comparison mod_http_oauth2/mod_http_oauth2.lua @ 5219:25e824f64fd3

mod_http_oauth2: Improve handling of redirect_uri matching and fallback Per OAuth 2.1, the client MUST provide a redirect_uri explicitly if it registered multiple. If it only registered a single URI, it may be omitted from the authorize request.
author Matthew Wild <mwild1@gmail.com>
date Tue, 07 Mar 2023 13:19:19 +0000
parents 1f4b768c831a
children 22483cfce3ce
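--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -143,12 +143,21 @@
 -- TODO: include refresh_token when implemented
 };
 end
 
 local function get_redirect_uri(client, query_redirect_uri) -- record client, string : string
+if not query_redirect_uri then
+if #client.redirect_uris ~= 1 then
+-- Client registered multiple URIs, it needs specify which one to use
+return;
+end
+-- When only a single URI is registered, that's the default
+return client.redirect_uris[1];
+end
+-- Verify the client-provided URI matches one previously registered
 for _, redirect_uri in ipairs(client.redirect_uris) do
-if query_redirect_uri == nil or query_redirect_uri == redirect_uri then
+if query_redirect_uri == redirect_uri then
 return redirect_uri
 end
 end
 end
 
@@ -197,10 +206,12 @@
 title = "Your authorization code";
 message = "Here's your authorization code, copy and paste it into " .. (client.client_name or "your client");
 extra = code;
 }) or ("Here's your authorization code:\n%s\n"):format(code);
 return response;
+elseif not redirect_uri then
+return {status_code = 400};
 end
 
 local redirect = url.parse(redirect_uri);
 
 local query = http.formdecode(redirect.query or "");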
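Review bot: The new `elseif not redirect_uri then return {status_code = 400}` branch (new line 211-212) answers with a 400 that carries only a status code and no body, so a user whose client omitted or mistyped `redirect_uri` gets a blank page and the client author has nothing to debug from. RFC 6749 §4.1.2.1 requires that the server not redirect in this case — which the branch correctly avoids — but also that it inform the resource owner, so something like `return {status_code = 400; body = "Missing or unregistered redirect_uri"};` would keep the behaviour and add the diagnostic. By the time `get_redirect_uri` returns nil the distinction between "mismatch" and "omitted with several registered URIs" is lost, so the message should stay generic and must not echo the registered URIs back. The enclosing function starts before this hunk, so the out-of-band branch that precedes the new `elseif` is not visible here.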