prosody-modules: mod_http_oauth2/mod_http

comparison mod_http_oauth2/mod_http_oauth2.lua @ 5511:0860497152af

mod_http_oauth2: Record hash of client_id to allow future verification RFC 6819 section 5.2.2.2 states that refresh tokens MUST be bound to the client. In order to do that, we must record something that can definitely tie the client to the grant. Since the full client_id is so large (why we have this client_subset function), a hash is stored instead.

author	Kim Alvefur <zash@zash.se>
date	Fri, 02 Jun 2023 10:14:16 +0200
parents	a49d73e4262e
children	1fbc8718bed6

comparison

equal deleted inserted replaced

-:a49d73e4262e
+:0860497152af
 	if not verify_client then
 		return nil, "client-registration-not-enabled";
 	end
 	local ok, client = verify_client(client_id);
-	if not ok then return ok, client; end
+	if not ok then
+		return ok, client;
+	end
+	client.client_hash = b64url(hashes.sha256(client_id));
 	return client;
 end
 -- scope : string | array | set
 --
 -- client_id / client_metadata are pretty large, filter out a subset of
 -- properties that are deemed useful e.g. in case tokens issued to a certain
 -- client needs to be revoked
 local function client_subset(client)
-	return { name = client.client_name; uri = client.client_uri; id = client.software_id; version = client.software_version };
+	return {
+		name = client.client_name;
+		uri = client.client_uri;
+		id = client.software_id;
+		version = client.software_version;
+		hash = client.client_hash;
+	};
 end
 local function new_access_token(token_jid, role, scope_string, client, id_token, refresh_token_info)
 	local token_data = { oauth2_scopes = scope_string, oauth2_client = nil };
 	if client then

Mercurial > prosody-modules

comparison mod_http_oauth2/mod_http_oauth2.lua @ 5511:0860497152af