lib-oauth2: Validate scope when configured
authorAki Tuomi <aki.tuomi@open-xchange.com>
Mon, 8 May 2023 05:38:20 +0000 (08:38 +0300)
committeraki.tuomi <aki.tuomi@open-xchange.com>
Tue, 29 Aug 2023 07:08:45 +0000 (07:08 +0000)
src/lib-oauth2/oauth2-jwt.c
src/lib-oauth2/test-oauth2-jwt.c

index d4006f974b10ac1b5ebeee4fe729c096d073f317..bc7779fe1d1b127296237c1d15fcbbb34250aaa2 100644 (file)
@@ -337,6 +337,17 @@ oauth2_jwt_header_process(struct json_tree *tree, const char **alg_r,
        return 0;
 }
 
+static bool check_scope(const char *req, const char *got)
+{
+       const char *const *scope_req = t_strsplit_spaces(req, " ,");
+       const char *const *scope_got = t_strsplit_spaces(got, " ,");
+
+       for (; *scope_req != NULL; scope_req++)
+               if (!str_array_icase_find(scope_got, *scope_req))
+                       return FALSE;
+       return TRUE;
+}
+
 static int
 oauth2_jwt_body_process(const struct oauth2_settings *set, const char *alg,
                        const char *kid, ARRAY_TYPE(oauth2_field) *fields,
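Review bot: check_scope compares scope tokens case-insensitively via `str_array_icase_find`, but RFC 6749 §3.3 defines scope values as case-sensitive strings, so a token carrying `Mail` would satisfy a configured `mail` even though the authorization server may treat them as distinct scopes; a case-sensitive lookup, `if (!str_array_find(scope_got, *scope_req))`, keeps the check as strict as the server's own semantics. The function also has no header comment; a short one would help, e.g. `/* Returns TRUE if every configured scope in req (space or comma separated) is present in the token's got scope list. */`. Splitting on both `" ,"` is a deliberate leniency toward comma-separated issuers and is fine, but is worth stating in that comment so nobody later "fixes" it to spaces only.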
@@ -422,6 +433,22 @@ oauth2_jwt_body_process(const struct oauth2_settings *set, const char *alg,
                }
        }
 
+       const char *got_scope = get_field(tree, "scope");
+       const char *req_scope = set->scope;
+
+       if (req_scope != NULL && *req_scope != '\0') {
+               if (got_scope == NULL) {
+                       *error_r = "scope set but not found in token";
+                       return -1;
+               }
+
+               if (!check_scope(req_scope, got_scope)) {
+                       *error_r = t_strdup_printf("configured scope '%s' missing from token scope '%s'",
+                                                  req_scope, got_scope);
+                       return -1;
+               }
+       }
+
        /* see if there is azp */
        const char *azp = get_field(tree, "azp");
        if (azp == NULL)
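Review bot: The new scope block sits between two commented sections but carries no comment of its own, unlike the neighbouring `/* see if there is azp */`; a one-liner above `const char *got_scope = get_field(tree, "scope");` such as `/* if a scope is configured, every configured scope must appear in the token's scope claim */` would match the file's style and state the policy. The second error message echoes the token-supplied scope claim verbatim into `*error_r`; if that string reaches logs, its length and contents are attacker-chosen, so consider whether the caller truncates or otherwise sanitises it (the logging path is not visible here). oauth2_jwt_body_process starts and ends outside this hunk, so whether this check runs only after signature verification cannot be confirmed from the diff; it should, since an unverified scope claim proves nothing.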
index dcf5e5e58b9ad98f2cedc44220cafe0c72b48d57..021c91f5525a7e6aa6b553716ab8f4e558975f1a 100644 (file)
@@ -83,7 +83,6 @@ static int parse_jwt_token(struct oauth2_request *req, const char *token,
        struct oauth2_settings set;
 
        i_zero(&set);
-       set.scope = "mail";
        set.key_dict = keys_dict;
        set.key_cache = key_cache;
        i_zero(req);