cdr(display)))? list<value>() : mklist<value>("display", cadr(display)); - const list<list<value> > aargs = mklist<list<value> >(mklist<value>("client_id", car(appkey)), mklist<value>("scope", "email"), adisplay, mklist<value>("redirect_uri", httpd::escape(redir))); + const list<list<value> > aargs = mklist<list<value> >(mklist<value>("response_type", "code"), mklist<value>("client_id", car(appkey)), mklist<value>("scope", cadr(scope)), adisplay, mklist<value>("redirect_uri", httpd::escape(redir)), mklist<value>("state", httpd::escape(state))); const string uri = httpd::unescape(cadr(auth)) + string("?") + http::queryString(aargs); debug(uri, "modoauth2::authorize::uri"); return httpd::externalRedirect(uri, r); @@ -172,16 +182,23 @@ const failable<list<value> > profileUserInfo(const value& cid, const list<value> * Handle an access_token request. */ const failable<int> accessToken(const list<list<value> >& args, request_rec* r, const list<list<value> >& appkeys, const perthread_ptr<http::CURLSession>& cs, const memcache::MemCached& mc) { - // Extract access_token URI, client ID and authorization code - const list<value> tok = assoc<value>("mod_oauth2_access_token", args); + // Extract access_token URI, client ID and authorization code parameters + const list<value> state = assoc<value>("state", args); + if (isNil(state) || isNil(cdr(state))) + return mkfailure<int>("Missing state parameter"); + const list<list<value> >& stargs = httpd::queryArgs(httpd::unescape(cadr(state))); + const list<value> ref = assoc<value>("openauth_referrer", stargs); + if (isNil(ref) || isNil(cdr(ref))) + return mkfailure<int>("Missing openauth_referrer parameter"); + const list<value> tok = assoc<value>("oauth2_access_token", stargs); if (isNil(tok) || isNil(cdr(tok))) - return mkfailure<int>("Missing mod_oauth2_access_token parameter"); - const list<value> cid = assoc<value>("mod_oauth2_client_id", args); + return mkfailure<int>("Missing oauth2_access_token parameter"); + const list<value> cid = assoc<value>("oauth2_client_id", stargs); if (isNil(cid) || isNil(cdr(cid))) - return mkfailure<int>("Missing mod_oauth2_client_id parameter"); - const list<value> info = assoc<value>("mod_oauth2_info", args); + return mkfailure<int>("Missing oauth2_client_id parameter"); + const list<value> info = assoc<value>("oauth2_info", stargs); if (isNil(info) || isNil(cdr(info))) - return mkfailure<int>("Missing mod_oauth2_info parameter"); + return mkfailure<int>("Missing oauth2_info parameter"); const list<value> code = assoc<value>("code", args); if (isNil(code) || isNil(cdr(code))) return mkfailure<int>("Missing code parameter"); @@ -193,19 +210,26 @@ const failable<int> accessToken(const list<list<value> >& args, request_rec* r, list<value> appkey = cadr(app); // Build the redirect URI - const list<list<value> > rargs = mklist<list<value> >(mklist<value>("mod_oauth2_step", "access_token"), tok, cid, info); - const string redir = httpd::url(r->uri, r) + string("?") + http::queryString(rargs); + const string redir = httpd::url("/oauth2/access_token/", r); debug(redir, "modoauth2::access_token::redir"); // Request access token - const list<list<value> > targs = mklist<list<value> >(mklist<value>("client_id", car(appkey)), mklist<value>("redirect_uri", httpd::escape(redir)), mklist<value>("client_secret", cadr(appkey)), code); - const string turi = httpd::unescape(cadr(tok)) + string("?") + http::queryString(targs); + const list<list<value> > targs = mklist<list<value> >(mklist<value>("client_id", car(appkey)), mklist<value>("redirect_uri", httpd::escape(redir)), mklist<value>("client_secret", cadr(appkey)), code, mklist<value>("grant_type", "authorization_code")); + const string tqs = http::queryString(targs); + debug(tqs, "modoauth2::access_token::tokenqs"); + const string turi = httpd::unescape(cadr(tok)); debug(turi, "modoauth2::access_token::tokenuri"); - const failable<value> tr = http::get(turi, *(cs)); - if (!hasContent(tr)) - return mkfailure<int>(reason(tr)); + const value tval = mklist<value>(string("application/x-www-form-urlencoded;charset=UTF-8"), mklist<value>(tqs)); + const failable<value> ftr = http::post(tval, turi, *(cs)); + if (!hasContent(ftr)) + return mkfailure<int>(reason(ftr)); + const value tr = content(ftr); debug(tr, "modoauth2::access_token::response"); - const list<value> tv = assoc<value>("access_token", httpd::queryArgs(join("", convertValues<string>(cadr<value>(content(tr)))))); + if (!isList(tr) || isNil(tr)) + return mkfailure<int>("Empty access token"); + const list<value> tv = isString(car<value>(tr)) ? + assoc<value>("access_token", httpd::queryArgs(join("", convertValues<string>(cadr<value>(tr))))) : + assoc<value>("access_token", tr); if (isNil(tv) || isNil(cdr(tv))) return mkfailure<int>("Couldn't retrieve access_token"); debug(tv, "modoauth2::access_token::token"); @@ -227,14 +251,14 @@ const failable<int> accessToken(const list<list<value> >& args, request_rec* r, // Store user info in memcached keyed by session ID const value sid = string("OAuth2_") + mkrand(); - const failable<bool> prc = memcache::put(mklist<value>("tuscanyOpenAuth", sid), content(iv), mc); + const failable<bool> prc = memcache::put(mklist<value>("tuscanyOAuth2", sid), content(iv), mc); if (!hasContent(prc)) return mkfailure<int>(reason(prc)); // Send session ID to the client in a cookie - debug(c_str(openauth::cookie(sid, httpd::hostName(r))), "modoauth2::access_token::setcookie"); - apr_table_set(r->err_headers_out, "Set-Cookie", c_str(openauth::cookie(sid, httpd::hostName(r)))); - return httpd::externalRedirect(httpd::url(r->uri, r), r); + debug(c_str(openauth::cookie("TuscanyOAuth2", sid, httpd::hostName(r))), "modoauth2::access_token::setcookie"); + apr_table_set(r->err_headers_out, "Set-Cookie", c_str(openauth::cookie("TuscanyOAuth2", sid, httpd::hostName(r)))); + return httpd::externalRedirect(httpd::url(httpd::unescape(cadr(ref)), r), r); } /** @@ -246,6 +270,7 @@ static int checkAuthn(request_rec *r) { if (!dc.enabled) return DECLINED; const char* atype = ap_auth_type(r); + debug(atype, "modopenauth::checkAuthn::auth_type"); if (atype == NULL || strcasecmp(atype, "Open")) return DECLINED; @@ -253,11 +278,11 @@ static int checkAuthn(request_rec *r) { gc_scoped_pool pool(r->pool); // Get the server configuration - httpdDebugRequest(r, "modoauth2::checkAuthn::input"); + debug_httpdRequest(r, "modoauth2::checkAuthn::input"); const ServerConf& sc = httpd::serverConf<ServerConf>(r, &mod_tuscany_oauth2); // Get session id from the request - const maybe<string> sid = openauth::sessionID(r); + const maybe<string> sid = openauth::sessionID(r, "TuscanyOAuth2"); if (hasContent(sid)) { // Decline if the session id was not created by this module if (substr(content(sid), 0, 7) != "OAuth2_") @@ -271,33 +296,25 @@ static int checkAuthn(request_rec *r) { } } - // Get the request args - const list<list<value> > args = httpd::queryArgs(r); - - // Decline if the request is for another authentication provider - if (!isNil(assoc<value>("openid_identifier", args))) - return DECLINED; - if (!isNil(assoc<value>("mod_oauth1_step", args))) - return DECLINED; - - // Determine the OAuth protocol flow step, conveniently passed - // around in a request arg - const list<value> sl = assoc<value>("mod_oauth2_step", args); - const value step = !isNil(sl) && !isNil(cdr(sl))? cadr(sl) : ""; - // Handle OAuth authorize request step - if (step == "authorize") { + if (string(r->uri) == "/oauth2/authorize/") { r->ap_auth_type = const_cast<char*>(atype); - return httpd::reportStatus(authorize(args, r, sc.appkeys)); + return httpd::reportStatus(authorize(httpd::queryArgs(r), r, sc.appkeys)); } // Handle OAuth access_token request step - if (step == "access_token") { + if (string(r->uri) == "/oauth2/access_token/") { r->ap_auth_type = const_cast<char*>(atype); - return httpd::reportStatus(accessToken(args, r, sc.appkeys, sc.cs, sc.mc)); + return httpd::reportStatus(accessToken(httpd::queryArgs(r), r, sc.appkeys, sc.cs, sc.mc)); } - // Redirect to the login page + // Redirect to the login page, unless we have a session id from another module + if (hasContent(openauth::sessionID(r, "TuscanyOpenIDAuth")) || + hasContent(openauth::sessionID(r, "TuscanyOpenAuth")) || + hasContent(openauth::sessionID(r, "TuscanyOAuth1"))) + return DECLINED; + if ((substr(string(r->uri), 0, 8) == "/oauth1/") || !isNil(assoc<value>("openid_identifier", httpd::queryArgs(r)))) + return DECLINED; r->ap_auth_type = const_cast<char*>(atype); return httpd::reportStatus(openauth::login(dc.login, r)); } |