lib-oauth2: Validate scope when configured
authorAki Tuomi <aki.tuomi@open-xchange.com>
Mon, 8 May 2023 05:38:20 +0000 (08:38 +0300)
committerAki Tuomi <aki.tuomi@open-xchange.com>
Thu, 11 May 2023 11:35:54 +0000 (14:35 +0300)
src/lib-oauth2/oauth2-jwt.c
src/lib-oauth2/test-oauth2-jwt.c

index bb7c8e763adec3ffd0441212a1303c8f6b684033..ce9c76ec261c3b4cc59f7305a09b7994f06ce40a 100644 (file)
@@ -352,6 +352,17 @@ oauth2_jwt_header_process(struct json_tree *tree, const char **alg_r,
        return 0;
 }
 
+static bool check_scope(const char *req, const char *got)
+{
+       const char *const *scope_req = t_strsplit_spaces(req, " ,");
+       const char *const *scope_got = t_strsplit_spaces(got, " ,");
+
+       for (; *scope_req != NULL; scope_req++)
+               if (!str_array_icase_find(scope_got, *scope_req))
+                       return FALSE;
+       return TRUE;
+}
+
 static int
 oauth2_jwt_body_process(const struct oauth2_settings *set, const char *alg,
                        const char *kid, ARRAY_TYPE(oauth2_field) *fields,
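Review bot: check_scope matches the required scope entries case-insensitively (str_array_icase_find on the new line), whereas RFC 6749 §3.3 defines scope strings as case-sensitive, so a token carrying `Mail` satisfies a configured `mail`. If that relaxation is deliberate for interoperability with issuers that vary the case, state it in a header comment such as `/* Returns TRUE if every space- or comma-separated entry of req occurs in got (any order, extra entries in got ignored); comparison is case-insensitive by design. */`; otherwise `str_array_find` would follow the specification. As written the helper has no comment stating its contract, and a reader has to infer from the split string `" ,"` that both separators are accepted. The function is complete within the hunk; oauth2_jwt_body_process that follows continues outside it.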
@@ -437,6 +448,22 @@ oauth2_jwt_body_process(const struct oauth2_settings *set, const char *alg,
                }
        }
 
+       const char *got_scope = get_field(tree, "scope", NULL);
+       const char *req_scope = set->scope;
+
+       if (req_scope != NULL && *req_scope != '\0') {
+               if (got_scope == NULL) {
+                       *error_r = "scope set but not found in token";
+                       return -1;
+               }
+
+               if (!check_scope(req_scope, got_scope)) {
+                       *error_r = t_strdup_printf("configured scope '%s' missing from token scope '%s'",
+                                                  req_scope, got_scope);
+                       return -1;
+               }
+       }
+
        /* see if there is azp */
        const char *azp = get_field(tree, "azp", NULL);
        if (azp == NULL)
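Review bot: The error string `scope set but not found in token` reads as if the token had set a scope; `scope configured but not present in token` describes what actually happened and distinguishes it from the mismatch message below. Whether get_field returns NULL or a string when the `scope` claim arrives as a JSON array rather than a string is not visible here, and it decides whether such tokens are rejected with the "not found" message — worth confirming against get_field. The accompanying test-file hunk only removes `set.scope = "mail"`; no test configures a scope and presents a token with a matching claim and with a missing one, so neither new branch is exercised. oauth2_jwt_body_process starts and ends outside this hunk.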
index b0c5324344d98fa3a7ac9c85fa8db878bdc20f50..68a64ed114ec72fea71e90680f84d0a1183a44d2 100644 (file)
@@ -83,7 +83,6 @@ static int parse_jwt_token(struct oauth2_request *req, const char *token,
        struct oauth2_settings set;
 
        i_zero(&set);
-       set.scope = "mail";
        set.key_dict = keys_dict;
        set.key_cache = key_cache;
        i_zero(req);