comparison mod_http_oauth2/mod_http_oauth2.lua @ 5219:25e824f64fd3
mod_http_oauth2: Improve handling of redirect_uri matching and fallback
Per OAuth 2.1, the client MUST provide a redirect_uri explicitly if it
registered multiple. If it only registered a single URI, it may be omitted
from the authorize request.
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Tue, 07 Mar 2023 13:19:19 +0000 |
parents | 1f4b768c831a |
children | 22483cfce3ce |
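--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -143,12 +143,21 @@
 -- TODO: include refresh_token when implemented
 };
 end
 
 local function get_redirect_uri(client, query_redirect_uri) -- record client, string : string
+if not query_redirect_uri then
+if #client.redirect_uris ~= 1 then
+-- Client registered multiple URIs, it needs specify which one to use
+return;
+end
+-- When only a single URI is registered, that's the default
+return client.redirect_uris[1];
+end
+-- Verify the client-provided URI matches one previously registered
 for _, redirect_uri in ipairs(client.redirect_uris) do
-if query_redirect_uri == nil or query_redirect_uri == redirect_uri then
+if query_redirect_uri == redirect_uri then
 return redirect_uri
 end
 end
 end
 
@@ -197,10 +206,12 @@
 title = "Your authorization code";
 message = "Here's your authorization code, copy and paste it into " .. (client.client_name or "your client");
 extra = code;
 }) or ("Here's your authorization code:\n%s\n"):format(code);
 return response;
+elseif not redirect_uri then
+return {status_code = 400};
 end
 
 local redirect = url.parse(redirect_uri);
 
 local query = http.formdecode(redirect.query or "");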
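Review bot: The new `elseif not redirect_uri then return {status_code = 400}; end` branch in the second hunk answers with a bare 400 and nothing else, so a client that omitted redirect_uri while having several registered, one that sent a URI matching none of the registered ones, and one with an empty registration all get the same silent response with no way for an operator to tell them apart; the enclosing handler and the `if` chain this `elseif` belongs to start outside the hunk. Refusing to redirect here is correct, since a redirect_uri that was not pre-registered cannot be trusted to deliver the code to the right party, but I would add a body and a debug log naming the client, e.g. `module:log("debug", "Invalid or missing redirect_uri for client %s", client.client_name or "?");` followed by `return {status_code = 400; body = "Invalid or missing redirect_uri"};`. In get_redirect_uri (first hunk) the comparison is plain string equality, which is the exact-match rule OAuth 2.1 requires for redirect URIs; a comment such as `-- Exact string comparison only: no prefix, wildcard or normalisation` on the loop would make that deliberate, and the added comment "it needs specify which one" reads better as "it needs to specify which one".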