comparison mod_http_oauth2/mod_http_oauth2.lua @ 5511:0860497152af

mod_http_oauth2: Record hash of client_id to allow future verification

RFC 6819 section 5.2.2.2 states that refresh tokens MUST be bound to the client. In order to do that, we must record something that can definitely tie the client to the grant. Since the full client_id is so large (which is why we have the client_subset function), a hash of it is stored instead.
author Kim Alvefur <zash@zash.se>
date Fri, 02 Jun 2023 10:14:16 +0200
parents a49d73e4262e
children 1fbc8718bed6
102 if not verify_client then 102 if not verify_client then
103 return nil, "client-registration-not-enabled"; 103 return nil, "client-registration-not-enabled";
104 end 104 end
105 105
106 local ok, client = verify_client(client_id); 106 local ok, client = verify_client(client_id);
107 if not ok then return ok, client; end 107 if not ok then
108 return ok, client;
109 end
110
111 client.client_hash = b64url(hashes.sha256(client_id));
108 return client; 112 return client;
109 end 113 end
110 114
111 -- scope : string | array | set 115 -- scope : string | array | set
112 -- 116 --
219 223
220 -- client_id / client_metadata are pretty large, filter out a subset of 224 -- client_id / client_metadata are pretty large, filter out a subset of
221 -- properties that are deemed useful e.g. in case tokens issued to a certain 225 -- properties that are deemed useful e.g. in case tokens issued to a certain
222 -- client needs to be revoked 226 -- client needs to be revoked
223 local function client_subset(client) 227 local function client_subset(client)
224 return { name = client.client_name; uri = client.client_uri; id = client.software_id; version = client.software_version }; 228 return {
229 name = client.client_name;
230 uri = client.client_uri;
231 id = client.software_id;
232 version = client.software_version;
233 hash = client.client_hash;
234 };
225 end 235 end
226 236
227 local function new_access_token(token_jid, role, scope_string, client, id_token, refresh_token_info) 237 local function new_access_token(token_jid, role, scope_string, client, id_token, refresh_token_info)
228 local token_data = { oauth2_scopes = scope_string, oauth2_client = nil }; 238 local token_data = { oauth2_scopes = scope_string, oauth2_client = nil };
229 if client then 239 if client then