-rw-r--r-- | doc/webid-oidc.texi | 30 | ||||
-rw-r--r-- | po/fr.po | 415 | ||||
-rw-r--r-- | po/webid-oidc.pot | 413 | ||||
-rw-r--r-- | src/scm/webid-oidc/client.scm | 3 | ||||
-rw-r--r-- | src/scm/webid-oidc/dpop-proof.scm | 34 | ||||
-rw-r--r-- | src/scm/webid-oidc/errors.scm | 39 | ||||
-rw-r--r-- | src/scm/webid-oidc/resource-server.scm | 10 | ||||
-rw-r--r-- | tests/Makefile.am | 3 | ||||
-rw-r--r-- | tests/dpop-proof-invalid-ath.scm | 73 | ||||
-rw-r--r-- | tests/dpop-proof-no-ath.scm | 59 | ||||
-rw-r--r-- | tests/dpop-proof-valid-ath.scm | 60 | ||||
-rw-r--r-- | tests/resource-server.scm | 3 |
12 files changed, 727 insertions, 415 deletions
diff --git a/doc/webid-oidc.texi b/doc/webid-oidc.texi index a6852a8..2ad0ca8 100644 --- a/doc/webid-oidc.texi +++ b/doc/webid-oidc.texi @@ -263,10 +263,11 @@ the proof is not checked by this function. @deffnx function dpop-proof-htm @var{proof} @deffnx function dpop-proof-htu @var{proof} @deffnx function dpop-proof-iat @var{proof} +@deffnx function dpop-proof-ath @var{proof} Get the corresponding field of the proof. @end deffn -@deffn function dpop-proof-decode @var{current-time} @var{jti-list} @var{method} @var{uri} @var{str} @var{cnf/check} +@deffn function dpop-proof-decode @var{current-time} @var{jti-list} @var{method} @var{uri} @var{str} @var{cnf/check} @var{[#:access-token]} Check and decode a DPoP proof encoded as @var{str}. The @var{current-time} is passed as a date, time or number (of @@ -279,10 +280,14 @@ is reached. See the @code{make-jti-list} function. The proof is limited to the scope of one @var{uri} and one @var{method} (@code{'GET}, @code{'POST} and so on). -Finally, the key that is used to sign the proof should be confirmed by -the identity provider. To this end, the @var{cnf/check} function is -called with the fingerprint of the key. The function should check that -the fingerprint is OK (return a boolean). +The key that is used to sign the proof should be confirmed by the +identity provider. To this end, the @var{cnf/check} function is called +with the fingerprint of the key. The function should check that the +fingerprint is OK (return a boolean). + +Finally, when the DPoP proof is tied to an access token (so, for all +uses except requesting an access token or a refresh token), it must be +bound to an @var{access-token}. @end deffn @deffn function make-jti-list 
@@ -296,11 +301,13 @@ Encode the proof and sign it with @var{key}. To generate valid proofs, field of the proof. @end deffn -@deffn function issue-dpop-proof @var{client-key} @var{#alg} @var{#htm} @var{#htu} @var{#iat} +@deffn function issue-dpop-proof @var{client-key} @var{#alg} @var{#htm} @var{#htu} @var{#iat} {[#:@var{access-token}=#f]} Create a proof, sign it and encode it with @var{client-key}. @var{client-key} should contain both the private and public key, because the public part is written in the proof and the -private part is used to sign it. +private part is used to sign it. For most uses, the DPoP proof should +be encoded for a specific access token. Only token requests should +omit the @samp{access-token} field. @end deffn @node Generic JWTs @@ -932,6 +939,10 @@ The @var{value} of the htm field in the DPoP proof is incorrect. The @var{value} of the htu field in the DPoP proof is incorrect. @end deftp +@deftp {exception type} &incorrect-ath-field @var{value} +The @var{value} of the ath field is not the hash of the access token. +@end deftp + @deftp {exception type} &incorrect-redirect-uris-field @var{value} The @var{value} of the redirect-uris field of a client manifest is incorrect. @@ -1180,6 +1191,11 @@ function was passed as @var{cnf/check}) the @var{cause} exception occurred while confirming. @end deftp +@deftp {exception type} &dpop-invalid-access-token-hash @var{hash} @var{access-token} +The @var{access-token} passed to the resource server does not match +the @var{hash} provided in the DPoP proof. +@end deftp + @deftp {exception type} &jti-found @var{jti} @var{cause} The @var{jti} of the proof has already been issued in a recent past. @end deftp 
@@ -2,8 +2,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: webid-oidc 0.0.0\n"
 "Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n"
-"POT-Creation-Date: 2021-07-08 00:38+0200\n"
-"PO-Revision-Date: 2021-07-06 13:25+0200\n"
+"POT-Creation-Date: 2021-07-22 11:08+0200\n"
+"PO-Revision-Date: 2021-07-22 11:10+0200\n"
 "Last-Translator: Vivien Kraus <vivien@planete-kraus.eu>\n"
 "Language-Team: French <vivien@planete-kraus.eu>\n"
 "Language: fr\n"
@@ -126,101 +126,101 @@ msgstr "Utilisation : generate-random [NOMBRE D'OCTETS]\n" msgid "Usage: generate-key [NUMBER OF BITS | CURVE]\n" msgstr "Utilisation : generate-key [NOMBRE DE BITS | COURBE]\n" -#: src/scm/webid-oidc/errors.scm:1064 +#: src/scm/webid-oidc/errors.scm:1090 msgid "that’s how it is" msgstr "c’est comme ça" -#: src/scm/webid-oidc/errors.scm:1069 +#: src/scm/webid-oidc/errors.scm:1095 #, scheme-format msgid "the value ~s is not a base64 string (because ~a)" msgstr "la valeur ~s n’est pas une chaîne base64 (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1072 +#: src/scm/webid-oidc/errors.scm:1098 #, scheme-format msgid "the value ~s is not JSON (because ~a)" msgstr "la valeur ~s n’est pas du JSON (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1075 +#: src/scm/webid-oidc/errors.scm:1101 #, scheme-format msgid "the value ~s is not Turtle (because ~a)" msgstr "la valeur ~s n’est pas du Turtle (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1078 +#: src/scm/webid-oidc/errors.scm:1104 #, scheme-format msgid "the value ~s does not identify an elleptic curve" msgstr "la valeur ~s n’identifie pas une courbe elliptique" -#: src/scm/webid-oidc/errors.scm:1083 +#: src/scm/webid-oidc/errors.scm:1109 #, scheme-format msgid "the value ~s does not identify a JWK (because ~a)" msgstr "la valeur ~s n’identifie pas une JWK (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1085 +#: src/scm/webid-oidc/errors.scm:1111 #, scheme-format msgid "the value ~s does not identify a JWK" msgstr "la valeur ~s n’identifie pas une JWK" -#: src/scm/webid-oidc/errors.scm:1090 +#: src/scm/webid-oidc/errors.scm:1116 #, scheme-format msgid "the value ~s does not identify a public JWK (because ~a)" msgstr "la valeur ~s n’identifie pas une JWK publique (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1092 +#: src/scm/webid-oidc/errors.scm:1118 #, scheme-format msgid "the value ~s does not identify a public JWK" msgstr "la valeur ~s n’identifie pas une JWK publique" -#: 
src/scm/webid-oidc/errors.scm:1097 +#: src/scm/webid-oidc/errors.scm:1123 #, scheme-format msgid "the value ~s does not identify a private JWK (because ~a)" msgstr "la valeur ~s n’identifie pas une JWK privée (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1099 +#: src/scm/webid-oidc/errors.scm:1125 #, scheme-format msgid "the value ~s does not identify a private JWK" msgstr "la valeur ~s n’identifie pas une JWK privée" -#: src/scm/webid-oidc/errors.scm:1104 +#: src/scm/webid-oidc/errors.scm:1130 #, scheme-format msgid "the value ~s does not identify a JWKS (because ~a)" msgstr "la valeur ~s n’identifie pas un JWKS (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1106 +#: src/scm/webid-oidc/errors.scm:1132 #, scheme-format msgid "the value ~s does not identify a JWKS" msgstr "la valeur ~s n’identifie pas un JWKS" -#: src/scm/webid-oidc/errors.scm:1109 +#: src/scm/webid-oidc/errors.scm:1135 #, scheme-format msgid "the value ~s does not identify a hash algorithm" msgstr "la valeur ~s n’identifie pas un algorithme de hachage" -#: src/scm/webid-oidc/errors.scm:1112 +#: src/scm/webid-oidc/errors.scm:1138 #, scheme-format msgid "the value ~s is not an alist or misses key ~s" msgstr "la valeur ~s n’est pas une alist ou il manque la clé ~s" -#: src/scm/webid-oidc/errors.scm:1115 +#: src/scm/webid-oidc/errors.scm:1141 #, scheme-format msgid "the value ~s is not a JWS header (because ~a)" msgstr "la valeur ~s n’est pas un header JWS (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1118 +#: src/scm/webid-oidc/errors.scm:1144 #, scheme-format msgid "the value ~s is not a JWS payload (because ~a)" msgstr "la valeur ~s n’est pas un contenu JWS (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1121 +#: src/scm/webid-oidc/errors.scm:1147 #, scheme-format msgid "the value ~s is not a JWS (because ~a)" msgstr "la valeur ~s n’est pas un JWS (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1124 +#: src/scm/webid-oidc/errors.scm:1150 #, scheme-format msgid "the string ~s cannot be 
split in 3 parts with ~s" msgstr "la chaîne ~s ne peut pas être découpée en 3 parties avec ~s" -#: src/scm/webid-oidc/errors.scm:1127 +#: src/scm/webid-oidc/errors.scm:1153 #, scheme-format msgid "" "all key candidates failed to verify signature ~s with algorithm ~s and " @@ -229,17 +229,17 @@ msgstr "" "aucune clé candidate n’a pu vérifier la signature ~s avec l’algorithme ~s et " "le contenu ~a (il y en avait ~a : ~s)" -#: src/scm/webid-oidc/errors.scm:1130 +#: src/scm/webid-oidc/errors.scm:1156 #, scheme-format msgid "I cannot decode JWS ~a (because ~a)" msgstr "je n’ai pas pu décoder le JWS encodé par ~a (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1133 +#: src/scm/webid-oidc/errors.scm:1159 #, scheme-format msgid "I cannot encode JWS ~a (because ~a)" msgstr "je n’ai pas pu encoder le JWS ~a (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1136 +#: src/scm/webid-oidc/errors.scm:1162 #, scheme-format msgid "" "the server request unexpectedly failed with code ~a and reason phrase ~s" 
@@ -247,338 +247,357 @@ msgstr "" "la requête au serveur a échoué de façon inattendue avec un code ~a et une " "raison ~s" -#: src/scm/webid-oidc/errors.scm:1141 +#: src/scm/webid-oidc/errors.scm:1167 #, scheme-format msgid "the header ~a should not have the value ~s" msgstr "l’en-tête ~a ne devrait pas avoir la valeur ~s" -#: src/scm/webid-oidc/errors.scm:1143 +#: src/scm/webid-oidc/errors.scm:1169 #, scheme-format msgid "the header ~a should be present" msgstr "l’en-tête ~a devrait être présent" -#: src/scm/webid-oidc/errors.scm:1146 +#: src/scm/webid-oidc/errors.scm:1172 #, scheme-format msgid "the server response wasn't expected: ~s (because ~a)" msgstr "la réponse du serveur est inattendue : ~s (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1152 +#: src/scm/webid-oidc/errors.scm:1178 #, scheme-format msgid "the value ~s is not an OIDC configuration (because ~a)" msgstr "la valeur ~s n’est pas une configuration OIDC (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1157 +#: src/scm/webid-oidc/errors.scm:1183 #, scheme-format msgid "the webid field is incorrect: ~s" msgstr "le champ webid est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:1158 +#: src/scm/webid-oidc/errors.scm:1184 msgid "the webid field is missing" msgstr "le champ webid est manquant" -#: src/scm/webid-oidc/errors.scm:1162 +#: src/scm/webid-oidc/errors.scm:1188 #, scheme-format msgid "the sub field is incorrect: ~s" msgstr "le champ sub est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:1163 +#: src/scm/webid-oidc/errors.scm:1189 msgid "the sub field is missing" msgstr "le champ sub est manquant" -#: src/scm/webid-oidc/errors.scm:1167 +#: src/scm/webid-oidc/errors.scm:1193 #, scheme-format msgid "the iss field is incorrect: ~s" msgstr "le champ iss est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:1168 +#: src/scm/webid-oidc/errors.scm:1194 msgid "the iss field is missing" msgstr "le champ iss est manquant" -#: src/scm/webid-oidc/errors.scm:1172 +#: 
src/scm/webid-oidc/errors.scm:1198 #, scheme-format msgid "the aud field is incorrect: ~s" msgstr "le champ aud est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:1173 +#: src/scm/webid-oidc/errors.scm:1199 msgid "the aud field is missing" msgstr "le champ aud est manquant" -#: src/scm/webid-oidc/errors.scm:1177 +#: src/scm/webid-oidc/errors.scm:1203 #, scheme-format msgid "the iat field is incorrect: ~s" msgstr "le champ iat est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:1178 +#: src/scm/webid-oidc/errors.scm:1204 msgid "the iat field is missing" msgstr "le champ iat est manquant" -#: src/scm/webid-oidc/errors.scm:1182 +#: src/scm/webid-oidc/errors.scm:1208 #, scheme-format msgid "the exp field is incorrect: ~s" msgstr "le champ exp est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:1183 +#: src/scm/webid-oidc/errors.scm:1209 msgid "the exp field is missing" msgstr "le champ exp est manquant" -#: src/scm/webid-oidc/errors.scm:1187 +#: src/scm/webid-oidc/errors.scm:1213 #, scheme-format msgid "the cnf/jkt field is incorrect: ~s" msgstr "le champ cnf/jkt est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:1188 +#: src/scm/webid-oidc/errors.scm:1214 msgid "the cnf/jkt field is missing" msgstr "le champ cnf/jkt est manquant" -#: src/scm/webid-oidc/errors.scm:1192 +#: src/scm/webid-oidc/errors.scm:1218 #, scheme-format msgid "the client-id field is incorrect: ~s" msgstr "le champ client-id est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:1193 +#: src/scm/webid-oidc/errors.scm:1219 msgid "the client-id field is missing" msgstr "le champ client-id est manquant" -#: src/scm/webid-oidc/errors.scm:1197 +#: src/scm/webid-oidc/errors.scm:1223 #: src/scm/webid-oidc/authorization-page-unsafe.scm:149 #, scheme-format msgid "the redirect_uris field is incorrect: ~s" msgstr "le champ redirect_uris est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:1198 +#: src/scm/webid-oidc/errors.scm:1224 #: src/scm/webid-oidc/authorization-page-unsafe.scm:150 msgid "the 
redirect_uris field is missing" msgstr "le champ redirect_uris est manquant" -#: src/scm/webid-oidc/errors.scm:1202 +#: src/scm/webid-oidc/errors.scm:1228 #, scheme-format msgid "the typ field is incorrect: ~s" msgstr "le champ typ est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:1203 +#: src/scm/webid-oidc/errors.scm:1229 msgid "the typ field is missing" msgstr "le champ typ est manquant" -#: src/scm/webid-oidc/errors.scm:1207 +#: src/scm/webid-oidc/errors.scm:1233 #, scheme-format msgid "the jwk field is incorrect: ~s (because ~a)" msgstr "le champ jwk est incorrect : ~s (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1209 +#: src/scm/webid-oidc/errors.scm:1235 msgid "the jwk field is missing" msgstr "le champ jwk est manquant" -#: src/scm/webid-oidc/errors.scm:1213 +#: src/scm/webid-oidc/errors.scm:1239 #, scheme-format msgid "the jti field is incorrect: ~s" msgstr "le champ jti est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:1214 +#: src/scm/webid-oidc/errors.scm:1240 msgid "the jti field is missing" msgstr "le champ jti est manquant" -#: src/scm/webid-oidc/errors.scm:1218 +#: src/scm/webid-oidc/errors.scm:1244 #, scheme-format msgid "the nonce field is incorrect: ~s" msgstr "le champ nonce est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:1219 +#: src/scm/webid-oidc/errors.scm:1245 msgid "the nonce field is missing" msgstr "le champ nonce est manquant" -#: src/scm/webid-oidc/errors.scm:1223 +#: src/scm/webid-oidc/errors.scm:1249 #, scheme-format msgid "the htm field is incorrect: ~s" msgstr "le champ htm est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:1224 +#: src/scm/webid-oidc/errors.scm:1250 msgid "the htm field is missing" msgstr "le champ htm est manquant" -#: src/scm/webid-oidc/errors.scm:1228 +#: src/scm/webid-oidc/errors.scm:1254 #, scheme-format msgid "the htu field is incorrect: ~s" msgstr "le champ htu est incorrect : ~s" -#: src/scm/webid-oidc/errors.scm:1229 +#: src/scm/webid-oidc/errors.scm:1255 msgid "the htu field is 
missing" msgstr "le champ htu est manquant" -#: src/scm/webid-oidc/errors.scm:1231 +#: src/scm/webid-oidc/errors.scm:1259 +#, scheme-format +msgid "the ath field is incorrect: ~s" +msgstr "le champ ath est incorrect : ~s" + +#: src/scm/webid-oidc/errors.scm:1260 +msgid "the ath field is missing" +msgstr "le champ ath est manquant" + +#: src/scm/webid-oidc/errors.scm:1262 #, scheme-format msgid "~s is not an access token (because ~a)" msgstr "~s n’est pas un jeton d’accès (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1234 +#: src/scm/webid-oidc/errors.scm:1265 #, scheme-format msgid "~s is not an access token header (because ~a)" msgstr "~s n’est pas un en-tête de jeton d’accès (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1237 +#: src/scm/webid-oidc/errors.scm:1268 #, scheme-format msgid "~s is not an access token payload (because ~a)" msgstr "~s n’est pas un contenu de jeton d’accès (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1240 +#: src/scm/webid-oidc/errors.scm:1271 #, scheme-format msgid "~s is not a DPoP proof (because ~a)" msgstr "~s n’est pas une preuve DPoP (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1243 +#: src/scm/webid-oidc/errors.scm:1274 #, scheme-format msgid "~s is not a DPoP proof header (because ~a)" msgstr "~s n’est pas un en-tête de preuve DPoP (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1246 +#: src/scm/webid-oidc/errors.scm:1277 #, scheme-format msgid "~s is not a DPoP proof payload (because ~a)" msgstr "~s n’est pas un contenu de preuve DPoP (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1249 +#: src/scm/webid-oidc/errors.scm:1280 #, scheme-format msgid "I cannot fetch the issuer configuration of ~a (because ~a)" msgstr "" "je n’ai pas pu récupérer la configuration de l’émetteur ~a (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1256 +#: src/scm/webid-oidc/errors.scm:1287 #, scheme-format msgid "I cannot fetch the JWKS of ~a at ~a (because ~a)" msgstr "je n’ai pas pu récupérer le JWKS de ~a à ~a (parce que ~a)" 
-#: src/scm/webid-oidc/errors.scm:1267 +#: src/scm/webid-oidc/errors.scm:1298 #, scheme-format msgid "the HTTP method is signed for ~s, but ~s was requested" msgstr "la méthode HTTP a été signée pour ~s, mais ~s a été demandé" -#: src/scm/webid-oidc/errors.scm:1270 +#: src/scm/webid-oidc/errors.scm:1301 #, scheme-format msgid "the HTTP uri is signed for ~a, but ~a was requested" msgstr "l’uri HTTP a été signé pour ~a, mais ~a a été demandé" -#: src/scm/webid-oidc/errors.scm:1273 +#: src/scm/webid-oidc/errors.scm:1304 #, scheme-format msgid "the date is ~a, but the DPoP proof is signed in the future at ~a" msgstr "la date est ~a, mais la preuve DPoP a été signée dans le futur à ~a" -#: src/scm/webid-oidc/errors.scm:1277 +#: src/scm/webid-oidc/errors.scm:1308 #, scheme-format msgid "the date is ~a, but the DPoP proof was signed too long ago at ~a" msgstr "" "la date est ~a, mais la preuve DPoP a été signée il y a trop longtemps à ~a" -#: src/scm/webid-oidc/errors.scm:1286 +#: src/scm/webid-oidc/errors.scm:1317 #, scheme-format msgid "the key ~s does not hash to ~a" msgstr "la clé ~s ne donne pas un hash de ~a" -#: src/scm/webid-oidc/errors.scm:1288 +#: src/scm/webid-oidc/errors.scm:1319 #, scheme-format msgid "the key confirmation of ~s failed (because ~a)" msgstr "la confirmation de clé de ~s a échoué (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1290 +#: src/scm/webid-oidc/errors.scm:1321 #, scheme-format msgid "the key confirmation of ~s failed" msgstr "la confirmation de la clé ~s a échoué" -#: src/scm/webid-oidc/errors.scm:1292 +#: src/scm/webid-oidc/errors.scm:1326 +#, scheme-format +msgid "the DPoP proof is bound to an access token with hash ~s, not ~s" +msgstr "la preuve DPoP est liée à un jeton d’accès haché en ~s, pas ~s" + +#: src/scm/webid-oidc/errors.scm:1328 +#, scheme-format +msgid "the DPoP proof should be bound to the access token ~s" +msgstr "la preuve DPoP doit être liée au jeton d’accès ~s" + +#: src/scm/webid-oidc/errors.scm:1331 #, 
scheme-format msgid "the jti ~s has already been found (because ~a)" msgstr "le jti ~s a déjà été trouvé (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1295 +#: src/scm/webid-oidc/errors.scm:1334 #, scheme-format msgid "I cannot decode ~s as an access token (because ~a)" msgstr "je n’ai pas pu décoder ~s comme jeton d’accès (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1298 +#: src/scm/webid-oidc/errors.scm:1337 #, scheme-format msgid "I cannot encode ~s as an access token with key ~s (because ~a)" msgstr "" "je n’ai pas pu encoder ~s comme un jeton d’accès avec la clé ~s (parce que " "~a)" -#: src/scm/webid-oidc/errors.scm:1301 +#: src/scm/webid-oidc/errors.scm:1340 #, scheme-format msgid "I cannot decode ~s as a DPoP proof (because ~a)" msgstr "je n’ai pas pu décoder ~s comme preuve DPoP (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1304 +#: src/scm/webid-oidc/errors.scm:1343 #, scheme-format msgid "I cannot encode ~s as a DPoP proof (because ~a)" msgstr "je n’ai pas pu encoder ~s comme une preuve DPoP (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1307 +#: src/scm/webid-oidc/errors.scm:1346 #, scheme-format msgid "I could not fetch a RDF graph at ~a (because ~a)" msgstr "je n’ai pas pu récupérer de graphe RDF à ~a (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1310 +#: src/scm/webid-oidc/errors.scm:1349 #, scheme-format msgid "~s is not a client manifest (because ~a)" msgstr "~s n’est pas un manifeste client (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1313 +#: src/scm/webid-oidc/errors.scm:1352 #, scheme-format msgid "~s does not authorize redirection URI ~a" msgstr "~s n’autorise pas l’URI de redirection ~a" -#: src/scm/webid-oidc/errors.scm:1316 +#: src/scm/webid-oidc/errors.scm:1355 msgid "I cannot serve a public manifest" msgstr "je ne peux pas servir un manifeste public" -#: src/scm/webid-oidc/errors.scm:1318 +#: src/scm/webid-oidc/errors.scm:1357 #, scheme-format msgid "~a does not have a client manifest registration triple" msgstr 
"~a n’a pas de triplet d’enregistrement de manifeste client" -#: src/scm/webid-oidc/errors.scm:1321 +#: src/scm/webid-oidc/errors.scm:1360 #, scheme-format msgid "the client manifest at ~a is advertised for ~a" msgstr "le manifeste client ~a est publié pour ~a" -#: src/scm/webid-oidc/errors.scm:1324 +#: src/scm/webid-oidc/errors.scm:1363 #, scheme-format msgid "I could not fetch the client manifest of ~a (because ~a)" msgstr "je n’ai pas pu récupérer le manifeste client de ~a (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1327 +#: src/scm/webid-oidc/errors.scm:1366 #, scheme-format msgid "~s is not an authorization code (because ~a)" msgstr "~s n’est pas un code d’autorisation (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1330 +#: src/scm/webid-oidc/errors.scm:1369 #, scheme-format msgid "~s is not an authorization code header (because ~a)" msgstr "~s n’est pas un en-tête de code d’autorisation (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1333 +#: src/scm/webid-oidc/errors.scm:1372 #, scheme-format msgid "~s is not an authorization code payload (because ~a)" msgstr "~s n’est pas un contenu de code d’autorisation (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1336 +#: src/scm/webid-oidc/errors.scm:1375 #, scheme-format msgid "the current time is ~a, and the authorization code expired at ~a" msgstr "" "la date est actuellement ~a, et le code d’autorisation a expiré à la date ~a" -#: src/scm/webid-oidc/errors.scm:1340 +#: src/scm/webid-oidc/errors.scm:1379 #, scheme-format msgid "I cannot decode ~s as an authorization code (because ~a)" msgstr "je n’ai pas pu décoder ~s comme un code d’autorisation (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1343 +#: src/scm/webid-oidc/errors.scm:1382 #, scheme-format msgid "I cannot encode ~s as an authorization code (because ~a)" msgstr "je n’ai pas pu encoder ~s comme un code d’autorisation (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1346 +#: src/scm/webid-oidc/errors.scm:1385 #, scheme-format msgid 
"there is no such refresh token as ~s" msgstr "il n’y a pas de jeton de rafraîchissement ~s" -#: src/scm/webid-oidc/errors.scm:1349 +#: src/scm/webid-oidc/errors.scm:1388 #, scheme-format msgid "" "the refresh token is bound to a key confirmed as ~s, but it is used with key " 
@@ -587,45 +606,45 @@ msgstr "" "Le jeton de rafraîchissement est lié à une clé confirmée par ~s, mais il est " "utilisé avec la clé ~s" -#: src/scm/webid-oidc/errors.scm:1352 +#: src/scm/webid-oidc/errors.scm:1391 #, scheme-format msgid "I cannot decode ~s as an ID token (because ~a)" msgstr "je n’ai pas pu décoder ~s comme jeton d’identité (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1355 +#: src/scm/webid-oidc/errors.scm:1394 #, scheme-format msgid "I cannot encode ~s as an ID token (because ~a)" msgstr "je n’ai pas pu encoder ~s comme un jeton d’identité (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1358 +#: src/scm/webid-oidc/errors.scm:1397 #, scheme-format msgid "the grant type ~s is not supported" msgstr "le type d’octroi ~s n’est pas supporté " -#: src/scm/webid-oidc/errors.scm:1361 +#: src/scm/webid-oidc/errors.scm:1400 msgid "there is no authorization code in the request" msgstr "il n’y a pas de code d’autorisation dans la requête" -#: src/scm/webid-oidc/errors.scm:1363 +#: src/scm/webid-oidc/errors.scm:1402 msgid "there is no refresh token in the request" msgstr "il n’y a pas de jeton de rafraîchissement dans la requête" -#: src/scm/webid-oidc/errors.scm:1365 +#: src/scm/webid-oidc/errors.scm:1404 #, scheme-format msgid "~s is not an ID token (because ~a)" msgstr "~s n’est pas un jeton d’identité (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1368 +#: src/scm/webid-oidc/errors.scm:1407 #, scheme-format msgid "~s is not an ID token header (because ~a)" msgstr "~s n’est pas un en-tête de jeton d’identité (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1371 +#: src/scm/webid-oidc/errors.scm:1410 #, scheme-format msgid "~s is not an ID token payload (because ~a)" msgstr "~s n’est pas un contenu de jeton d’identité (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1374 +#: src/scm/webid-oidc/errors.scm:1413 #, scheme-format msgid "" "I couldn’t set the locale to ~s as an approximation of the client locale ~s" 
@@ -633,12 +652,12 @@ msgstr "" "je n’ai pas pu définir la locale à ~s comme approximation de la locale du " "client ~s" -#: src/scm/webid-oidc/errors.scm:1377 +#: src/scm/webid-oidc/errors.scm:1416 #, scheme-format msgid "~s does not admit ~s as an identity provider" msgstr "~s n’admet pas ~s comme fournisseur d’identité" -#: src/scm/webid-oidc/errors.scm:1380 +#: src/scm/webid-oidc/errors.scm:1419 #, scheme-format msgid "" "~a is neither an identity provider (because ~a) nor a webid (because ~a)" 
@@ -646,76 +665,76 @@ msgstr "" "~a n’est ni un fournisseur d’identité (parce que ~a) ni un webid (parce que " "~a)" -#: src/scm/webid-oidc/errors.scm:1385 +#: src/scm/webid-oidc/errors.scm:1424 #, scheme-format msgid "the token request failed (because ~a)" msgstr "la requête de jeton a échoué (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1388 +#: src/scm/webid-oidc/errors.scm:1427 #, scheme-format msgid "you don’t have a refresh token for identity ~a certified by ~a in ~s" msgstr "" "vous n’avez pas de jeton de rafraîchissement pour l’identité ~a certifié par " "~a dans ~s" -#: src/scm/webid-oidc/errors.scm:1393 +#: src/scm/webid-oidc/errors.scm:1432 #, scheme-format msgid "all identity provider candidates for ~a failed: ~a" msgstr "tous les candidats de fournisseurs d’identité pour ~a ont échoué : ~a" -#: src/scm/webid-oidc/errors.scm:1397 +#: src/scm/webid-oidc/errors.scm:1436 #, scheme-format msgid "~s failed (because ~a)" msgstr "~s a échoué (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1400 +#: src/scm/webid-oidc/errors.scm:1439 msgid ", " msgstr ", " -#: src/scm/webid-oidc/errors.scm:1402 +#: src/scm/webid-oidc/errors.scm:1441 #, scheme-format msgid "no resource has been found to serve URI path ~s" msgstr "aucune ressource n’a été trouvée pour servir le chemin d’URI ~s" -#: src/scm/webid-oidc/errors.scm:1405 +#: src/scm/webid-oidc/errors.scm:1444 #, scheme-format msgid "the resource kind ~s is absent for the resource at ~s" msgstr "le type de ressource ~s est absent pour la ressource ~s" -#: src/scm/webid-oidc/errors.scm:1408 +#: src/scm/webid-oidc/errors.scm:1447 #, scheme-format msgid "no resource has been found to serve URI path ~s, but ~s exists" msgstr "" "aucune ressource n’a été trouvée pour servir le chemin d’URI ~s, mais ~s " "existe" -#: src/scm/webid-oidc/errors.scm:1411 +#: src/scm/webid-oidc/errors.scm:1450 msgid "the root storage cannot be deleted" msgstr "le stockage racine ne peut pas être détruit" -#: 
src/scm/webid-oidc/errors.scm:1413 +#: src/scm/webid-oidc/errors.scm:1452 #, scheme-format msgid "the container ~s should be emptied before being deleted" msgstr "le conteneur ~s doit être vidé avant d’être détruit" -#: src/scm/webid-oidc/errors.scm:1416 +#: src/scm/webid-oidc/errors.scm:1455 #, scheme-format msgid "the group ~s cannot be fetched (because ~a)" msgstr "le groupe ~s n’a pas pu être récupéré (parce que ~a)" -#: src/scm/webid-oidc/errors.scm:1420 +#: src/scm/webid-oidc/errors.scm:1459 #, scheme-format msgid "the containment triples in the request to update ~s are not up to date" msgstr "" "les triplets de contention dans la requête pour changer ~s ne sont pas à jour" -#: src/scm/webid-oidc/errors.scm:1423 +#: src/scm/webid-oidc/errors.scm:1462 #, scheme-format msgid "the server cannot process resources with the ~s content-type" msgstr "" "le serveur ne peut pas traiter des ressources avec le type de contenu ~s" -#: src/scm/webid-oidc/errors.scm:1426 +#: src/scm/webid-oidc/errors.scm:1465 #, scheme-format msgid "" "the client wants to create a resource at ~s, which is reserved for an " @@ -724,7 +743,7 @@ msgstr "" "le client veut créer une ressource en tant que ~s, qui est réservé pour une " "ressource auxiliare" -#: src/scm/webid-oidc/errors.scm:1429 +#: src/scm/webid-oidc/errors.scm:1468 #, scheme-format msgid "" "the operation on ~s by ~a is refused, because it’s not by ~s and the access " @@ -733,11 +752,11 @@ msgstr "" "l’opération sur ~s par ~a est refusée, parce que ce n’est pas ~s et le " "contrôle d’accès refuse le mode d’opération suivant : ~s" -#: src/scm/webid-oidc/errors.scm:1433 +#: src/scm/webid-oidc/errors.scm:1472 msgid "an anonymous user" msgstr "un utilisateur anonyme" -#: src/scm/webid-oidc/errors.scm:1438 +#: src/scm/webid-oidc/errors.scm:1477 #, scheme-format msgid "" "the client precondition failed for ~s: it allows for ~s, forbids ~s, but the " 
@@ -746,7 +765,7 @@ msgstr "" "la précondition du client a échoué pour ~s : elle autorise ~s, interdit ~s, " "mais la ressource a une représentation ~s" -#: src/scm/webid-oidc/errors.scm:1440 +#: src/scm/webid-oidc/errors.scm:1479 #, scheme-format msgid "" "the client precondition failed for ~s: it allows for ~s, forbids ~s, but the " @@ -755,7 +774,7 @@ msgstr "" "la précondition du client a échoué pour ~s : elle autorise ~s, interdit ~s, " "mais la ressource n’a pas de représentation" -#: src/scm/webid-oidc/errors.scm:1443 +#: src/scm/webid-oidc/errors.scm:1482 #, scheme-format msgid "" "the client wanted a response with a content type among ~s, but the resource " 
@@ -765,77 +784,77 @@ msgstr "" "ressource ~s a un type de contenu ~s qui ne peut pas être converti vers l’un " "d’eux" -#: src/scm/webid-oidc/errors.scm:1450 +#: src/scm/webid-oidc/errors.scm:1489 msgid "that’s it" msgstr "c’est tout" -#: src/scm/webid-oidc/errors.scm:1454 +#: src/scm/webid-oidc/errors.scm:1493 #, scheme-format msgid "~a and ~a" msgstr "~a et ~a" -#: src/scm/webid-oidc/errors.scm:1457 +#: src/scm/webid-oidc/errors.scm:1496 #, scheme-format msgid "~a, ~a" msgstr "~a, ~a" -#: src/scm/webid-oidc/errors.scm:1461 +#: src/scm/webid-oidc/errors.scm:1500 #, scheme-format msgid "the signature ~a does not match key ~s with payload ~a" msgstr "la signature ~a ne correspond pas à la clé ~s avec le contenu ~a" -#: src/scm/webid-oidc/errors.scm:1464 +#: src/scm/webid-oidc/errors.scm:1503 #, scheme-format msgid "the request failed unexpectedly with code ~a: ~s" msgstr "" "la requête au serveur a échoué de façon inattendue avec un code ~a : ~s" -#: src/scm/webid-oidc/errors.scm:1468 +#: src/scm/webid-oidc/errors.scm:1507 msgid "there is an undefined variable" msgstr "il y a une variable non définie" -#: src/scm/webid-oidc/errors.scm:1470 +#: src/scm/webid-oidc/errors.scm:1509 #, scheme-format msgid "the origin is ~a" msgstr "l’origine est ~a" -#: src/scm/webid-oidc/errors.scm:1473 +#: src/scm/webid-oidc/errors.scm:1512 #, scheme-format msgid "a message is attached: ~a" msgstr "un message est attaché : ~a" -#: src/scm/webid-oidc/errors.scm:1476 +#: src/scm/webid-oidc/errors.scm:1515 #, scheme-format msgid "the values ~s are problematic" msgstr "les valeurs ~s sont problématiques" -#: src/scm/webid-oidc/errors.scm:1479 +#: src/scm/webid-oidc/errors.scm:1518 #, scheme-format msgid "there is a kind (~s) and args ~s" msgstr "il y a un type (~s) et des arguments ~s" -#: src/scm/webid-oidc/errors.scm:1482 +#: src/scm/webid-oidc/errors.scm:1521 msgid "there is an assertion failure" msgstr "il y a un échec d’assertion" -#: src/scm/webid-oidc/errors.scm:1484 +#: 
src/scm/webid-oidc/errors.scm:1523 #, scheme-format msgid "the program quits with code ~a" msgstr "le programme quitte avec le code ~a" -#: src/scm/webid-oidc/errors.scm:1487 +#: src/scm/webid-oidc/errors.scm:1526 msgid "the program cannot recover from this exception" msgstr "le programme ne peut pas récupérer après cette exception" -#: src/scm/webid-oidc/errors.scm:1489 +#: src/scm/webid-oidc/errors.scm:1528 msgid "there is an external error" msgstr "il y a une erreur externe" -#: src/scm/webid-oidc/errors.scm:1491 +#: src/scm/webid-oidc/errors.scm:1530 msgid "there is an error" msgstr "il y a une erreur" -#: src/scm/webid-oidc/errors.scm:1493 +#: src/scm/webid-oidc/errors.scm:1532 #, scheme-format msgid "Unhandled exception type ~a." msgstr "Type d’exception non pris en charge ~a." @@ -993,15 +1012,15 @@ msgid "Warning: ~a\n" msgstr "Avertissement : ~a\n" #: src/scm/webid-oidc/hello-world.scm:48 src/scm/webid-oidc/example-app.scm:116 -#: src/scm/webid-oidc/program.scm:226 +#: src/scm/webid-oidc/program.scm:204 msgid "command-line|version" msgstr "version" -#: src/scm/webid-oidc/hello-world.scm:50 src/scm/webid-oidc/program.scm:228 +#: src/scm/webid-oidc/hello-world.scm:50 src/scm/webid-oidc/program.scm:206 msgid "command-line|complete-corresponding-source" msgstr "code-source-correspondant-complet" -#: src/scm/webid-oidc/hello-world.scm:52 src/scm/webid-oidc/program.scm:230 +#: src/scm/webid-oidc/hello-world.scm:52 src/scm/webid-oidc/program.scm:208 msgid "command-line|help" msgstr "aide" 
@@ -1009,11 +1028,11 @@ msgstr "aide" msgid "command-line|port" msgstr "port" -#: src/scm/webid-oidc/hello-world.scm:56 src/scm/webid-oidc/program.scm:260 +#: src/scm/webid-oidc/hello-world.scm:56 src/scm/webid-oidc/program.scm:238 msgid "command-line|log-file" msgstr "fichier-journal" -#: src/scm/webid-oidc/hello-world.scm:58 src/scm/webid-oidc/program.scm:262 +#: src/scm/webid-oidc/hello-world.scm:58 src/scm/webid-oidc/program.scm:240 msgid "command-line|error-file" msgstr "fichier-erreur" @@ -1072,12 +1091,12 @@ msgstr "" " redirige la sortie d’erreur du programme vers ce fichier.\n" #: src/scm/webid-oidc/hello-world.scm:103 -#: src/scm/webid-oidc/example-app.scm:159 src/scm/webid-oidc/program.scm:516 +#: src/scm/webid-oidc/example-app.scm:159 src/scm/webid-oidc/program.scm:494 #, scheme-format msgid "~a version ~a\n" msgstr "~a version ~a\n" -#: src/scm/webid-oidc/hello-world.scm:112 src/scm/webid-oidc/program.scm:524 +#: src/scm/webid-oidc/hello-world.scm:112 src/scm/webid-oidc/program.scm:502 msgid "" "You are legally required to link to the complete corresponding source code.\n" msgstr "" @@ -1239,12 +1258,12 @@ msgstr "" msgid "There was an error: ~a\n" msgstr "Il y a eu une erreur : ~a\n" -#: src/scm/webid-oidc/program.scm:122 +#: src/scm/webid-oidc/program.scm:98 #, scheme-format msgid "~a: ~a: Internal server error: ~a\n" msgstr "~a : ~a : Erreur interne du serveur : ~a\n" -#: src/scm/webid-oidc/program.scm:136 +#: src/scm/webid-oidc/program.scm:112 #, scheme-format msgid "" "The client locale ~s can’t be approximated by system locale ~s (because ~a), " 
@@ -1253,83 +1272,83 @@ msgstr "" "La locale du client ~s ne peut pas être approchée par la locale système ~s " "(parce que ~a), on utilise C.\n" -#: src/scm/webid-oidc/program.scm:160 +#: src/scm/webid-oidc/program.scm:136 #, scheme-format msgid "~a: ~s ~a ~s ~a\n" msgstr "~a : ~s ~a ~s ~a\n" -#: src/scm/webid-oidc/program.scm:162 +#: src/scm/webid-oidc/program.scm:138 #, scheme-format msgid "~a: ~a (~a)" msgstr "~a : ~a (~a)" -#: src/scm/webid-oidc/program.scm:166 +#: src/scm/webid-oidc/program.scm:142 #, scheme-format msgid "~a: ~a" msgstr "~a : ~a" -#: src/scm/webid-oidc/program.scm:176 +#: src/scm/webid-oidc/program.scm:152 #, scheme-format msgid "(there was an error: ~a)" msgstr "(il y a eu une erreur : ~a)" -#: src/scm/webid-oidc/program.scm:232 +#: src/scm/webid-oidc/program.scm:210 msgid "command-line|server|port" msgstr "port" -#: src/scm/webid-oidc/program.scm:234 +#: src/scm/webid-oidc/program.scm:212 msgid "command-line|server|server-name" msgstr "nom-du-serveur" -#: src/scm/webid-oidc/program.scm:236 +#: src/scm/webid-oidc/program.scm:214 msgid "command-line|server|reverse-proxy|backend-uri" msgstr "uri-arrière-plan" -#: src/scm/webid-oidc/program.scm:238 +#: src/scm/webid-oidc/program.scm:216 msgid "command-line|server|reverse-proxy|header" msgstr "en-tête" -#: src/scm/webid-oidc/program.scm:240 +#: src/scm/webid-oidc/program.scm:218 msgid "command-line|server|issuer|key-file" msgstr "fichier-clé" -#: src/scm/webid-oidc/program.scm:242 +#: src/scm/webid-oidc/program.scm:220 msgid "command-line|server|issuer|subject" msgstr "sujet" -#: src/scm/webid-oidc/program.scm:244 +#: src/scm/webid-oidc/program.scm:222 msgid "command-line|server|issuer|encrypted-password" msgstr "mot-de-passe-chiffré" -#: src/scm/webid-oidc/program.scm:246 +#: src/scm/webid-oidc/program.scm:224 msgid "command-line|server|issuer|jwks-uri" msgstr "uri-jwks" -#: src/scm/webid-oidc/program.scm:248 +#: src/scm/webid-oidc/program.scm:226 msgid 
"command-line|server|issuer|authorization-endpoint-uri" msgstr "uri-terminal-autorisation" -#: src/scm/webid-oidc/program.scm:250 +#: src/scm/webid-oidc/program.scm:228 msgid "command-line|server|issuer|token-endpoint-uri" msgstr "uri-terminal-jeton" -#: src/scm/webid-oidc/program.scm:252 +#: src/scm/webid-oidc/program.scm:230 msgid "command-line|server|client-id" msgstr "id-client" -#: src/scm/webid-oidc/program.scm:254 +#: src/scm/webid-oidc/program.scm:232 msgid "command-line|server|redirect-uri" msgstr "uri-redirection" -#: src/scm/webid-oidc/program.scm:256 +#: src/scm/webid-oidc/program.scm:234 msgid "command-line|server|client-name" msgstr "nom-client" -#: src/scm/webid-oidc/program.scm:258 +#: src/scm/webid-oidc/program.scm:236 msgid "command-line|server|client-uri" msgstr "uri-client" -#: src/scm/webid-oidc/program.scm:287 +#: src/scm/webid-oidc/program.scm:265 #, scheme-format msgid "" "Usage: ~a COMMAND [OPTIONS]...\n" 
@@ -1641,57 +1660,57 @@ msgstr "" "Si vous trouvez une erreur dans le programme, envoyez-en un rapport à\n" "~a.\n" -#: src/scm/webid-oidc/program.scm:437 src/scm/webid-oidc/program.scm:495 -#: src/scm/webid-oidc/program.scm:597 +#: src/scm/webid-oidc/program.scm:415 src/scm/webid-oidc/program.scm:473 +#: src/scm/webid-oidc/program.scm:575 msgid "command-line|command|reverse-proxy" msgstr "proxy-inversé" -#: src/scm/webid-oidc/program.scm:438 src/scm/webid-oidc/program.scm:502 -#: src/scm/webid-oidc/program.scm:621 +#: src/scm/webid-oidc/program.scm:416 src/scm/webid-oidc/program.scm:480 +#: src/scm/webid-oidc/program.scm:597 msgid "command-line|command|identity-provider" msgstr "fournisseur-identité" -#: src/scm/webid-oidc/program.scm:439 src/scm/webid-oidc/program.scm:509 -#: src/scm/webid-oidc/program.scm:667 +#: src/scm/webid-oidc/program.scm:417 src/scm/webid-oidc/program.scm:487 +#: src/scm/webid-oidc/program.scm:641 msgid "command-line|command|client-service" msgstr "service-client" -#: src/scm/webid-oidc/program.scm:440 src/scm/webid-oidc/program.scm:696 +#: src/scm/webid-oidc/program.scm:418 src/scm/webid-oidc/program.scm:670 msgid "command-line|command|server" msgstr "serveur" -#: src/scm/webid-oidc/program.scm:476 src/scm/webid-oidc/program.scm:480 -#: src/scm/webid-oidc/program.scm:484 src/scm/webid-oidc/program.scm:488 +#: src/scm/webid-oidc/program.scm:454 src/scm/webid-oidc/program.scm:458 +#: src/scm/webid-oidc/program.scm:462 src/scm/webid-oidc/program.scm:466 #, scheme-format msgid "an environment variable| It is currently set to ~s." msgstr " Elle vaut actuellement ~s." -#: src/scm/webid-oidc/program.scm:478 src/scm/webid-oidc/program.scm:482 -#: src/scm/webid-oidc/program.scm:486 src/scm/webid-oidc/program.scm:490 +#: src/scm/webid-oidc/program.scm:456 src/scm/webid-oidc/program.scm:460 +#: src/scm/webid-oidc/program.scm:464 src/scm/webid-oidc/program.scm:468 msgid "an environment variable| It is currently unset." 
msgstr " Elle n’est actuellement pas définie." -#: src/scm/webid-oidc/program.scm:531 +#: src/scm/webid-oidc/program.scm:509 #, scheme-format msgid "The --~a argument must be a number, not ~s.\n" msgstr "L’argument de --~a doit être un nombre, pas ~s.\n" -#: src/scm/webid-oidc/program.scm:537 +#: src/scm/webid-oidc/program.scm:515 #, scheme-format msgid "The --~a argument must be an integer, not ~s.\n" msgstr "L’argument de --~a doit être un entier, pas ~s.\n" -#: src/scm/webid-oidc/program.scm:543 +#: src/scm/webid-oidc/program.scm:521 #, scheme-format msgid "The --~a argument must be positive, ~s is invalid.\n" msgstr "L’argument de --~a doit être positif, ~s est invalide.\n" -#: src/scm/webid-oidc/program.scm:548 +#: src/scm/webid-oidc/program.scm:526 #, scheme-format msgid "The --~a argument must be less than 65536, ~s is invalid.\n" msgstr "L’argument de --~a doit être inférieur à 65536, ~s est invalide.\n" -#: src/scm/webid-oidc/program.scm:590 +#: src/scm/webid-oidc/program.scm:568 #, scheme-format msgid "" "Usage: ~a COMMAND [OPTIONS]...\n" 
@@ -1700,18 +1719,18 @@ msgstr "" "Utilisation : ~a COMMANDE [OPTIONS]...\n" "Voir --~a (-h).\n" -#: src/scm/webid-oidc/program.scm:600 src/scm/webid-oidc/program.scm:624 -#: src/scm/webid-oidc/program.scm:698 +#: src/scm/webid-oidc/program.scm:578 src/scm/webid-oidc/program.scm:600 +#: src/scm/webid-oidc/program.scm:672 #, scheme-format msgid "You must pass --~a to set the server name.\n" msgstr "Vous devez passer --~a pour définir le nom du serveur.\n" -#: src/scm/webid-oidc/program.scm:604 +#: src/scm/webid-oidc/program.scm:582 #, scheme-format msgid "You must pass --~a to set the backend URI.\n" msgstr "Vous devez passer --~a pour définir l'URI du service d’arrière-plan.\n" -#: src/scm/webid-oidc/program.scm:628 src/scm/webid-oidc/program.scm:702 +#: src/scm/webid-oidc/program.scm:604 src/scm/webid-oidc/program.scm:676 #, scheme-format msgid "" "You must pass --~a to set the file where to store the identity provider " 
@@ -1720,59 +1739,59 @@ msgstr "" "Vous devez passer --~a pour définir le nom du fichier pour sauvegarder\n" "la clé du fournisseur d’identité.\n" -#: src/scm/webid-oidc/program.scm:632 src/scm/webid-oidc/program.scm:706 +#: src/scm/webid-oidc/program.scm:608 src/scm/webid-oidc/program.scm:680 #, scheme-format msgid "You must pass --~a to set the subject of the identity provider.\n" msgstr "" "Vous devez passer --~a pour définir le sujet du fournisseur d’identité.\n" -#: src/scm/webid-oidc/program.scm:636 src/scm/webid-oidc/program.scm:710 +#: src/scm/webid-oidc/program.scm:612 src/scm/webid-oidc/program.scm:684 #, scheme-format msgid "You must pass --~a to set the subject’s encrypted password.\n" msgstr "" "Vous devez passer --~a pour définir le mot de passe chiffré du sujet.\n" -#: src/scm/webid-oidc/program.scm:640 src/scm/webid-oidc/program.scm:714 +#: src/scm/webid-oidc/program.scm:616 src/scm/webid-oidc/program.scm:688 #, scheme-format msgid "You must pass --~a to set the JWKS URI.\n" msgstr "Vous devez passer --~a pour définir l'URI du JWKS.\n" -#: src/scm/webid-oidc/program.scm:644 src/scm/webid-oidc/program.scm:718 +#: src/scm/webid-oidc/program.scm:620 src/scm/webid-oidc/program.scm:692 #, scheme-format msgid "You must pass --~a to set the authorization endpoint URI.\n" msgstr "" "Vous devez passer --~a pour définir l'URI du terminal d'autorisation.\n" -#: src/scm/webid-oidc/program.scm:648 src/scm/webid-oidc/program.scm:722 +#: src/scm/webid-oidc/program.scm:624 src/scm/webid-oidc/program.scm:696 #, scheme-format msgid "You must pass --~a to set the token endpoint URI.\n" msgstr "Vous devez passer --~a pour définir l'URI du terminal de jeton.\n" -#: src/scm/webid-oidc/program.scm:670 +#: src/scm/webid-oidc/program.scm:644 #, scheme-format msgid "You must pass --~a to set the application web ID.\n" msgstr "" "Vous devez passer --~a pour définir l'identifiant web de l’application.\n" -#: src/scm/webid-oidc/program.scm:674 +#: 
src/scm/webid-oidc/program.scm:648 #, scheme-format msgid "You must pass --~a to set the redirection URI.\n" msgstr "Vous devez passer --~a pour définir l'URI de redirection.\n" -#: src/scm/webid-oidc/program.scm:678 +#: src/scm/webid-oidc/program.scm:652 #, scheme-format msgid "You must pass --~a to set the informative client name.\n" msgstr "" "Vous devez passer --~a pour donner un nom pour l’application à titre " "informatif.\n" -#: src/scm/webid-oidc/program.scm:682 +#: src/scm/webid-oidc/program.scm:656 #, scheme-format msgid "You must pass --~a to set the informative client URI.\n" msgstr "" "Vous devez passer --~a pour définir l'URI du client, à titre informatif.\n" -#: src/scm/webid-oidc/program.scm:773 +#: src/scm/webid-oidc/program.scm:743 #, scheme-format msgid "Unknown command ~s\n" msgstr "Commande inconnue ~s\n" diff --git a/po/webid-oidc.pot b/po/webid-oidc.pot index ad294e9..5651551 100644 --- a/po/webid-oidc.pot +++ b/po/webid-oidc.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: webid-oidc SNAPSHOT\n" "Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n" -"POT-Creation-Date: 2021-07-08 00:38+0200\n" +"POT-Creation-Date: 2021-07-22 11:08+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <LL@li.org>\n" 
@@ -122,683 +122,702 @@ msgstr "" msgid "Usage: generate-key [NUMBER OF BITS | CURVE]\n" msgstr "" -#: src/scm/webid-oidc/errors.scm:1064 +#: src/scm/webid-oidc/errors.scm:1090 msgid "that’s how it is" msgstr "" -#: src/scm/webid-oidc/errors.scm:1069 +#: src/scm/webid-oidc/errors.scm:1095 #, scheme-format msgid "the value ~s is not a base64 string (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1072 +#: src/scm/webid-oidc/errors.scm:1098 #, scheme-format msgid "the value ~s is not JSON (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1075 +#: src/scm/webid-oidc/errors.scm:1101 #, scheme-format msgid "the value ~s is not Turtle (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1078 +#: src/scm/webid-oidc/errors.scm:1104 #, scheme-format msgid "the value ~s does not identify an elleptic curve" msgstr "" -#: src/scm/webid-oidc/errors.scm:1083 +#: src/scm/webid-oidc/errors.scm:1109 #, scheme-format msgid "the value ~s does not identify a JWK (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1085 +#: src/scm/webid-oidc/errors.scm:1111 #, scheme-format msgid "the value ~s does not identify a JWK" msgstr "" -#: src/scm/webid-oidc/errors.scm:1090 +#: src/scm/webid-oidc/errors.scm:1116 #, scheme-format msgid "the value ~s does not identify a public JWK (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1092 +#: src/scm/webid-oidc/errors.scm:1118 #, scheme-format msgid "the value ~s does not identify a public JWK" msgstr "" -#: src/scm/webid-oidc/errors.scm:1097 +#: src/scm/webid-oidc/errors.scm:1123 #, scheme-format msgid "the value ~s does not identify a private JWK (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1099 +#: src/scm/webid-oidc/errors.scm:1125 #, scheme-format msgid "the value ~s does not identify a private JWK" msgstr "" -#: src/scm/webid-oidc/errors.scm:1104 +#: src/scm/webid-oidc/errors.scm:1130 #, scheme-format msgid "the value ~s does not identify a JWKS (because ~a)" msgstr "" -#: 
src/scm/webid-oidc/errors.scm:1106 +#: src/scm/webid-oidc/errors.scm:1132 #, scheme-format msgid "the value ~s does not identify a JWKS" msgstr "" -#: src/scm/webid-oidc/errors.scm:1109 +#: src/scm/webid-oidc/errors.scm:1135 #, scheme-format msgid "the value ~s does not identify a hash algorithm" msgstr "" -#: src/scm/webid-oidc/errors.scm:1112 +#: src/scm/webid-oidc/errors.scm:1138 #, scheme-format msgid "the value ~s is not an alist or misses key ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1115 +#: src/scm/webid-oidc/errors.scm:1141 #, scheme-format msgid "the value ~s is not a JWS header (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1118 +#: src/scm/webid-oidc/errors.scm:1144 #, scheme-format msgid "the value ~s is not a JWS payload (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1121 +#: src/scm/webid-oidc/errors.scm:1147 #, scheme-format msgid "the value ~s is not a JWS (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1124 +#: src/scm/webid-oidc/errors.scm:1150 #, scheme-format msgid "the string ~s cannot be split in 3 parts with ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1127 +#: src/scm/webid-oidc/errors.scm:1153 #, scheme-format msgid "" "all key candidates failed to verify signature ~s with algorithm ~s and " "payload ~a (there were ~a: ~s)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1130 +#: src/scm/webid-oidc/errors.scm:1156 #, scheme-format msgid "I cannot decode JWS ~a (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1133 +#: src/scm/webid-oidc/errors.scm:1159 #, scheme-format msgid "I cannot encode JWS ~a (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1136 +#: src/scm/webid-oidc/errors.scm:1162 #, scheme-format msgid "" "the server request unexpectedly failed with code ~a and reason phrase ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1141 +#: src/scm/webid-oidc/errors.scm:1167 #, scheme-format msgid "the header ~a should not have the value ~s" msgstr "" -#: 
src/scm/webid-oidc/errors.scm:1143 +#: src/scm/webid-oidc/errors.scm:1169 #, scheme-format msgid "the header ~a should be present" msgstr "" -#: src/scm/webid-oidc/errors.scm:1146 +#: src/scm/webid-oidc/errors.scm:1172 #, scheme-format msgid "the server response wasn't expected: ~s (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1152 +#: src/scm/webid-oidc/errors.scm:1178 #, scheme-format msgid "the value ~s is not an OIDC configuration (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1157 +#: src/scm/webid-oidc/errors.scm:1183 #, scheme-format msgid "the webid field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1158 +#: src/scm/webid-oidc/errors.scm:1184 msgid "the webid field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:1162 +#: src/scm/webid-oidc/errors.scm:1188 #, scheme-format msgid "the sub field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1163 +#: src/scm/webid-oidc/errors.scm:1189 msgid "the sub field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:1167 +#: src/scm/webid-oidc/errors.scm:1193 #, scheme-format msgid "the iss field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1168 +#: src/scm/webid-oidc/errors.scm:1194 msgid "the iss field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:1172 +#: src/scm/webid-oidc/errors.scm:1198 #, scheme-format msgid "the aud field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1173 +#: src/scm/webid-oidc/errors.scm:1199 msgid "the aud field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:1177 +#: src/scm/webid-oidc/errors.scm:1203 #, scheme-format msgid "the iat field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1178 +#: src/scm/webid-oidc/errors.scm:1204 msgid "the iat field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:1182 +#: src/scm/webid-oidc/errors.scm:1208 #, scheme-format msgid "the exp field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1183 +#: 
src/scm/webid-oidc/errors.scm:1209 msgid "the exp field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:1187 +#: src/scm/webid-oidc/errors.scm:1213 #, scheme-format msgid "the cnf/jkt field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1188 +#: src/scm/webid-oidc/errors.scm:1214 msgid "the cnf/jkt field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:1192 +#: src/scm/webid-oidc/errors.scm:1218 #, scheme-format msgid "the client-id field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1193 +#: src/scm/webid-oidc/errors.scm:1219 msgid "the client-id field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:1197 +#: src/scm/webid-oidc/errors.scm:1223 #: src/scm/webid-oidc/authorization-page-unsafe.scm:149 #, scheme-format msgid "the redirect_uris field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1198 +#: src/scm/webid-oidc/errors.scm:1224 #: src/scm/webid-oidc/authorization-page-unsafe.scm:150 msgid "the redirect_uris field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:1202 +#: src/scm/webid-oidc/errors.scm:1228 #, scheme-format msgid "the typ field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1203 +#: src/scm/webid-oidc/errors.scm:1229 msgid "the typ field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:1207 +#: src/scm/webid-oidc/errors.scm:1233 #, scheme-format msgid "the jwk field is incorrect: ~s (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1209 +#: src/scm/webid-oidc/errors.scm:1235 msgid "the jwk field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:1213 +#: src/scm/webid-oidc/errors.scm:1239 #, scheme-format msgid "the jti field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1214 +#: src/scm/webid-oidc/errors.scm:1240 msgid "the jti field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:1218 +#: src/scm/webid-oidc/errors.scm:1244 #, scheme-format msgid "the nonce field is incorrect: ~s" msgstr "" -#: 
src/scm/webid-oidc/errors.scm:1219 +#: src/scm/webid-oidc/errors.scm:1245 msgid "the nonce field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:1223 +#: src/scm/webid-oidc/errors.scm:1249 #, scheme-format msgid "the htm field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1224 +#: src/scm/webid-oidc/errors.scm:1250 msgid "the htm field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:1228 +#: src/scm/webid-oidc/errors.scm:1254 #, scheme-format msgid "the htu field is incorrect: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1229 +#: src/scm/webid-oidc/errors.scm:1255 msgid "the htu field is missing" msgstr "" -#: src/scm/webid-oidc/errors.scm:1231 +#: src/scm/webid-oidc/errors.scm:1259 +#, scheme-format +msgid "the ath field is incorrect: ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1260 +msgid "the ath field is missing" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1262 #, scheme-format msgid "~s is not an access token (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1234 +#: src/scm/webid-oidc/errors.scm:1265 #, scheme-format msgid "~s is not an access token header (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1237 +#: src/scm/webid-oidc/errors.scm:1268 #, scheme-format msgid "~s is not an access token payload (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1240 +#: src/scm/webid-oidc/errors.scm:1271 #, scheme-format msgid "~s is not a DPoP proof (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1243 +#: src/scm/webid-oidc/errors.scm:1274 #, scheme-format msgid "~s is not a DPoP proof header (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1246 +#: src/scm/webid-oidc/errors.scm:1277 #, scheme-format msgid "~s is not a DPoP proof payload (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1249 +#: src/scm/webid-oidc/errors.scm:1280 #, scheme-format msgid "I cannot fetch the issuer configuration of ~a (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1256 +#: 
src/scm/webid-oidc/errors.scm:1287 #, scheme-format msgid "I cannot fetch the JWKS of ~a at ~a (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1267 +#: src/scm/webid-oidc/errors.scm:1298 #, scheme-format msgid "the HTTP method is signed for ~s, but ~s was requested" msgstr "" -#: src/scm/webid-oidc/errors.scm:1270 +#: src/scm/webid-oidc/errors.scm:1301 #, scheme-format msgid "the HTTP uri is signed for ~a, but ~a was requested" msgstr "" -#: src/scm/webid-oidc/errors.scm:1273 +#: src/scm/webid-oidc/errors.scm:1304 #, scheme-format msgid "the date is ~a, but the DPoP proof is signed in the future at ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1277 +#: src/scm/webid-oidc/errors.scm:1308 #, scheme-format msgid "the date is ~a, but the DPoP proof was signed too long ago at ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1286 +#: src/scm/webid-oidc/errors.scm:1317 #, scheme-format msgid "the key ~s does not hash to ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1288 +#: src/scm/webid-oidc/errors.scm:1319 #, scheme-format msgid "the key confirmation of ~s failed (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1290 +#: src/scm/webid-oidc/errors.scm:1321 #, scheme-format msgid "the key confirmation of ~s failed" msgstr "" -#: src/scm/webid-oidc/errors.scm:1292 +#: src/scm/webid-oidc/errors.scm:1326 +#, scheme-format +msgid "the DPoP proof is bound to an access token with hash ~s, not ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1328 +#, scheme-format +msgid "the DPoP proof should be bound to the access token ~s" +msgstr "" + +#: src/scm/webid-oidc/errors.scm:1331 #, scheme-format msgid "the jti ~s has already been found (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1295 +#: src/scm/webid-oidc/errors.scm:1334 #, scheme-format msgid "I cannot decode ~s as an access token (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1298 +#: src/scm/webid-oidc/errors.scm:1337 #, scheme-format msgid "I cannot encode ~s as an access token 
with key ~s (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1301 +#: src/scm/webid-oidc/errors.scm:1340 #, scheme-format msgid "I cannot decode ~s as a DPoP proof (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1304 +#: src/scm/webid-oidc/errors.scm:1343 #, scheme-format msgid "I cannot encode ~s as a DPoP proof (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1307 +#: src/scm/webid-oidc/errors.scm:1346 #, scheme-format msgid "I could not fetch a RDF graph at ~a (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1310 +#: src/scm/webid-oidc/errors.scm:1349 #, scheme-format msgid "~s is not a client manifest (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1313 +#: src/scm/webid-oidc/errors.scm:1352 #, scheme-format msgid "~s does not authorize redirection URI ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1316 +#: src/scm/webid-oidc/errors.scm:1355 msgid "I cannot serve a public manifest" msgstr "" -#: src/scm/webid-oidc/errors.scm:1318 +#: src/scm/webid-oidc/errors.scm:1357 #, scheme-format msgid "~a does not have a client manifest registration triple" msgstr "" -#: src/scm/webid-oidc/errors.scm:1321 +#: src/scm/webid-oidc/errors.scm:1360 #, scheme-format msgid "the client manifest at ~a is advertised for ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1324 +#: src/scm/webid-oidc/errors.scm:1363 #, scheme-format msgid "I could not fetch the client manifest of ~a (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1327 +#: src/scm/webid-oidc/errors.scm:1366 #, scheme-format msgid "~s is not an authorization code (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1330 +#: src/scm/webid-oidc/errors.scm:1369 #, scheme-format msgid "~s is not an authorization code header (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1333 +#: src/scm/webid-oidc/errors.scm:1372 #, scheme-format msgid "~s is not an authorization code payload (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1336 +#: 
src/scm/webid-oidc/errors.scm:1375 #, scheme-format msgid "the current time is ~a, and the authorization code expired at ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1340 +#: src/scm/webid-oidc/errors.scm:1379 #, scheme-format msgid "I cannot decode ~s as an authorization code (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1343 +#: src/scm/webid-oidc/errors.scm:1382 #, scheme-format msgid "I cannot encode ~s as an authorization code (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1346 +#: src/scm/webid-oidc/errors.scm:1385 #, scheme-format msgid "there is no such refresh token as ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1349 +#: src/scm/webid-oidc/errors.scm:1388 #, scheme-format msgid "" "the refresh token is bound to a key confirmed as ~s, but it is used with key " "~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1352 +#: src/scm/webid-oidc/errors.scm:1391 #, scheme-format msgid "I cannot decode ~s as an ID token (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1355 +#: src/scm/webid-oidc/errors.scm:1394 #, scheme-format msgid "I cannot encode ~s as an ID token (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1358 +#: src/scm/webid-oidc/errors.scm:1397 #, scheme-format msgid "the grant type ~s is not supported" msgstr "" -#: src/scm/webid-oidc/errors.scm:1361 +#: src/scm/webid-oidc/errors.scm:1400 msgid "there is no authorization code in the request" msgstr "" -#: src/scm/webid-oidc/errors.scm:1363 +#: src/scm/webid-oidc/errors.scm:1402 msgid "there is no refresh token in the request" msgstr "" -#: src/scm/webid-oidc/errors.scm:1365 +#: src/scm/webid-oidc/errors.scm:1404 #, scheme-format msgid "~s is not an ID token (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1368 +#: src/scm/webid-oidc/errors.scm:1407 #, scheme-format msgid "~s is not an ID token header (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1371 +#: src/scm/webid-oidc/errors.scm:1410 #, scheme-format msgid "~s is not an ID token 
payload (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1374 +#: src/scm/webid-oidc/errors.scm:1413 #, scheme-format msgid "" "I couldn’t set the locale to ~s as an approximation of the client locale ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1377 +#: src/scm/webid-oidc/errors.scm:1416 #, scheme-format msgid "~s does not admit ~s as an identity provider" msgstr "" -#: src/scm/webid-oidc/errors.scm:1380 +#: src/scm/webid-oidc/errors.scm:1419 #, scheme-format msgid "" "~a is neither an identity provider (because ~a) nor a webid (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1385 +#: src/scm/webid-oidc/errors.scm:1424 #, scheme-format msgid "the token request failed (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1388 +#: src/scm/webid-oidc/errors.scm:1427 #, scheme-format msgid "you don’t have a refresh token for identity ~a certified by ~a in ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1393 +#: src/scm/webid-oidc/errors.scm:1432 #, scheme-format msgid "all identity provider candidates for ~a failed: ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1397 +#: src/scm/webid-oidc/errors.scm:1436 #, scheme-format msgid "~s failed (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1400 +#: src/scm/webid-oidc/errors.scm:1439 msgid ", " msgstr "" -#: src/scm/webid-oidc/errors.scm:1402 +#: src/scm/webid-oidc/errors.scm:1441 #, scheme-format msgid "no resource has been found to serve URI path ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1405 +#: src/scm/webid-oidc/errors.scm:1444 #, scheme-format msgid "the resource kind ~s is absent for the resource at ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1408 +#: src/scm/webid-oidc/errors.scm:1447 #, scheme-format msgid "no resource has been found to serve URI path ~s, but ~s exists" msgstr "" -#: src/scm/webid-oidc/errors.scm:1411 +#: src/scm/webid-oidc/errors.scm:1450 msgid "the root storage cannot be deleted" msgstr "" -#: src/scm/webid-oidc/errors.scm:1413 +#: 
src/scm/webid-oidc/errors.scm:1452 #, scheme-format msgid "the container ~s should be emptied before being deleted" msgstr "" -#: src/scm/webid-oidc/errors.scm:1416 +#: src/scm/webid-oidc/errors.scm:1455 #, scheme-format msgid "the group ~s cannot be fetched (because ~a)" msgstr "" -#: src/scm/webid-oidc/errors.scm:1420 +#: src/scm/webid-oidc/errors.scm:1459 #, scheme-format msgid "the containment triples in the request to update ~s are not up to date" msgstr "" -#: src/scm/webid-oidc/errors.scm:1423 +#: src/scm/webid-oidc/errors.scm:1462 #, scheme-format msgid "the server cannot process resources with the ~s content-type" msgstr "" -#: src/scm/webid-oidc/errors.scm:1426 +#: src/scm/webid-oidc/errors.scm:1465 #, scheme-format msgid "" "the client wants to create a resource at ~s, which is reserved for an " "auxiliary resource" msgstr "" -#: src/scm/webid-oidc/errors.scm:1429 +#: src/scm/webid-oidc/errors.scm:1468 #, scheme-format msgid "" "the operation on ~s by ~a is refused, because it’s not by ~s and the access " "control forbids the following mode of operation: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1433 +#: src/scm/webid-oidc/errors.scm:1472 msgid "an anonymous user" msgstr "" -#: src/scm/webid-oidc/errors.scm:1438 +#: src/scm/webid-oidc/errors.scm:1477 #, scheme-format msgid "" "the client precondition failed for ~s: it allows for ~s, forbids ~s, but the " "resource has a representation of ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1440 +#: src/scm/webid-oidc/errors.scm:1479 #, scheme-format msgid "" "the client precondition failed for ~s: it allows for ~s, forbids ~s, but the " "resource has no representation" msgstr "" -#: src/scm/webid-oidc/errors.scm:1443 +#: src/scm/webid-oidc/errors.scm:1482 #, scheme-format msgid "" "the client wanted a response with a content type among ~s, but the resource " "at ~s has content-type ~s which cannot be converted to one of them" msgstr "" -#: src/scm/webid-oidc/errors.scm:1450 +#: 
src/scm/webid-oidc/errors.scm:1489 msgid "that’s it" msgstr "" -#: src/scm/webid-oidc/errors.scm:1454 +#: src/scm/webid-oidc/errors.scm:1493 #, scheme-format msgid "~a and ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1457 +#: src/scm/webid-oidc/errors.scm:1496 #, scheme-format msgid "~a, ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1461 +#: src/scm/webid-oidc/errors.scm:1500 #, scheme-format msgid "the signature ~a does not match key ~s with payload ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1464 +#: src/scm/webid-oidc/errors.scm:1503 #, scheme-format msgid "the request failed unexpectedly with code ~a: ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1468 +#: src/scm/webid-oidc/errors.scm:1507 msgid "there is an undefined variable" msgstr "" -#: src/scm/webid-oidc/errors.scm:1470 +#: src/scm/webid-oidc/errors.scm:1509 #, scheme-format msgid "the origin is ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1473 +#: src/scm/webid-oidc/errors.scm:1512 #, scheme-format msgid "a message is attached: ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1476 +#: src/scm/webid-oidc/errors.scm:1515 #, scheme-format msgid "the values ~s are problematic" msgstr "" -#: src/scm/webid-oidc/errors.scm:1479 +#: src/scm/webid-oidc/errors.scm:1518 #, scheme-format msgid "there is a kind (~s) and args ~s" msgstr "" -#: src/scm/webid-oidc/errors.scm:1482 +#: src/scm/webid-oidc/errors.scm:1521 msgid "there is an assertion failure" msgstr "" -#: src/scm/webid-oidc/errors.scm:1484 +#: src/scm/webid-oidc/errors.scm:1523 #, scheme-format msgid "the program quits with code ~a" msgstr "" -#: src/scm/webid-oidc/errors.scm:1487 +#: src/scm/webid-oidc/errors.scm:1526 msgid "the program cannot recover from this exception" msgstr "" -#: src/scm/webid-oidc/errors.scm:1489 +#: src/scm/webid-oidc/errors.scm:1528 msgid "there is an external error" msgstr "" -#: src/scm/webid-oidc/errors.scm:1491 +#: src/scm/webid-oidc/errors.scm:1530 msgid "there is an error" msgstr "" -#: 
src/scm/webid-oidc/errors.scm:1493 +#: src/scm/webid-oidc/errors.scm:1532 #, scheme-format msgid "Unhandled exception type ~a." msgstr "" @@ -950,15 +969,15 @@ msgid "Warning: ~a\n" msgstr "" #: src/scm/webid-oidc/hello-world.scm:48 src/scm/webid-oidc/example-app.scm:116 -#: src/scm/webid-oidc/program.scm:226 +#: src/scm/webid-oidc/program.scm:204 msgid "command-line|version" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:50 src/scm/webid-oidc/program.scm:228 +#: src/scm/webid-oidc/hello-world.scm:50 src/scm/webid-oidc/program.scm:206 msgid "command-line|complete-corresponding-source" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:52 src/scm/webid-oidc/program.scm:230 +#: src/scm/webid-oidc/hello-world.scm:52 src/scm/webid-oidc/program.scm:208 msgid "command-line|help" msgstr "" @@ -966,11 +985,11 @@ msgstr "" msgid "command-line|port" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:56 src/scm/webid-oidc/program.scm:260 +#: src/scm/webid-oidc/hello-world.scm:56 src/scm/webid-oidc/program.scm:238 msgid "command-line|log-file" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:58 src/scm/webid-oidc/program.scm:262 +#: src/scm/webid-oidc/hello-world.scm:58 src/scm/webid-oidc/program.scm:240 msgid "command-line|error-file" msgstr "" @@ -1004,12 +1023,12 @@ msgid "" msgstr "" #: src/scm/webid-oidc/hello-world.scm:103 -#: src/scm/webid-oidc/example-app.scm:159 src/scm/webid-oidc/program.scm:516 +#: src/scm/webid-oidc/example-app.scm:159 src/scm/webid-oidc/program.scm:494 #, scheme-format msgid "~a version ~a\n" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:112 src/scm/webid-oidc/program.scm:524 +#: src/scm/webid-oidc/hello-world.scm:112 src/scm/webid-oidc/program.scm:502 msgid "" "You are legally required to link to the complete corresponding source code.\n" msgstr "" 
@@ -1128,95 +1147,95 @@ msgstr "" msgid "There was an error: ~a\n" msgstr "" -#: src/scm/webid-oidc/program.scm:122 +#: src/scm/webid-oidc/program.scm:98 #, scheme-format msgid "~a: ~a: Internal server error: ~a\n" msgstr "" -#: src/scm/webid-oidc/program.scm:136 +#: src/scm/webid-oidc/program.scm:112 #, scheme-format msgid "" "The client locale ~s can’t be approximated by system locale ~s (because ~a), " "using C.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:160 +#: src/scm/webid-oidc/program.scm:136 #, scheme-format msgid "~a: ~s ~a ~s ~a\n" msgstr "" -#: src/scm/webid-oidc/program.scm:162 +#: src/scm/webid-oidc/program.scm:138 #, scheme-format msgid "~a: ~a (~a)" msgstr "" -#: src/scm/webid-oidc/program.scm:166 +#: src/scm/webid-oidc/program.scm:142 #, scheme-format msgid "~a: ~a" msgstr "" -#: src/scm/webid-oidc/program.scm:176 +#: src/scm/webid-oidc/program.scm:152 #, scheme-format msgid "(there was an error: ~a)" msgstr "" -#: src/scm/webid-oidc/program.scm:232 +#: src/scm/webid-oidc/program.scm:210 msgid "command-line|server|port" msgstr "" -#: src/scm/webid-oidc/program.scm:234 +#: src/scm/webid-oidc/program.scm:212 msgid "command-line|server|server-name" msgstr "" -#: src/scm/webid-oidc/program.scm:236 +#: src/scm/webid-oidc/program.scm:214 msgid "command-line|server|reverse-proxy|backend-uri" msgstr "" -#: src/scm/webid-oidc/program.scm:238 +#: src/scm/webid-oidc/program.scm:216 msgid "command-line|server|reverse-proxy|header" msgstr "" -#: src/scm/webid-oidc/program.scm:240 +#: src/scm/webid-oidc/program.scm:218 msgid "command-line|server|issuer|key-file" msgstr "" -#: src/scm/webid-oidc/program.scm:242 +#: src/scm/webid-oidc/program.scm:220 msgid "command-line|server|issuer|subject" msgstr "" -#: src/scm/webid-oidc/program.scm:244 +#: src/scm/webid-oidc/program.scm:222 msgid "command-line|server|issuer|encrypted-password" msgstr "" -#: src/scm/webid-oidc/program.scm:246 +#: src/scm/webid-oidc/program.scm:224 msgid 
"command-line|server|issuer|jwks-uri" msgstr "" -#: src/scm/webid-oidc/program.scm:248 +#: src/scm/webid-oidc/program.scm:226 msgid "command-line|server|issuer|authorization-endpoint-uri" msgstr "" -#: src/scm/webid-oidc/program.scm:250 +#: src/scm/webid-oidc/program.scm:228 msgid "command-line|server|issuer|token-endpoint-uri" msgstr "" -#: src/scm/webid-oidc/program.scm:252 +#: src/scm/webid-oidc/program.scm:230 msgid "command-line|server|client-id" msgstr "" -#: src/scm/webid-oidc/program.scm:254 +#: src/scm/webid-oidc/program.scm:232 msgid "command-line|server|redirect-uri" msgstr "" -#: src/scm/webid-oidc/program.scm:256 +#: src/scm/webid-oidc/program.scm:234 msgid "command-line|server|client-name" msgstr "" -#: src/scm/webid-oidc/program.scm:258 +#: src/scm/webid-oidc/program.scm:236 msgid "command-line|server|client-uri" msgstr "" -#: src/scm/webid-oidc/program.scm:287 +#: src/scm/webid-oidc/program.scm:265 #, scheme-format msgid "" "Usage: ~a COMMAND [OPTIONS]...\n" 
@@ -1371,127 +1390,127 @@ msgid "" "If you find a bug, then please send a report to ~a.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:437 src/scm/webid-oidc/program.scm:495 -#: src/scm/webid-oidc/program.scm:597 +#: src/scm/webid-oidc/program.scm:415 src/scm/webid-oidc/program.scm:473 +#: src/scm/webid-oidc/program.scm:575 msgid "command-line|command|reverse-proxy" msgstr "" -#: src/scm/webid-oidc/program.scm:438 src/scm/webid-oidc/program.scm:502 -#: src/scm/webid-oidc/program.scm:621 +#: src/scm/webid-oidc/program.scm:416 src/scm/webid-oidc/program.scm:480 +#: src/scm/webid-oidc/program.scm:597 msgid "command-line|command|identity-provider" msgstr "" -#: src/scm/webid-oidc/program.scm:439 src/scm/webid-oidc/program.scm:509 -#: src/scm/webid-oidc/program.scm:667 +#: src/scm/webid-oidc/program.scm:417 src/scm/webid-oidc/program.scm:487 +#: src/scm/webid-oidc/program.scm:641 msgid "command-line|command|client-service" msgstr "" -#: src/scm/webid-oidc/program.scm:440 src/scm/webid-oidc/program.scm:696 +#: src/scm/webid-oidc/program.scm:418 src/scm/webid-oidc/program.scm:670 msgid "command-line|command|server" msgstr "" -#: src/scm/webid-oidc/program.scm:476 src/scm/webid-oidc/program.scm:480 -#: src/scm/webid-oidc/program.scm:484 src/scm/webid-oidc/program.scm:488 +#: src/scm/webid-oidc/program.scm:454 src/scm/webid-oidc/program.scm:458 +#: src/scm/webid-oidc/program.scm:462 src/scm/webid-oidc/program.scm:466 #, scheme-format msgid "an environment variable| It is currently set to ~s." msgstr "" -#: src/scm/webid-oidc/program.scm:478 src/scm/webid-oidc/program.scm:482 -#: src/scm/webid-oidc/program.scm:486 src/scm/webid-oidc/program.scm:490 +#: src/scm/webid-oidc/program.scm:456 src/scm/webid-oidc/program.scm:460 +#: src/scm/webid-oidc/program.scm:464 src/scm/webid-oidc/program.scm:468 msgid "an environment variable| It is currently unset." 
msgstr "" -#: src/scm/webid-oidc/program.scm:531 +#: src/scm/webid-oidc/program.scm:509 #, scheme-format msgid "The --~a argument must be a number, not ~s.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:537 +#: src/scm/webid-oidc/program.scm:515 #, scheme-format msgid "The --~a argument must be an integer, not ~s.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:543 +#: src/scm/webid-oidc/program.scm:521 #, scheme-format msgid "The --~a argument must be positive, ~s is invalid.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:548 +#: src/scm/webid-oidc/program.scm:526 #, scheme-format msgid "The --~a argument must be less than 65536, ~s is invalid.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:590 +#: src/scm/webid-oidc/program.scm:568 #, scheme-format msgid "" "Usage: ~a COMMAND [OPTIONS]...\n" "See --~a (-h).\n" msgstr "" -#: src/scm/webid-oidc/program.scm:600 src/scm/webid-oidc/program.scm:624 -#: src/scm/webid-oidc/program.scm:698 +#: src/scm/webid-oidc/program.scm:578 src/scm/webid-oidc/program.scm:600 +#: src/scm/webid-oidc/program.scm:672 #, scheme-format msgid "You must pass --~a to set the server name.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:604 +#: src/scm/webid-oidc/program.scm:582 #, scheme-format msgid "You must pass --~a to set the backend URI.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:628 src/scm/webid-oidc/program.scm:702 +#: src/scm/webid-oidc/program.scm:604 src/scm/webid-oidc/program.scm:676 #, scheme-format msgid "" "You must pass --~a to set the file where to store the identity provider " "key.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:632 src/scm/webid-oidc/program.scm:706 +#: src/scm/webid-oidc/program.scm:608 src/scm/webid-oidc/program.scm:680 #, scheme-format msgid "You must pass --~a to set the subject of the identity provider.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:636 src/scm/webid-oidc/program.scm:710 +#: src/scm/webid-oidc/program.scm:612 src/scm/webid-oidc/program.scm:684 #, scheme-format msgid "You must 
pass --~a to set the subject’s encrypted password.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:640 src/scm/webid-oidc/program.scm:714 +#: src/scm/webid-oidc/program.scm:616 src/scm/webid-oidc/program.scm:688 #, scheme-format msgid "You must pass --~a to set the JWKS URI.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:644 src/scm/webid-oidc/program.scm:718 +#: src/scm/webid-oidc/program.scm:620 src/scm/webid-oidc/program.scm:692 #, scheme-format msgid "You must pass --~a to set the authorization endpoint URI.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:648 src/scm/webid-oidc/program.scm:722 +#: src/scm/webid-oidc/program.scm:624 src/scm/webid-oidc/program.scm:696 #, scheme-format msgid "You must pass --~a to set the token endpoint URI.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:670 +#: src/scm/webid-oidc/program.scm:644 #, scheme-format msgid "You must pass --~a to set the application web ID.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:674 +#: src/scm/webid-oidc/program.scm:648 #, scheme-format msgid "You must pass --~a to set the redirection URI.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:678 +#: src/scm/webid-oidc/program.scm:652 #, scheme-format msgid "You must pass --~a to set the informative client name.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:682 +#: src/scm/webid-oidc/program.scm:656 #, scheme-format msgid "You must pass --~a to set the informative client URI.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:773 +#: src/scm/webid-oidc/program.scm:743 #, scheme-format msgid "Unknown command ~s\n" msgstr "" diff --git a/src/scm/webid-oidc/client.scm b/src/scm/webid-oidc/client.scm index aea2b7e..30cbc75 100644 --- a/src/scm/webid-oidc/client.scm +++ b/src/scm/webid-oidc/client.scm @@ -455,7 +455,8 @@ (error "Unknown key type of ~S." key))) #:htm method #:htu uri - #:iat current-time))) + #:iat current-time + #:access-token access-token))) (receive (response response-body) (apply http-request uri #:method method 
diff --git a/src/scm/webid-oidc/dpop-proof.scm b/src/scm/webid-oidc/dpop-proof.scm index c716c33..54b338b 100644 --- a/src/scm/webid-oidc/dpop-proof.scm +++ b/src/scm/webid-oidc/dpop-proof.scm @@ -62,7 +62,8 @@ (let ((jti (assq-ref x 'jti)) (htm (assq-ref x 'htm)) (htu (assq-ref x 'htu)) - (iat (assq-ref x 'iat))) + (iat (assq-ref x 'iat)) + (ath (assq-ref x 'ath))) (unless (and jti (string? jti)) (raise-incorrect-jti-field jti)) (unless (and htm (string? htm)) @@ -71,6 +72,8 @@ (raise-incorrect-htu-field htu)) (unless (and iat (integer? iat)) (raise-incorrect-iat-field iat)) + (unless (or (not ath) (string? ath)) + (raise-incorrect-ath-field ath)) x))))) (define-public (dpop-proof-payload? x) @@ -100,7 +103,7 @@ (typ . "dpop+jwt") (jwk . ,(stubs:strip-key jwk))))) -(define-public (make-dpop-proof-payload jti htm htu iat) +(define-public (make-dpop-proof-payload jti htm htu iat ath) (when (symbol? htm) (set! htm (symbol->string htm))) (when (uri? htu) @@ -113,7 +116,10 @@ `((jti . ,jti) (htm . ,htm) (htu . ,htu) - (iat . ,iat)))) + (iat . ,iat) + ,@(if ath + `((ath . ,ath)) + '())))) (define-public (dpop-proof-header dpop) (car (the-dpop-proof dpop))) @@ -159,6 +165,12 @@ (assq-ref (the-dpop-proof-payload dpop) 'iat)))) +(define-public (dpop-proof-ath dpop) + (when (dpop-proof? dpop) + (set! dpop (dpop-proof-payload dpop))) + (assq-ref (the-dpop-proof-payload dpop) + 'ath)) + (define (uris-compatible a b) ;; a is what is signed, b is the request (unless @@ -174,7 +186,9 @@ (uri-path b)))) (raise-dpop-uri-mismatch a b))) -(define-public (dpop-proof-decode current-time jti-list method uri str cnf/check) +(define*-public (dpop-proof-decode current-time jti-list method uri str cnf/check + #:key + (access-token #f)) (when (date? current-time) (set! current-time (date->time-utc current-time))) (when (time? current-time) 
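Review bot: The new `ath` validation in the `@@ -71,6 +72,8 @@` hunk calls `raise-incorrect-ath-field`, but nothing in this commit defines it: the errors.scm hunks add `&incorrect-ath-field` and `make-incorrect-ath-field` only, and the 39-line diffstat for errors.scm is fully covered by the visible hunks, so a proof carrying a non-string `ath` claim (say a number) would surface as an unbound-variable error instead of the intended decode failure. Either add `(define-public (raise-incorrect-ath-field value) (raise-exception ((record-constructor &incorrect-ath-field) value)))` beside `raise-incorrect-htu-field` in errors.scm, or call the constructor directly here: `(raise-exception (make-incorrect-ath-field ath))`. None of the three new tests sends a malformed `ath`, which is why the suite does not catch this. The function enclosing this hunk starts before it.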
@@ -195,6 +209,11 @@ (raise-dpop-signed-in-future iat current-time)) (unless (<= current-time (+ iat 120)) ;; Valid for 2 min (raise-dpop-too-old iat current-time))) + (when access-token + (let ((h (stubs:hash 'SHA-256 access-token))) + (unless (equal? (dpop-proof-ath decoded) h) + (raise-exception + (make-dpop-invalid-access-token-hash (dpop-proof-ath decoded) access-token))))) (if (string? cnf/check) (unless (equal? cnf/check (stubs:jkt (dpop-proof-jwk decoded))) (raise-dpop-unconfirmed-key (dpop-proof-jwk decoded) cnf/check #f)) @@ -226,8 +245,11 @@ (alg #f) (htm #f) (htu #f) - (iat #f)) + (iat #f) + (access-token #f)) (dpop-proof-encode (make-dpop-proof (make-dpop-proof-header alg client-key) - (make-dpop-proof-payload (stubs:random 12) htm htu iat)) + (make-dpop-proof-payload (stubs:random 12) htm htu iat + (and access-token + (stubs:hash 'SHA-256 access-token)))) client-key)) diff --git a/src/scm/webid-oidc/errors.scm b/src/scm/webid-oidc/errors.scm index d494c7d..beccc35 100644 --- a/src/scm/webid-oidc/errors.scm +++ b/src/scm/webid-oidc/errors.scm @@ -401,6 +401,18 @@ &external-error '(value))) +(define-exception-type + &incorrect-ath-field + &external-error + make-incorrect-ath-field + incorrect-ath-field? + (value incorrect-ath-field-value)) + +(export &incorrect-ath-field + make-incorrect-ath-field + incorrect-ath-field? + incorrect-ath-field-value) + (define-public (raise-incorrect-htu-field value) (raise-exception ((record-constructor &incorrect-htu-field) value))) 
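Review bot: The `ath` comparison added to `dpop-proof-decode` assumes `stubs:hash 'SHA-256` yields exactly what RFC 9449 §4.2 prescribes for `ath` — unpadded base64url of the SHA-256 of the ASCII token — but that helper's output encoding is not visible here, and since `issue-dpop-proof` uses the same helper, the round-trip tests would pass even if it returned hex or padded base64. A proof from another DPoP client, or one of ours presented to another resource server, would then be rejected. Pin the encoding with the worked example in RFC 9449 (§7.1 gives an access token and its `ath`) and say so on the `h` binding: `;; ath = base64url(SHA-256(token)), no padding (RFC 9449 §4.2)`. The check is also skipped entirely when `#:access-token` is `#f`, even if the proof carries an `ath`; that is right for the token endpoint but deserves a one-line comment. `dpop-proof-decode` starts in the previous hunk.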
@@ -543,6 +555,20 @@ (raise-exception ((record-constructor &dpop-unconfirmed-key) key expected cause))) +(define-exception-type + &dpop-invalid-access-token-hash + &external-error + make-dpop-invalid-access-token-hash + dpop-invalid-access-token-hash? + (hash dpop-invalid-access-token-hash-hash) + (access-token dpop-invalid-access-token-hash-access-token)) + +(export &dpop-invalid-access-token-hash + make-dpop-invalid-access-token-hash + dpop-invalid-access-token-hash? + dpop-invalid-access-token-hash-hash + dpop-invalid-access-token-hash-access-token) + (define-public &jti-found (make-exception-type '&jti-found @@ -1227,6 +1253,11 @@ (if value (format #f (G_ "the htu field is incorrect: ~s") value) (format #f (G_ "the htu field is missing"))))) + ((&incorrect-ath-field) + (let ((value (get 'value))) + (if value + (format #f (G_ "the ath field is incorrect: ~s") value) + (format #f (G_ "the ath field is missing"))))) ((¬-an-access-token) (format #f (G_ "~s is not an access token (because ~a)") (get 'value) (recurse (get 'cause)))) @@ -1288,6 +1319,14 @@ (format #f (G_ "the key confirmation of ~s failed (because ~a)") key (recurse cause))) (else (format #f (G_ "the key confirmation of ~s failed") key))))) + ((&dpop-invalid-access-token-hash) + (let ((h (get 'hash)) + (at (get 'access-token))) + (if h + (format #f (G_ "the DPoP proof is bound to an access token with hash ~s, not ~s") + h at) + (format #f (G_ "the DPoP proof should be bound to the access token ~s") + at)))) ((&jti-found) (format #f (G_ "the jti ~s has already been found (because ~a)") (get 'jti) (recurse (get 'cause)))) diff --git a/src/scm/webid-oidc/resource-server.scm b/src/scm/webid-oidc/resource-server.scm index a8e88f5..2d1c798 100644 --- a/src/scm/webid-oidc/resource-server.scm +++ b/src/scm/webid-oidc/resource-server.scm 
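Review bot: The `&dpop-invalid-access-token-hash` message in the `@@ -1288,6 +1319,14 @@` hunk prints the `access-token` field with `~s`, and resource-server.scm passes the literal bearer token as that field, so the full credential ends up in whatever `error->str` feeds — logs and possibly the HTTP error body. The message also compares unlike things, a hash against a token. Store the expected hash instead, which `dpop-proof-decode` already computes as `h`, and phrase it as `(format #f (G_ "the DPoP proof is bound to an access token with hash ~s, but the presented access token hashes to ~s") h expected)`, naming the record's second field `expected-hash` in the earlier hunk. If the raw token must be retained for debugging, it should at least never reach the formatted string.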
@@ -94,15 +94,15 @@ (error->str error)) #f) (lambda () - (let* ((access-token - (access-token-decode - (symbol->string (cadr authz)) - #:http-get http-get)) + (let* ((lit-access-token (symbol->string (cadr authz))) + (access-token + (access-token-decode lit-access-token + #:http-get http-get)) (cnf/jkt (access-token-cnf/jkt access-token)) (dpop-proof (dpop-proof-decode current-time jti-list method full-uri - dpop cnf/jkt))) + dpop cnf/jkt #:access-token lit-access-token))) (let ((subject (access-token-webid access-token)) (issuer (access-token-iss access-token))) (confirm-provider subject issuer #:http-get http-get) diff --git a/tests/Makefile.am b/tests/Makefile.am index dfcbefe..086ccbd 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -34,12 +34,15 @@ TESTS = %reldir%/load-library.scm \ %reldir%/cache-revalidate.scm \ %reldir%/oidc-configuration.scm \ %reldir%/dpop-proof-valid.scm \ + %reldir%/dpop-proof-valid-ath.scm \ %reldir%/dpop-proof-wrong-htm.scm \ %reldir%/dpop-proof-wrong-htu.scm \ %reldir%/dpop-proof-iat-in-future.scm \ %reldir%/dpop-proof-iat-too-late.scm \ %reldir%/dpop-proof-wrong-key.scm \ %reldir%/dpop-proof-replay.scm \ + %reldir%/dpop-proof-no-ath.scm \ + %reldir%/dpop-proof-invalid-ath.scm \ %reldir%/client-manifest-public.scm \ %reldir%/client-manifest.scm \ %reldir%/client-manifest-fraudulent.scm \ diff --git a/tests/dpop-proof-invalid-ath.scm b/tests/dpop-proof-invalid-ath.scm new file mode 100644 index 0000000..e802ffe --- /dev/null +++ b/tests/dpop-proof-invalid-ath.scm 
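Review bot: The value hashed for `ath` is `lit-access-token`, i.e. the token after Guile's Authorization header parser turned it into a symbol and `symbol->string` turned it back; RFC 9449 defines `ath` over the token value exactly as presented in the header, so any normalization the parser applies (case folding, trimming, splitting on `=` or `,`) would make a correct proof fail. The failure is closed — the request is rejected — so this is an interoperability rather than a bypass risk, and the updated tests/resource-server.scm does exercise the parsed path, but I cannot see from here whether the parser preserves the bytes. A comment on the binding would help the next reader: `;; ath must cover the token bytes exactly as the client sent them (RFC 9449 §4.2)`. The enclosing handler starts before this hunk.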
@@ -0,0 +1,73 @@ +;; webid-oidc, implementation of the Solid specification +;; Copyright (C) 2021 Vivien Kraus + +;; This program is free software: you can redistribute it and/or modify +;; it under the terms of the GNU Affero General Public License as +;; published by the Free Software Foundation, either version 3 of the +;; License, or (at your option) any later version. + +;; This program is distributed in the hope that it will be useful, +;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;; GNU Affero General Public License for more details. + +;; You should have received a copy of the GNU Affero General Public License +;; along with this program. If not, see <https://www.gnu.org/licenses/>. + +(use-modules (webid-oidc dpop-proof) + (webid-oidc access-token) + (webid-oidc jti) + (webid-oidc jwk) + (webid-oidc testing) + (webid-oidc errors) + ((webid-oidc stubs) #:prefix stubs:) + (web uri) + (srfi srfi-19) + (web response)) + +(with-test-environment + "dpop-proof-invalid-ath" + (lambda () + (define jwk (generate-key #:n-size 2048)) + (define idp-key (generate-key #:n-size 2048)) + (define cnf (jkt jwk)) + (define blacklist (make-jti-list)) + (define access-token + (issue-access-token + idp-key + #:alg 'RS256 + #:webid "https://data.provider/subject" + #:iss "https://identity.provider" + #:iat 10 + #:exp 3610 + #:client-key jwk + #:client-id "https://client")) + (define proof + (issue-dpop-proof + jwk + #:alg 'RS256 + #:htm 'GET + #:htu (string->uri "https://example.com/res?query") + #:iat (time-utc->date (make-time time-utc 0 0)) + #:access-token "aaaaaaaaaaaaaaa")) + (with-exception-handler + (lambda (error) + (let ((cause + ((record-accessor &cannot-decode-dpop-proof 'cause) error))) + (unless (dpop-invalid-access-token-hash? cause) + (raise-exception error)) + (unless (and (equal? (dpop-invalid-access-token-hash-hash cause) + (stubs:hash 'SHA-256 "aaaaaaaaaaaaaaa")) + (equal? 
(dpop-invalid-access-token-hash-access-token cause) access-token)) + (exit 1)))) + (lambda () + (dpop-proof-decode (time-utc->date (make-time time-utc 0 10)) + blacklist + 'GET + (string->uri "https://example.com/res?query") + proof + cnf + #:access-token access-token) + (exit 2)) + #:unwind? #t + #:unwind-for-type &cannot-decode-dpop-proof))) diff --git a/tests/dpop-proof-no-ath.scm b/tests/dpop-proof-no-ath.scm new file mode 100644 index 0000000..67b8a70 --- /dev/null +++ b/tests/dpop-proof-no-ath.scm 
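Review bot: This test covers a wrong `ath` but not a malformed one; a proof whose payload is assembled by hand with a non-string `ath` (or an empty string) would exercise the new `(unless (or (not ath) (string? ath)) ...)` branch in dpop-proof.scm, which no test reaches and which references a `raise-incorrect-ath-field` helper I cannot find in this commit. A short test modelled on this file that signs such a payload and expects `&cannot-decode-dpop-proof` wrapping `incorrect-ath-field?` would pin that behaviour. Also, `(exit 1)` on the field comparison discards the reason; re-raising `error` as the neighbouring branch does would give a usable failure message.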
@@ -0,0 +1,59 @@ +;; webid-oidc, implementation of the Solid specification +;; Copyright (C) 2021 Vivien Kraus + +;; This program is free software: you can redistribute it and/or modify +;; it under the terms of the GNU Affero General Public License as +;; published by the Free Software Foundation, either version 3 of the +;; License, or (at your option) any later version. + +;; This program is distributed in the hope that it will be useful, +;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;; GNU Affero General Public License for more details. + +;; You should have received a copy of the GNU Affero General Public License +;; along with this program. If not, see <https://www.gnu.org/licenses/>. + +(use-modules (webid-oidc dpop-proof) + (webid-oidc jti) + (webid-oidc jwk) + (webid-oidc testing) + (webid-oidc errors) + (web uri) + (srfi srfi-19) + (web response)) + +(with-test-environment + "dpop-proof-no-ath" + (lambda () + (define jwk (generate-key #:n-size 2048)) + (define cnf (jkt jwk)) + (define blacklist (make-jti-list)) + (define proof + (issue-dpop-proof + jwk + #:alg 'RS256 + #:htm 'GET + #:htu (string->uri "https://example.com/res?query") + #:iat (time-utc->date (make-time time-utc 0 0)))) + (with-exception-handler + (lambda (error) + (let ((cause + ((record-accessor &cannot-decode-dpop-proof 'cause) error))) + (unless (dpop-invalid-access-token-hash? cause) + (raise-exception error)) + (when (dpop-invalid-access-token-hash-hash cause) + ;; An #f value for hash indicates that there was no ath + ;; claim + (exit 1)))) + (lambda () + (dpop-proof-decode (time-utc->date (make-time time-utc 0 10)) + blacklist + 'GET + (string->uri "https://example.com/res?query") + proof + cnf + #:access-token "aaa") + (exit 2)) + #:unwind? #t + #:unwind-for-type &cannot-decode-dpop-proof))) 
diff --git a/tests/dpop-proof-valid-ath.scm b/tests/dpop-proof-valid-ath.scm new file mode 100644 index 0000000..259190f --- /dev/null +++ b/tests/dpop-proof-valid-ath.scm 
@@ -0,0 +1,60 @@ +;; webid-oidc, implementation of the Solid specification +;; Copyright (C) 2020, 2021 Vivien Kraus + +;; This program is free software: you can redistribute it and/or modify +;; it under the terms of the GNU Affero General Public License as +;; published by the Free Software Foundation, either version 3 of the +;; License, or (at your option) any later version. + +;; This program is distributed in the hope that it will be useful, +;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;; GNU Affero General Public License for more details. + +;; You should have received a copy of the GNU Affero General Public License +;; along with this program. If not, see <https://www.gnu.org/licenses/>. + +(use-modules (webid-oidc dpop-proof) + (webid-oidc access-token) + (webid-oidc jti) + (webid-oidc jwk) + (webid-oidc testing) + (web uri) + (srfi srfi-19) + (web response)) + +(with-test-environment + "dpop-proof-valid" + (lambda () + (define jwk (generate-key #:n-size 2048)) + (define idp-key (generate-key #:n-size 2048)) + (define cnf (jkt jwk)) + (define blacklist (make-jti-list)) + (define access-token + (issue-access-token + idp-key + #:alg 'RS256 + #:webid "https://data.provider/subject" + #:iss "https://identity.provider" + #:iat 10 + #:exp 3610 + #:client-key jwk + #:client-id "https://client")) + (define proof + (issue-dpop-proof + jwk + #:alg 'RS256 + #:htm 'GET + #:htu (string->uri "https://example.com/res#frag") + #:iat (time-utc->date (make-time time-utc 0 0)) + #:access-token access-token)) + (define decoded + (dpop-proof-decode (time-utc->date (make-time time-utc 0 10)) + blacklist + 'GET + (string->uri "https://example.com/res?query") + proof + cnf + #:access-token access-token)) + (unless decoded + (exit 1)))) diff --git a/tests/resource-server.scm b/tests/resource-server.scm index 1a8e30a..ef5e0b7 100644 --- a/tests/resource-server.scm +++ b/tests/resource-server.scm 
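Review bot: The test environment is named `"dpop-proof-valid"`, the same name as the existing tests/dpop-proof-valid.scm listed in tests/Makefile.am, and the header reads `Copyright (C) 2020, 2021` for a file created in this commit; both look like leftovers of copying that file. If `with-test-environment` derives per-test directories or log files from the name (its definition is not visible here), two tests sharing it can interfere under a parallel `make check`; rename it to `"dpop-proof-valid-ath"`. This is also the only positive `ath` case and it changes the `htu` relative to the existing test (`#frag` signed, `?query` requested) at the same time, so a failure would not say which of the two it is about.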
@@ -73,7 +73,8 @@ #:alg 'RS256 #:htm method #:htu uri - #:iat (time-utc->date (make-time time-utc 0 15)))) + #:iat (time-utc->date (make-time time-utc 0 15)) + #:access-token access-token)) (define rq (call-with-input-string (format #f "GET /resource HTTP/1.1\r\n\ |