oauth: RFC8628

Author: lws-team

include/libwebsockets/lws-auth-device-client.h

@@ -0,0 +1,45 @@
+/*
+ * libwebsockets - small server side websockets and web server implementation
+ *
+ * Copyright (C) 2010 - 2026 Andy Green <andy@warmcat.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to
+ * deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ */
+
+#ifndef _PROTOCOL_LWS_AUTH_DEVICE_CLIENT_H
+#define _PROTOCOL_LWS_AUTH_DEVICE_CLIENT_H
+
+#define LWS_AUTH_DEVICE_CLIENT_ABI_VERSION 1
+
+struct lws_auth_device_client_ops {
+	uint32_t abi_version;
+
+	/* Called when authorization completes successfully to let the app proceed */
+	void (*auth_success)(struct lws_vhost *vh, const char *logical_name, const char *access_token);
+
+	/* Called to start / stop flashing an LED or similar "pairing indication" */
+	void (*pairing_indication)(struct lws_vhost *vh, const char *logical_name, int start);
+
+	/* Optional callback when code is retrieved */
+	void (*display_code)(struct lws_vhost *vh, const char *logical_name, const char *user_code);
+
+	/* Optional callback to get a human-readable name for the device */
+	const char *(*get_device_name)(struct lws_vhost *vh, const char *logical_name);
+};
+
+struct lws_auth_device_client_api {
+	uint32_t abi_version;
+
+	/* Start the auth flow against the given mixer URL for a specific logical device */
+	void (*start_auth_flow)(struct lws_vhost *vh, const char *mixer_url, const char *logical_name);
+};
+
+#endif

include/libwebsockets/lws-jwt-auth.h

@@ -69,6 +69,16 @@ lws_jwt_auth_query_grant(struct lws_jwt_auth *ja, const char *service_name);
 LWS_VISIBLE LWS_EXTERN const char *
 lws_jwt_auth_get_sub(struct lws_jwt_auth *ja);
 
+/**
+ * lws_jwt_auth_get_did() - get the device id associated with the jwt (if any)
+ *
+ * \param ja: the jwt auth object
+ *
+ * Returns the device ID ("did" claim) from the jwt, or NULL.
+ */
+LWS_VISIBLE LWS_EXTERN const char *
+lws_jwt_auth_get_did(struct lws_jwt_auth *ja);
+
 /**
  * lws_jwt_auth_get_uid() - Extract the native uid integer
  *

include/libwebsockets/lws-system.h

@@ -42,7 +42,7 @@ typedef enum {
 	LWS_SYSBLOB_TYPE_MQTT_USERNAME,
 	LWS_SYSBLOB_TYPE_MQTT_PASSWORD,
 
-#if defined(LWS_WITH_SECURE_STREAMS_AUTH_SIGV4)
+#if defined(LWS_WITH_SECURE_STREAMS_AUTH_SIGV4) || defined(LWS_WITH_JOSE)
 	/* extend 4 more auth blobs, each has 2 slots */
 	LWS_SYSBLOB_TYPE_EXT_AUTH1,
 	LWS_SYSBLOB_TYPE_EXT_AUTH2 = LWS_SYSBLOB_TYPE_EXT_AUTH1 + 2,

lib/core-net/client/connect.c

@@ -545,7 +545,7 @@ lws_client_connect_via_info(const struct lws_client_connect_info *i)
 
 #if defined(LWS_WITH_TLS)
 bail3:
-	lwsl_wsi_info(wsi, "tls start fail");
+	lwsl_wsi_err(wsi, "tls start fail");
 	lws_close_free_wsi(wsi, LWS_CLOSE_STATUS_NOSTATUS, "tls start fail");
 
 	if (i->pwsi)

lib/jose/jws/jwt-auth.c

@@ -31,6 +31,7 @@ struct lws_jwt_auth {
 	uint64_t exp;
 	char cookie_name[64];
 	char sub[128];
+	char did[128];
 	uint32_t uid;
 };
 
