Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5716:426c42c11f89
mod_http_oauth2: Make defaults more secure
This should be fine since we don't have a lot of clients to be
backwards-compatible with.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 14 Nov 2023 23:19:19 +0100 |
| parents | 8488ebde5739 |
| children | d563a6b0dfb7 |
comparison
equal
deleted
inserted
replaced
| 5715:8488ebde5739 | 5716:426c42c11f89 |
|---|---|
| 109 local registration_algo = module:get_option_string("oauth2_registration_algorithm", "HS256"); | 109 local registration_algo = module:get_option_string("oauth2_registration_algorithm", "HS256"); |
| 110 local registration_ttl = module:get_option("oauth2_registration_ttl", nil); | 110 local registration_ttl = module:get_option("oauth2_registration_ttl", nil); |
| 111 local registration_options = module:get_option("oauth2_registration_options", | 111 local registration_options = module:get_option("oauth2_registration_options", |
| 112 { default_ttl = registration_ttl; accept_expired = not registration_ttl }); | 112 { default_ttl = registration_ttl; accept_expired = not registration_ttl }); |
| 113 | 113 |
| 114 -- Flip these for Extra Security! | 114 local pkce_required = module:get_option_boolean("oauth2_require_code_challenge", true); |
| 115 local pkce_required = module:get_option_boolean("oauth2_require_code_challenge", false); | 115 local respect_prompt = module:get_option_boolean("oauth2_respect_oidc_prompt", false); |
| 116 local respect_prompt = module:get_option_boolean("oauth2_respect_oidc_prompt", true); | |
| 117 | 116 |
| 118 local verification_key; | 117 local verification_key; |
| 119 local sign_client, verify_client; | 118 local sign_client, verify_client; |
| 120 if registration_key then | 119 if registration_key then |
| 121 -- Tie it to the host if global | 120 -- Tie it to the host if global |
| 753 }; | 752 }; |
| 754 end | 753 end |
| 755 | 754 |
| 756 local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", { | 755 local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", { |
| 757 "authorization_code"; | 756 "authorization_code"; |
| 758 "password"; -- TODO Disable. The resource owner password credentials grant [RFC6749] MUST NOT be used. | |
| 759 "refresh_token"; | 757 "refresh_token"; |
| 760 device_uri; | 758 device_uri; |
| 761 }) | 759 }) |
| 762 if allowed_grant_type_handlers:contains("device_code") then | 760 if allowed_grant_type_handlers:contains("device_code") then |
| 763 -- expand short form because that URI is long | 761 -- expand short form because that URI is long |
| 783 else | 781 else |
| 784 module:log("debug", "Response type %q enabled", handler_type); | 782 module:log("debug", "Response type %q enabled", handler_type); |
| 785 end | 783 end |
| 786 end | 784 end |
| 787 | 785 |
| 788 local allowed_challenge_methods = module:get_option_set("allowed_oauth2_code_challenge_methods", { "plain"; "S256" }) | 786 local allowed_challenge_methods = module:get_option_set("allowed_oauth2_code_challenge_methods", { "S256" }) |
| 789 for handler_type in pairs(verifier_transforms) do | 787 for handler_type in pairs(verifier_transforms) do |
| 790 if not allowed_challenge_methods:contains(handler_type) then | 788 if not allowed_challenge_methods:contains(handler_type) then |
| 791 module:log("debug", "Challenge method %q disabled", handler_type); | 789 module:log("debug", "Challenge method %q disabled", handler_type); |
| 792 verifier_transforms[handler_type] = nil; | 790 verifier_transforms[handler_type] = nil; |
| 793 else | 791 else |