author | Jesse Morgan <jesse@jesterpm.net> | 2024-01-28 11:21:51 -0800 |
---|---|---|
committer | Jesse Morgan <jesse@jesterpm.net> | 2024-01-28 11:21:51 -0800 |
commit | 406c2eca191aed531dac74eaffafa70e956914b6 (patch) | |
tree | 8d7151a4696f64e0fe178346da82619932c4f4f1 | |
parent | 83e09afd06dec95f2ec46beb2fa28942bb8a4804 (diff) |
-rw-r--r-- | README.md | 23 | ||||
-rw-r--r-- | src/main.rs | 35 |
2 files changed, 41 insertions, 17 deletions
@@ -30,21 +30,18 @@ You'll need a web server that can run CGI scripts, then you'll want a script that runs chkoauth2 with the appropriate options. Something like: #!/bin/sh + OAUTH2_AUTHORIZATION_URL="https://example.com/authorize" \ + OAUTH2_INTROSPECTION_URL="https://example.com/introspect" \ OAUTH2_CLIENT_ID="<OAuth2 client id>" \ OAUTH2_CLIENT_SECRET="<OAuth2 client secret>" \ - chkoauth2 \ - https://example.com/oauth/authorize \ - https://example.com/oauth/introspect \ - --scope create \ - another.cgi - -The sample script uses environment variables to provide the OAuth2 client -identity for interacting with the introspection endpoint, which is hosted at -example.com. chkoauth2 expects your web server to provided the Authorization -header in the `HTTP_AUTHORIZATION` environment variable. If the header contains -a valid Bearer token, and the token grants the required scope(s) ("create", in -this case), then chkoauth2 will invoke `another.cgi`. Otherwise, an appropriate -error will be returned. + chkoauth2 --scope create another.cgi + +The sample script is using environment variables to provide the configuration +for the OAuth2 authorization server. chkoauth2 expects your web server to +provided the Authorization header in the `HTTP_AUTHORIZATION` environment +variable. If the header contains a valid Bearer token, and the token grants the +required scope(s) ("create", in this case), then chkoauth2 will invoke +`another.cgi`. Otherwise, an appropriate error will be returned. The full list of granted scopes is passed to the application through the `OAUTH2_SCOPES` environment variable, allowing the wrapped CGI to check for an diff --git a/src/main.rs b/src/main.rs index ec91ec1..f979e2e 100644 --- a/src/main.rs +++ b/src/main.rs 
@@ -34,15 +34,22 @@ struct Args {
 /// variable.
 #[arg(long = "secret")]
 client_secret: Option<String>,
+ /// Scopes that must be present for the request to succeed.
 #[arg(long = "scope")]
 scope: Vec<String>,
 /// The URL of the Authorization endpoint.
- auth_url: Url,
+ /// This may also be provided through the OAUTH2_AUTHORIZATION_URL
+ /// environment variable.
+ #[arg(long = "authorization-url")]
+ auth_url: Option<Url>,
 /// The URL of the token introspection endpoint.
- introspection_url: Url,
+ /// This may also be provided through the OAUTH2_INTROSPECTION_URL
+ /// environment variable.
+ #[arg(long = "introspection-url")]
+ introspection_url: Option<Url>,
 /// The command to run if authorized.
 command: String,
@@ -81,13 +88,33 @@ fn handle_request() -> Result<Response<Option<String>>, Error> {
 .or_else(|| env::var("OAUTH2_CLIENT_SECRET").ok())
 .map(ClientSecret::new);
+ let auth_url = args
+ .auth_url
+ .or_else(|| {
+ env::var("OAUTH2_AUTHORIZATION_URL")
+ .ok()
+ .and_then(|url| url.parse().ok())
+ })
+ .map(AuthUrl::from_url)
+ .expect("Missing required argument --authorization-url");
+
+ let introspection_url = args
+ .introspection_url
+ .or_else(|| {
+ env::var("OAUTH2_INTROSPECTION_URL")
+ .ok()
+ .and_then(|url| url.parse().ok())
+ })
+ .map(IntrospectionUrl::from_url)
+ .expect("Missing required argument --introspection-url");
+
 let client = Client::new(
 client_id,
 client_secret,
- AuthUrl::from_url(args.auth_url),
+ auth_url,
 None,
 )
- .set_introspection_uri(IntrospectionUrl::from_url(args.introspection_url));
+ .set_introspection_uri(introspection_url);
 let access_token = env::var("HTTP_AUTHORIZATION")
 .ok() |
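Review bot: In the second hunk, `.and_then(|url| url.parse().ok())` throws away the parse error, so a malformed `OAUTH2_AUTHORIZATION_URL` or `OAUTH2_INTROSPECTION_URL` value reaches the following `.expect` and is reported as "Missing required argument", which sends the operator looking for the wrong problem; the `introspection_url` block has the same issue. Since the fields are now `Option<Url>`, clap no longer rejects a missing URL at parse time and the failure surfaces only inside the request path as a panic, where `handle_request` already returns `Result<…, Error>` and could return a configuration error instead if `Error` can carry one. At minimum the two cases should get distinct messages, e.g. `.map(|url| url.parse().expect("OAUTH2_AUTHORIZATION_URL is not a valid URL"))` in place of the `and_then`, and likewise for the introspection variable. The body of `handle_request` continues outside the hunk.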