}
static void
-oauth2_fail(struct oauth2_auth_request *oauth2_req, int code,
- const char *status)
+oauth2_fail(struct oauth2_auth_request *oauth2_req, const char *status)
{
struct auth_request *request = &oauth2_req->auth;
const char *oidc_url = (oauth2_req->db == NULL ? "" :
json_ostream_ndescend_object(joutput, NULL);
if (strcmp(request->mech->mech_name, "XOAUTH2") == 0) {
- status = dec2str(code);
+ if (strcmp(status, "invalid_token") == 0)
+ json_ostream_nwrite_string(joutput, "status", "401");
+ else if (strcmp(status, "insufficient_scope") == 0)
+ json_ostream_nwrite_string(joutput, "status", "403");
+ else
+ json_ostream_nwrite_string(joutput, "status", "400");
json_ostream_nwrite_string(joutput, "schemes", "bearer");
+ } else {
+ i_assert(strcmp(request->mech->mech_name, "OAUTHBEARER") == 0);
+ json_ostream_nwrite_string(joutput, "status", status);
}
-
- json_ostream_nwrite_string(joutput, "status", status);
json_ostream_nwrite_string(joutput, "scope", "mail");
json_ostream_nwrite_string(joutput, "openid-configuration", oidc_url);
json_ostream_nascend_object(joutput);
auth_request_fail_with_reply(request, str_data(reply), str_len(reply));
}
+static void oauth2_fail_invalid_request(struct oauth2_auth_request *oauth2_req)
+{
+ oauth2_fail(oauth2_req, "invalid_request");
+}
+
+static void oauth2_fail_invalid_token(struct oauth2_auth_request *oauth2_req)
+{
+ oauth2_fail(oauth2_req, "invalid_token");
+}
+
static void
oauth2_verify_callback(enum passdb_result result,
const unsigned char *credentials ATTR_UNUSED,
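Review bot: oauth2_fail's new single-argument contract is undocumented: `status` is emitted verbatim into the OAUTHBEARER reply at L21 and folded to an HTTP status at L12–L17, where any value other than `invalid_token` or `insufficient_scope` silently becomes "400". A header comment would pin that down, e.g. `/* status must be an RFC 6750 error code ("invalid_request", "invalid_token" or "insufficient_scope"): XOAUTH2 replies carry only the matching HTTP status, OAUTHBEARER replies carry the code itself. */`. Since `insufficient_scope` is still passed as a bare literal at the PASSDB_RESULT_USER_DISABLED call at L48, a matching `oauth2_fail_insufficient_scope()` helper beside the two wrappers added at L30–L38 would make every caller go through a named wrapper. oauth2_fail's signature and the start of its body are in the preceding hunk.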
case PASSDB_RESULT_USER_DISABLED:
case PASSDB_RESULT_PASS_EXPIRED:
/* user is explicitly disabled, don't allow it to log in */
- oauth2_fail(oauth2_req, 403, "insufficient_scope");
- return;
+ oauth2_fail(oauth2_req, "insufficient_scope");
+ break;
case PASSDB_RESULT_PASSWORD_MISMATCH:
- oauth2_fail(oauth2_req, 401, "invalid_token");
+ oauth2_fail(oauth2_req, "invalid_token");
break;
case PASSDB_RESULT_NEXT:
case PASSDB_RESULT_SCHEME_NOT_AVAILABLE:
return;
}
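Review bot: Replacing `return;` with `break;` at L49 makes the PASSDB_RESULT_USER_DISABLED/PASS_EXPIRED cases fall out of the switch after oauth2_fail() has already sent the failure reply, the same way PASSDB_RESULT_PASSWORD_MISMATCH at L53 does. Whatever follows the switch is outside the hunk, so I cannot tell whether anything other than the function's closing brace runs there; if it does, it now executes on a request that has already been failed. If the switch is the last statement of oauth2_verify_callback the change is purely cosmetic and only worth a word in the commit message. The function's body continues outside the hunk.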
if (data_size == 0) {
- oauth2_fail(oauth2_req, 401, "invalid_token");
+ oauth2_fail_invalid_request(oauth2_req);
return;
}
/* ensure initial field is OK */
if (*fields == NULL || *(fields[0]) == '\0') {
e_info(request->mech_event, "Invalid continued data");
- oauth2_fail(oauth2_req, 401, "invalid_token");
+ oauth2_fail_invalid_request(oauth2_req);
return;
}
case 'f':
e_info(request->mech_event,
"Client requested non-standard mechanism");
- oauth2_fail(oauth2_req, 400, "request_not_supported");
+ oauth2_fail_invalid_request(oauth2_req);
return;
case 'p':
/* channel binding is not supported */
e_info(request->mech_event,
"Client requested and used channel-binding");
- oauth2_fail(oauth2_req, 400, "request_not_supported");
+ oauth2_fail_invalid_request(oauth2_req);
return;
case 'n':
case 'y':
!oauth2_unescape_username((*ptr)+2, &username)) {
e_info(request->mech_event,
"Invalid username escaping");
- oauth2_fail(oauth2_req, 400, "invalid_request");
+ oauth2_fail_invalid_request(oauth2_req);
return;
} else {
user_given = TRUE;
default:
e_info(request->mech_event,
"Invalid gs2-header in request");
- oauth2_fail(oauth2_req, 400, "invalid_request");
+ oauth2_fail_invalid_request(oauth2_req);
return;
}
}
} else {
e_info(request->mech_event,
"Invalid continued data");
- oauth2_fail(oauth2_req, 401, "invalid_token");
+ oauth2_fail_invalid_token(oauth2_req);
return;
}
}
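Review bot: The fallback branch at L101–L105 logs "Invalid continued data" but reports `invalid_token`, while the same message at L64–L67 now reports `invalid_request`. Per RFC 6750 an `invalid_token` reply tells the client its bearer token was rejected and it should obtain a new one, whereas a continued-data field the server cannot parse is a malformed request, so `oauth2_fail_invalid_request(oauth2_req);` at L105 looks like the consistent choice — unless the branch above it, which is outside the hunk, is the one that parses the token field itself. The same inconsistency appears at L135–L139 in the second mechanism. The enclosing loop and function start outside the hunk.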
if (user_given &&
!auth_request_set_username(request, username, &error)) {
e_info(request->mech_event, "%s", error);
- oauth2_fail(oauth2_req, 400, "invalid_request");
+ oauth2_fail_invalid_request(oauth2_req);
return;
}
if (user_given && token != NULL)
mech_oauth2_verify_token(oauth2_req, token);
else if (token == NULL) {
e_info(request->mech_event, "Missing token");
- oauth2_fail(oauth2_req, 401, "invalid_token");
+ oauth2_fail_invalid_request(oauth2_req);
} else {
e_info(request->mech_event, "Missing username");
- oauth2_fail(oauth2_req, 401, "invalid_request");
+ oauth2_fail_invalid_request(oauth2_req);
}
}
return;
}
if (data_size == 0) {
- oauth2_fail(oauth2_req, 401, "invalid_token");
+ oauth2_fail_invalid_request(oauth2_req);
return;
}
} else {
e_info(request->mech_event,
"Invalid continued data");
- oauth2_fail(oauth2_req, 401, "invalid_token");
+ oauth2_fail_invalid_token(oauth2_req);
return;
}
}
if (user_given &&
!auth_request_set_username(request, username, &error)) {
e_info(request->mech_event, "%s", error);
- oauth2_fail(oauth2_req, 400, "invalid_request");
+ oauth2_fail_invalid_request(oauth2_req);
return;
}
if (user_given && token != NULL)
mech_oauth2_verify_token(oauth2_req, token);
else if (token == NULL) {
e_info(request->mech_event, "Missing token");
- oauth2_fail(oauth2_req, 401, "invalid_token");
+ oauth2_fail_invalid_request(oauth2_req);
} else {
e_info(request->mech_event, "Missing username");
- oauth2_fail(oauth2_req, 401, "invalid_token");
+ oauth2_fail_invalid_request(oauth2_req);
}
}