comparison mod_http_oauth2/mod_http_oauth2.lua @ 5512:1fbc8718bed6

mod_http_oauth2: Bind refresh tokens to client Prevent one OAuth client from using the refresh tokens issued to another client as required by RFC 6819 section 5.2.2.2 See also draft-ietf-oauth-security-topics-22 section 2.2.2 Thanks to OAuch for pointing out this issue
author Kim Alvefur <zash@zash.se>
date Fri, 02 Jun 2023 10:40:48 +0200
parents 0860497152af
children 0005d4201030
comparison
equal deleted inserted replaced
5511:0860497152af 5512:1fbc8718bed6
476 end 476 end
477 477
478 local refresh_token_info = tokens.get_token_info(params.refresh_token); 478 local refresh_token_info = tokens.get_token_info(params.refresh_token);
479 if not refresh_token_info or refresh_token_info.purpose ~= "oauth2-refresh" then 479 if not refresh_token_info or refresh_token_info.purpose ~= "oauth2-refresh" then
480 return oauth_error("invalid_grant", "invalid refresh token"); 480 return oauth_error("invalid_grant", "invalid refresh token");
481 end
482
483 local refresh_token_client = refresh_token_info.grant.data.oauth2_client;
484 if not refresh_token_client.hash or refresh_token_client.hash ~= client.client_hash then
485 module:log("warn", "OAuth client %q (%s) tried to use refresh token belonging to %q (%s)", client.client_name, client.client_hash,
486 refresh_token_client.name, refresh_token_client.hash);
487 return oauth_error("unauthorized_client", "incorrect credentials");
481 end 488 end
482 489
483 local refresh_scopes = refresh_token_info.grant.data.oauth2_scopes; 490 local refresh_scopes = refresh_token_info.grant.data.oauth2_scopes;
484 491
485 if params.scope then 492 if params.scope then