Mercurial > hg > nginx
comparison src/mail/ngx_mail_imap_handler.c @ 9290:4538c1ffb0f8
Mail: added support for XOAUTH2 and OAUTHBEARER authentication.
This patch adds support for the OAUTHBEARER SASL mechanism as defined
by RFC 7628, as well as pre-RFC XOAUTH2 SASL mechanism. For both
mechanisms, the "Auth-User" header is set to the client identity
obtained from the initial SASL response sent by the client, and the
"Auth-Pass" header is set to the Bearer token itself.
The auth server may return the "Auth-Error-SASL" header, which is
passed to the client as an additional SASL challenge. It is expected
to contain mechanism-specific error details, base64-encoded. After
the client responds (with an empty SASL response for XAUTH2, or with
"AQ==" dummy response for OAUTHBEARER), the error message from the
"Auth-Status" header is sent.
Based on a patch by Rob Mueller.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 03 Jun 2024 18:03:11 +0300 |
| parents | 32d4582c484d |
| children |
comparison
equal
deleted
inserted
replaced
| 9289:20017bff0de8 | 9290:4538c1ffb0f8 |
|---|---|
| 218 break; | 218 break; |
| 219 | 219 |
| 220 case ngx_imap_auth_external: | 220 case ngx_imap_auth_external: |
| 221 rc = ngx_mail_auth_external(s, c, 0); | 221 rc = ngx_mail_auth_external(s, c, 0); |
| 222 break; | 222 break; |
| 223 | |
| 224 case ngx_imap_auth_xoauth2: | |
| 225 rc = ngx_mail_auth_xoauth2(s, c, 0); | |
| 226 break; | |
| 227 | |
| 228 case ngx_imap_auth_oauthbearer: | |
| 229 rc = ngx_mail_auth_oauthbearer(s, c, 0); | |
| 230 break; | |
| 223 } | 231 } |
| 224 | 232 |
| 225 } else if (rc == NGX_IMAP_NEXT) { | 233 } else if (rc == NGX_IMAP_NEXT) { |
| 226 tag = 0; | 234 tag = 0; |
| 227 ngx_str_set(&s->out, imap_next); | 235 ngx_str_set(&s->out, imap_next); |
| 430 | 438 |
| 431 ngx_str_set(&s->out, imap_username); | 439 ngx_str_set(&s->out, imap_username); |
| 432 s->mail_state = ngx_imap_auth_external; | 440 s->mail_state = ngx_imap_auth_external; |
| 433 | 441 |
| 434 return NGX_OK; | 442 return NGX_OK; |
| 443 | |
| 444 case NGX_MAIL_AUTH_XOAUTH2: | |
| 445 | |
| 446 if (!(iscf->auth_methods & NGX_MAIL_AUTH_XOAUTH2_ENABLED)) { | |
| 447 return NGX_MAIL_PARSE_INVALID_COMMAND; | |
| 448 } | |
| 449 | |
| 450 if (s->args.nelts == 2) { | |
| 451 s->mail_state = ngx_imap_auth_xoauth2; | |
| 452 return ngx_mail_auth_xoauth2(s, c, 1); | |
| 453 } | |
| 454 | |
| 455 ngx_str_set(&s->out, imap_plain_next); | |
| 456 s->mail_state = ngx_imap_auth_xoauth2; | |
| 457 | |
| 458 return NGX_OK; | |
| 459 | |
| 460 case NGX_MAIL_AUTH_OAUTHBEARER: | |
| 461 | |
| 462 if (!(iscf->auth_methods & NGX_MAIL_AUTH_OAUTHBEARER_ENABLED)) { | |
| 463 return NGX_MAIL_PARSE_INVALID_COMMAND; | |
| 464 } | |
| 465 | |
| 466 if (s->args.nelts == 2) { | |
| 467 s->mail_state = ngx_imap_auth_oauthbearer; | |
| 468 return ngx_mail_auth_oauthbearer(s, c, 1); | |
| 469 } | |
| 470 | |
| 471 ngx_str_set(&s->out, imap_plain_next); | |
| 472 s->mail_state = ngx_imap_auth_oauthbearer; | |
| 473 | |
| 474 return NGX_OK; | |
| 435 } | 475 } |
| 436 | 476 |
| 437 return rc; | 477 return rc; |
| 438 } | 478 } |
| 439 | 479 |