@@ -102,6 +103,7 @@ static const char * const auth_paths[] = {
 	"sub",
 	"email",
 	"uid",
+	"did",
 };
 
 enum {
@@ -112,6 +114,7 @@ enum {
 	JAP_SUB,
 	JAP_EMAIL,
 	JAP_UID,
+	JAP_DID,
 };
 
 static signed char
@@ -147,6 +150,8 @@ jwt_auth_lejp_cb(struct lejp_ctx *ctx, char reason)
 	} else if (reason == LEJPCB_VAL_STR_CHUNK || reason == LEJPCB_VAL_STR_END) {
 		if (ctx->path_match == JAP_SUB + 1 || ctx->path_match == JAP_EMAIL + 1) {
 			lws_strncpy(pctx->ja->sub, ctx->buf, sizeof(pctx->ja->sub));
+		} else if (ctx->path_match == JAP_DID + 1) {
+			lws_strncpy(pctx->ja->did, ctx->buf, sizeof(pctx->ja->did));
 		}
 	}
 
@@ -267,6 +272,14 @@ lws_jwt_auth_get_sub(struct lws_jwt_auth *ja)
 	return ja->sub;
 }
 
+const char *
+lws_jwt_auth_get_did(struct lws_jwt_auth *ja)
+{
+	if (!ja || !ja->did[0])
+		return NULL;
+	return ja->did;
+}
+
 uint32_t
 lws_jwt_auth_get_uid(struct lws_jwt_auth *ja)
 {

lib/roles/http/server/interceptor.c

@@ -269,10 +269,13 @@ lws_interceptor_check(struct lws *wsi, const struct lws_protocols *prot)
 
 	s = sizeof(buf);
 	if (lws_jwt_get_http_cookie_validate_jwt(wsi, &ck, buf, &s)) {
+		lwsl_notice("%s: JWT validation failed for cookie '%s'\n", __func__, vhd->cookie_name);
 		lws_interceptor_inject_header(wsi, vhd, NULL);
 		return vhd->always_pass ? 0 : 1;
 	}
 
+	lwsl_notice("%s: JWT validation passed for cookie '%s', payload: %.*s\n", __func__, vhd->cookie_name, (int)s, buf);
+
 	cp = lws_json_simple_find(buf, s, "\"sub\":", &claim_len);
 	if (!cp) {
 		lwsl_vhost_notice(vhd->vhost, "%s: sub claim missing in JWT", __func__);

lib/roles/ws/server-ws.c

@@ -397,13 +397,7 @@ lws_process_ws_upgrade2(struct lws *wsi)
 					    LWSIFR_SERVER | LWSIFR_P_ENCAP_H2,
 					    LRS_ESTABLISHED, &role_ops_ws);
 
-			/*
-			 * There should be no validity checking since we
-			 * are encapsulated in something else with its own
-			 * validity checking
-			 */
 
-			lws_sul_cancel(&wsi->sul_validity);
 		} else
 #endif
 		{

lwsws/main.c

@@ -173,7 +173,7 @@ context_creation(int argc, const char **argv)
 			info.gid = (unsigned int)atoi(p);
 
 		/* Root monitor makes outbound TLS probes but skips user vhosts, force global TLS init */
-		info.options |= LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
+		info.options |= LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT | LWS_SERVER_OPTION_VH_SKIP_PRIV_DROP;
 	}
 
 	foreign_loops[0] = &loop;

minimal-examples-lowlevel/raw/minimal-raw-webrtc-camshow/minimal-raw-webrtc-camshow.c

@@ -16,6 +16,9 @@
 
 #include "../../../plugins/protocol_lws_rtc_camera/protocol_lws_rtc_camera.h"
 #include "../../../plugins/protocol_lws_webrtc/protocol_lws_webrtc.h"
+#include "../../../include/libwebsockets/lws-auth-device-client.h"
+
+static struct lws_auth_device_client_api *auth_api;
 
 enum {
 	LWS_SW_HEIGHT,
@@ -75,18 +78,13 @@ app_system_state_nf(lws_state_manager_t *mgr, lws_state_notify_link_t *link,
                         return -1;
                 }
 
-                if (!devices_copy)
-                        devices_copy = strdup(devs_list);
-
-                char *p = devices_copy;
-                char *token;
-
-                while ((token = strsep(&p, ","))) {
-                        lwsl_notice("Attaching %s to WebRTC mixer\n", token);
-                        if (cam_ops->attach(vh, url, token, client_name, app_width, app_height))
-                                lwsl_err("Failed to queue attach for %s\n", token);
+                if (!auth_api || !auth_api->start_auth_flow) {
+                        lwsl_err("auth_api not populated by plugin\n");
+                        return -1;
                 }
 
