oauth2.authorize {
	# Only route a request through OAuth2 when it carries a realm, a
	# cleartext User-Password (PAP-style; challenge methods without a
	# cleartext password never enter this branch) and the realm's
	# config has an oauth2.discovery item. Anything else drops to the
	# else branch below and is left for other modules.
	#
	# For domains not handled by oauth2 the config lookup logs, and
	# you should ignore:
	#   ERROR: "Config item "realm[...].oauth2.discovery" does not exist"
	if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") {
		oauth2_perl
		# Continue only if oauth2_perl returned "updated" and password
		# caching is enabled for the realm. The regex matches "yes"
		# (any case) AND the empty string, so a realm with no
		# cache_password item (the lookup expands to empty) has caching
		# enabled by default; set it to anything else to turn it off.
		if (updated && "%{config:realm[%{Realm}].oauth2.cache_password}" =~ /^(yes)?$/i) {
			update control {
				# Lookup only: this call must not create or refresh
				# cache entries; writing is done in oauth2.post-auth.
				&Cache-Read-Only = yes
			}
			oauth2_cache
			# Outsource the authentication to PAP if we have valid cached
			# credentials: the lookup must have hit ("ok") and the
			# OAuth2-Password-Last-Modified stored with the entry must
			# equal the one on the request, otherwise the cached hash
			# is treated as stale and the live IdP path is kept.
			if (ok && "%{request:OAuth2-Password-Last-Modified}" == "%{control:OAuth2-Password-Last-Modified}") {
				update control {
					# Remove the oauth2 Auth-Type so oauth2.authenticate
					# is skipped for this request. Which Auth-Type (PAP,
					# presumably) then handles the cached hash is set
					# elsewhere in the site config — confirm there.
					Auth-Type -= "oauth2"
				}
			}
		}
	} else {
		noop
	}
}
oauth2.authenticate {
	# Live authentication against the IdP via the perl module. Reached
	# only while Auth-Type is still "oauth2" (presumably set by
	# oauth2_perl during authorize — not visible here); requests served
	# from the password cache had that Auth-Type removed in authorize.
	oauth2_perl
}
oauth2.post-auth {
	# Same enable check as in oauth2.authorize: "yes" (any case) or an
	# absent/empty cache_password item both enable caching.
	if ("%{config:realm[%{Realm}].oauth2.cache_password}" =~ /^(yes)?$/i) {
		# Only a request that was authenticated live by the IdP (Auth-Type
		# still "oauth2") rebuilds the cached credential; cache hits had
		# the Auth-Type removed in authorize and keep their stored hash.
		if (&control:Auth-Type == "oauth2") {
			update request {
				# Fresh 32-character random salt for this entry (the
				# character class is whatever randstr's "." selector
				# yields in this FreeRADIUS version — confirm). It lives
				# in the request list, so it may show up in request
				# logging/detail output alongside the other attributes.
				&Tmp-String-0 = "%{randstr:32.}"
			}
			update control {
				# Salted SHA-512 in the {ssha512} hex form PAP understands:
				# hex(sha512(password || salt)) followed by hex(salt).
				# What goes into control is therefore a salted hash, not
				# the cleartext; what oauth2_cache actually persists is
				# defined in its module config, not here.
				&Password-With-Header = "{ssha512}%{sha512:%{&User-Password}%{&Tmp-String-0}}%{hex:&Tmp-String-0}"
			}
		}
		# Write path: oauth2_cache is called here without Cache-Read-Only,
		# so this is the call that may insert or refresh the entry. It is
		# only attempted when a last-modified value is in control, since
		# authorize uses that value to decide whether a cached hash is
		# still valid.
		if (&control:OAuth2-Password-Last-Modified) {
			oauth2_cache
		}
	}
}