

@andreaceccanti commented on this pull request.


In src/XrdMacaroons/XrdMacaroonsHandler.cc:

>  // See if the macaroon handler is interested in this request.
 // We intercept all POST requests as we will be looking for a particular
 // header.
 bool
 Handler::MatchesPath(const char *verb, const char *path)
 {
-    return !strcmp(verb, "POST");
+    return !strcmp(verb, "POST") || !strncmp(path, "/.well-known/", 13) ||
+           !strncmp(path, "/.oauth2/", 9);
+}
+
+
+int Handler::ProcessOAuthConfig(XrdHttpExtReq &req) {
+    if (req.verb != "GET")
+    {
+        return req.SendSimpleResp(400, NULL, NULL, "Only GET is valid for oauth config.", 0);

405 method not supported would probably be more appropriate here?
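Review bot: The prefix lengths `13` and `9` in `MatchesPath` are hand-counted magic numbers; they are correct for the current literals, but a later edit to either string would silently change what is matched. Deriving the length from the literal keeps the two in step, e.g. `static const char kWellKnown[] = "/.well-known/";` and `!strncmp(path, kWellKnown, sizeof(kWellKnown) - 1)`. The handler now also claims every verb under `/.well-known/` and `/.oauth2/`, so the dispatch code (outside this hunk) should answer unrecognised paths under those prefixes with an explicit 404 rather than letting them fall through to the macaroon-issuing path. `ProcessOAuthConfig` continues past the end of the hunk.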


In src/XrdMacaroons/XrdMacaroonsHandler.cc:

> +        return req.SendSimpleResp(500, NULL, NULL, "Unable to create a new JSON macaroon string.", 0);
+    }
+    json_object_object_add(response_obj, "token_endpoint", endpoint_obj);
+
+    const char *response_result = json_object_to_json_string_ext(response_obj, JSON_C_TO_STRING_PRETTY);
+    int retval = req.SendSimpleResp(200, NULL, NULL, response_result, 0);
+    json_object_put(response_obj);
+    return retval;
+}
+
+
+int Handler::ProcessTokenRequest(XrdHttpExtReq &req)
+{
+    if (req.verb != "POST")
+    {
+        return req.SendSimpleResp(400, NULL, NULL, "Only POST is valid for token request.", 0);

same as above, 405 probably more appropriate?
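Review bot: The early `return req.SendSimpleResp(500, ...)` at the top of this hunk leaves `ProcessOAuthConfig` without calling `json_object_put(response_obj)`, so if `response_obj` was already allocated above the hunk (it is used on the next line), it leaks on that path. The same pattern is visible in the `ProcessReq` hunk, where the new `if (!expire_in_obj)` branch returns although `response_obj` is certainly live, having been passed to `json_object_object_add` just before. Adding `json_object_put(response_obj);` before each of those returns fixes both. The 500 message here also still reads "Unable to create a new JSON macaroon string." although the object that failed is the `token_endpoint` string, which will mislead whoever debugs it.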


In src/XrdMacaroons/XrdMacaroonsHandler.cc:

> +        if (eq == std::string::npos)
+        {
+            return req.SendSimpleResp(400, NULL, NULL, "Invalid format for form-encoding", 0);
+        }
+        std::string key = token.substr(0, eq);
+        std::string value = token.substr(eq + 1);
+        //std::cout << "Found key " << key << ", value " << value << std::endl;
+        if (key == "grant_type")
+        {
+            found_grant_type = true;
+            if (value != "client_credentials")
+            {
+                return req.SendSimpleResp(400, NULL, NULL, "Invalid grant type specified.", 0);
+            }
+        }
+        else if (key == "expire_in")

this "expire_in" grant parameter (which I guess is used to limit the access token lifetime) is something where we want to be aligned, or FTS will have to juggle. StoRM uses the 'lifetime' parameter. No problem to change on our side, but I suggest to have a profile document that defines these details somewhere and align implementations to such profile.
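Review bot: The commented-out `std::cout` line that prints every form key and value should be deleted rather than merged; a token endpoint's request body is exactly the kind of data that should not reach stdout or logs if someone re-enables it. Separately, `key` and `value` are compared as raw substrings and no percent-decoding is visible in this hunk, so an `application/x-www-form-urlencoded` body that encodes characters would not match `grant_type` or `client_credentials`; if decoding is not done earlier, it belongs before these comparisons. The loop and the `expire_in` branch continue outside the hunk; the client-supplied lifetime parsed there should be range-checked and capped at the server's configured maximum.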


In src/XrdMacaroons/XrdMacaroonsHandler.cc:

> @@ -314,11 +505,17 @@ int Handler::ProcessReq(XrdHttpExtReq &req)
     {
         return req.SendSimpleResp(500, NULL, NULL, "Unable to create a new JSON macaroon string.", 0);
     }
-    json_object_object_add(response_obj, "macaroon", macaroon_obj);
+    json_object_object_add(response_obj, oauth_response ? "access_token" : "macaroon", macaroon_obj);
+
+    json_object *expire_in_obj = json_object_new_int64(validity);
+    if (!expire_in_obj)
+    {
+        return req.SendSimpleResp(500, NULL, NULL, "Unable to create a new JSON validity object.", 0);
+    }
+    json_object_object_add(response_obj, "expire_in", expire_in_obj);

this should be "expires_in" according to the OAuth standard
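Review bot: When `oauth_response` is set, the JSON built here carries `access_token` and the lifetime, but no `token_type` member is added in this hunk, and RFC 6749 section 5.1 makes that member required in a successful token response. If it is not added elsewhere, something like `json_object_object_add(response_obj, "token_type", json_object_new_string("bearer"));` (with the same null check used for the other members) would close the gap. The same section also requires `Cache-Control: no-store` on responses that contain tokens; the `SendSimpleResp` call for this response is outside the hunk, so it is worth confirming that it does not pass `NULL` for the headers as the other calls on this page do.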