+                auth_api->start_auth_flow(vh, url, "camshow");
+
                 break;
 	}
 	return 0;
@@ -118,6 +116,40 @@ set_clock(lws_usec_t us)
 	return 0;
 }
 
+static void start_app_attach(struct lws_vhost *vh, const char *logical_name, const char *access_token)
+{
+	char *devices_copy_local = strdup(devs_list);
+	char *p = devices_copy_local, *token;
+
+        while ((token = strsep(&p, ","))) {
+		lwsl_notice("Attaching %s to WebRTC mixer\n", token);
+		if (cam_ops->attach(vh, url, token, client_name, app_width, app_height, access_token))
+			lwsl_err("Failed to queue attach for %s\n", token);
+	}
+
+        free(devices_copy_local);
+}
+
+static void pairing_indication(struct lws_vhost *vh, const char *logical_name, int start)
+{
+	lwsl_notice("\n\n*** BLINK BLINK BLINK: Identify triggered by Admin for %s ***\n\n", logical_name);
+}
+
+static void display_code(struct lws_vhost *vh, const char *logical_name, const char *user_code)
+{
+	lwsl_notice("\n\n=======================================\n");
+	lwsl_notice("   PAIRING REQUIRED FOR %s\n", logical_name);
+	lwsl_notice("   User Code: %s\n", user_code);
+	lwsl_notice("=======================================\n\n");
+}
+
+static struct lws_auth_device_client_ops auth_ops = {
+	.abi_version = LWS_AUTH_DEVICE_CLIENT_ABI_VERSION,
+	.auth_success = start_app_attach,
+	.pairing_indication = pairing_indication,
+	.display_code = display_code,
+};
+
 static const lws_system_ops_t system_ops = {
 	.set_clock = set_clock,
 };
@@ -162,6 +194,11 @@ main(int argc, const char **argv)
 
 	info.system_ops = &system_ops;
 
+	static const struct lws_protocols protocols[] = {
+		{ NULL, NULL, 0, 0, 0, NULL, 0 }
+	};
+	info.protocols = protocols;
+
 	/* Wire up cert trust bundle so wss:// connections can verify the peer */
 	info.client_ssl_ca_filepath = "/etc/ssl/certs/ca-certificates.crt";
 
@@ -201,7 +238,13 @@ main(int argc, const char **argv)
 	static struct lws_protocol_vhost_options pvo_cam_status = { &pvo_ops, NULL, "status", "ok" };
 	static struct lws_protocol_vhost_options pvo = { &pvo_cam_v4l2, &pvo_cam_status, "lws-rtc-camera", "" };
 
-	vinfo.pvo = &pvo;
+	/* For lws-auth-device-client */
+	static struct lws_protocol_vhost_options pvo_auth_api = { NULL, NULL, "lws-auth-client-api", (void *)&auth_api };
+	static struct lws_protocol_vhost_options pvo_auth_ops = { &pvo_auth_api, NULL, "app-auth-ops", (void *)&auth_ops };
+	static struct lws_protocol_vhost_options pvo_auth_status = { &pvo_auth_ops, NULL, "status", "ok" };
+	static struct lws_protocol_vhost_options pvo_auth = { &pvo, &pvo_auth_status, "lws-auth-device-client", "" };
+
+	vinfo.pvo = &pvo_auth;
 
 	cx = lws_create_context(&info);
 	if (!cx) {

plugins/CMakeLists.txt

@@ -123,6 +123,7 @@ if ((LWS_WITH_PLUGINS AND LWS_WITH_SHARED) OR LWS_WITH_PLUGINS_BUILTIN)
 
 			source_group("Headers Private"   FILES ${PLUGIN_HDR})
 			source_group("Sources"   FILES ${PLUGIN_SRCS})
+			message("CREATING PLUGIN ${PLUGIN_NAME}")
 			add_library(${PLUGIN_NAME} SHARED ${PLUGIN_SRCS} ${PLUGIN_HDR})
 			target_link_libraries(${PLUGIN_NAME} websockets_shared)
 			add_dependencies(${PLUGIN_NAME} websockets_shared)