comparison mod_http_oauth2/mod_http_oauth2.lua @ 5459:260a859be86a

mod_http_oauth2: Rename variables to improve clarity
author Kim Alvefur <zash@zash.se>
date Wed, 17 May 2023 00:09:37 +0200
parents 813fe4f76286
children c0d62c1b4424
5458:813fe4f76286 5459:260a859be86a
82 { default_ttl = registration_ttl; accept_expired = not registration_ttl }); 82 { default_ttl = registration_ttl; accept_expired = not registration_ttl });
83 83
84 local pkce_required = module:get_option_boolean("oauth2_require_code_challenge", false); 84 local pkce_required = module:get_option_boolean("oauth2_require_code_challenge", false);
85 85
86 local verification_key; 86 local verification_key;
87 local jwt_sign, jwt_verify; 87 local sign_client, verify_client;
88 if registration_key then 88 if registration_key then
89 -- Tie it to the host if global 89 -- Tie it to the host if global
90 verification_key = hashes.hmac_sha256(registration_key, module.host); 90 verification_key = hashes.hmac_sha256(registration_key, module.host);
91 jwt_sign, jwt_verify = jwt.init(registration_algo, registration_key, registration_key, registration_options); 91 sign_client, verify_client = jwt.init(registration_algo, registration_key, registration_key, registration_options);
92 end 92 end
93 93
94 -- scope : string | array | set 94 -- scope : string | array | set
95 -- 95 --
96 -- at each step, allow the same or a subset of scopes 96 -- at each step, allow the same or a subset of scopes
372 if params.scope and params.scope ~= "" then 372 if params.scope and params.scope ~= "" then
373 -- FIXME allow a subset of granted scopes 373 -- FIXME allow a subset of granted scopes
374 return oauth_error("invalid_scope", "unknown scope requested"); 374 return oauth_error("invalid_scope", "unknown scope requested");
375 end 375 end
376 376
377 local client_ok, client = jwt_verify(params.client_id); 377 local client_ok, client = verify_client(params.client_id);
378 if not client_ok then 378 if not client_ok then
379 return oauth_error("invalid_client", "incorrect credentials"); 379 return oauth_error("invalid_client", "incorrect credentials");
380 end 380 end
381 381
382 if not verify_client_secret(params.client_id, params.client_secret) then 382 if not verify_client_secret(params.client_id, params.client_secret) then
407 function grant_type_handlers.refresh_token(params) 407 function grant_type_handlers.refresh_token(params)
408 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end 408 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
409 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end 409 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
410 if not params.refresh_token then return oauth_error("invalid_request", "missing 'refresh_token'"); end 410 if not params.refresh_token then return oauth_error("invalid_request", "missing 'refresh_token'"); end
411 411
412 local client_ok, client = jwt_verify(params.client_id); 412 local client_ok, client = verify_client(params.client_id);
413 if not client_ok then 413 if not client_ok then
414 return oauth_error("invalid_client", "incorrect credentials"); 414 return oauth_error("invalid_client", "incorrect credentials");
415 end 415 end
416 416
417 if not verify_client_secret(params.client_id, params.client_secret) then 417 if not verify_client_secret(params.client_id, params.client_secret) then
658 return error_response(request, oauth_error("invalid_request")); 658 return error_response(request, oauth_error("invalid_request"));
659 end 659 end
660 660
661 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end 661 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
662 662
663 local ok, client = jwt_verify(params.client_id); 663 local ok, client = verify_client(params.client_id);
664 664
665 if not ok then 665 if not ok then
666 return oauth_error("invalid_client", "incorrect credentials"); 666 return oauth_error("invalid_client", "incorrect credentials");
667 end 667 end
668 668
884 -- Ensure each signed client_id JWT is unique, short ID and issued at 884 -- Ensure each signed client_id JWT is unique, short ID and issued at
885 -- timestamp should be sufficient to rule out brute force attacks 885 -- timestamp should be sufficient to rule out brute force attacks
886 client_metadata.nonce = id.short(); 886 client_metadata.nonce = id.short();
887 887
888 -- Do we want to keep everything? 888 -- Do we want to keep everything?
889 local client_id = jwt_sign(client_metadata); 889 local client_id = sign_client(client_metadata);
890 890
891 client_metadata.client_id = client_id; 891 client_metadata.client_id = client_id;
892 client_metadata.client_id_issued_at = os.time(); 892 client_metadata.client_id_issued_at = os.time();
893 893
894 if client_metadata.token_endpoint_auth_method ~= "none" then 894 if client_metadata.token_endpoint_auth_method ~= "none" then