Mercurial > hg > nginx
comparison src/mail/ngx_mail_imap_module.c @ 9290:4538c1ffb0f8
Mail: added support for XOAUTH2 and OAUTHBEARER authentication.
This patch adds support for the OAUTHBEARER SASL mechanism as defined
by RFC 7628, as well as pre-RFC XOAUTH2 SASL mechanism. For both
mechanisms, the "Auth-User" header is set to the client identity
obtained from the initial SASL response sent by the client, and the
"Auth-Pass" header is set to the Bearer token itself.
The auth server may return the "Auth-Error-SASL" header, which is
passed to the client as an additional SASL challenge. It is expected
to contain mechanism-specific error details, base64-encoded. After
the client responds (with an empty SASL response for XAUTH2, or with
"AQ==" dummy response for OAUTHBEARER), the error message from the
"Auth-Status" header is sent.
Based on a patch by Rob Mueller.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 03 Jun 2024 18:03:11 +0300 |
parents | dc955d274130 |
children |
comparison
equal
deleted
inserted
replaced
9289:20017bff0de8 | 9290:4538c1ffb0f8 |
---|---|
28 static ngx_conf_bitmask_t ngx_mail_imap_auth_methods[] = { | 28 static ngx_conf_bitmask_t ngx_mail_imap_auth_methods[] = { |
29 { ngx_string("plain"), NGX_MAIL_AUTH_PLAIN_ENABLED }, | 29 { ngx_string("plain"), NGX_MAIL_AUTH_PLAIN_ENABLED }, |
30 { ngx_string("login"), NGX_MAIL_AUTH_LOGIN_ENABLED }, | 30 { ngx_string("login"), NGX_MAIL_AUTH_LOGIN_ENABLED }, |
31 { ngx_string("cram-md5"), NGX_MAIL_AUTH_CRAM_MD5_ENABLED }, | 31 { ngx_string("cram-md5"), NGX_MAIL_AUTH_CRAM_MD5_ENABLED }, |
32 { ngx_string("external"), NGX_MAIL_AUTH_EXTERNAL_ENABLED }, | 32 { ngx_string("external"), NGX_MAIL_AUTH_EXTERNAL_ENABLED }, |
33 { ngx_string("xoauth2"), NGX_MAIL_AUTH_XOAUTH2_ENABLED }, | |
34 { ngx_string("oauthbearer"), NGX_MAIL_AUTH_OAUTHBEARER_ENABLED }, | |
33 { ngx_null_string, 0 } | 35 { ngx_null_string, 0 } |
34 }; | 36 }; |
35 | 37 |
36 | 38 |
37 static ngx_str_t ngx_mail_imap_auth_methods_names[] = { | 39 static ngx_str_t ngx_mail_imap_auth_methods_names[] = { |
38 ngx_string("AUTH=PLAIN"), | 40 ngx_string("AUTH=PLAIN"), |
39 ngx_string("AUTH=LOGIN"), | 41 ngx_string("AUTH=LOGIN"), |
40 ngx_null_string, /* APOP */ | 42 ngx_null_string, /* APOP */ |
41 ngx_string("AUTH=CRAM-MD5"), | 43 ngx_string("AUTH=CRAM-MD5"), |
42 ngx_string("AUTH=EXTERNAL"), | 44 ngx_string("AUTH=EXTERNAL"), |
45 ngx_string("AUTH=XOAUTH2"), | |
46 ngx_string("AUTH=OAUTHBEARER"), | |
43 ngx_null_string /* NONE */ | 47 ngx_null_string /* NONE */ |
44 }; | 48 }; |
45 | 49 |
46 | 50 |
47 static ngx_mail_protocol_t ngx_mail_imap_protocol = { | 51 static ngx_mail_protocol_t ngx_mail_imap_protocol = { |
180 for (i = 0; i < conf->capabilities.nelts; i++) { | 184 for (i = 0; i < conf->capabilities.nelts; i++) { |
181 size += 1 + c[i].len; | 185 size += 1 + c[i].len; |
182 } | 186 } |
183 | 187 |
184 for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0; | 188 for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0; |
185 m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED; | 189 m < NGX_MAIL_AUTH_NONE_ENABLED; |
186 m <<= 1, i++) | 190 m <<= 1, i++) |
187 { | 191 { |
188 if (m & conf->auth_methods) { | 192 if (m & conf->auth_methods) { |
189 size += 1 + ngx_mail_imap_auth_methods_names[i].len; | 193 size += 1 + ngx_mail_imap_auth_methods_names[i].len; |
190 } | 194 } |
206 } | 210 } |
207 | 211 |
208 auth = p; | 212 auth = p; |
209 | 213 |
210 for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0; | 214 for (m = NGX_MAIL_AUTH_PLAIN_ENABLED, i = 0; |
211 m <= NGX_MAIL_AUTH_EXTERNAL_ENABLED; | 215 m < NGX_MAIL_AUTH_NONE_ENABLED; |
212 m <<= 1, i++) | 216 m <<= 1, i++) |
213 { | 217 { |
214 if (m & conf->auth_methods) { | 218 if (m & conf->auth_methods) { |
215 *p++ = ' '; | 219 *p++ = ' '; |
216 p = ngx_cpymem(p, ngx_mail_imap_auth_methods_names[i].data, | 220 p = ngx_cpymem(p, ngx_mail_imap_auth_methods_names[i].data, |