comparison mod_http_oauth2/mod_http_oauth2.lua @ 5716:426c42c11f89
mod_http_oauth2: Make defaults more secure
This should be fine since we don't have a lot of clients to be
backwards-compatible with.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 14 Nov 2023 23:19:19 +0100 |
parents | 8488ebde5739 |
children | d563a6b0dfb7 |
5715:8488ebde5739 | 5716:426c42c11f89 |
---|---|
109 local registration_algo = module:get_option_string("oauth2_registration_algorithm", "HS256"); | 109 local registration_algo = module:get_option_string("oauth2_registration_algorithm", "HS256"); |
110 local registration_ttl = module:get_option("oauth2_registration_ttl", nil); | 110 local registration_ttl = module:get_option("oauth2_registration_ttl", nil); |
111 local registration_options = module:get_option("oauth2_registration_options", | 111 local registration_options = module:get_option("oauth2_registration_options", |
112 { default_ttl = registration_ttl; accept_expired = not registration_ttl }); | 112 { default_ttl = registration_ttl; accept_expired = not registration_ttl }); |
113 | 113 |
114 -- Flip these for Extra Security! | 114 local pkce_required = module:get_option_boolean("oauth2_require_code_challenge", true); |
115 local pkce_required = module:get_option_boolean("oauth2_require_code_challenge", false); | 115 local respect_prompt = module:get_option_boolean("oauth2_respect_oidc_prompt", false); |
116 local respect_prompt = module:get_option_boolean("oauth2_respect_oidc_prompt", true); | |
117 | 116 |
118 local verification_key; | 117 local verification_key; |
119 local sign_client, verify_client; | 118 local sign_client, verify_client; |
120 if registration_key then | 119 if registration_key then |
121 -- Tie it to the host if global | 120 -- Tie it to the host if global |
753 }; | 752 }; |
754 end | 753 end |
755 | 754 |
756 local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", { | 755 local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", { |
757 "authorization_code"; | 756 "authorization_code"; |
758 "password"; -- TODO Disable. The resource owner password credentials grant [RFC6749] MUST NOT be used. | |
759 "refresh_token"; | 757 "refresh_token"; |
760 device_uri; | 758 device_uri; |
761 }) | 759 }) |
762 if allowed_grant_type_handlers:contains("device_code") then | 760 if allowed_grant_type_handlers:contains("device_code") then |
763 -- expand short form because that URI is long | 761 -- expand short form because that URI is long |
783 else | 781 else |
784 module:log("debug", "Response type %q enabled", handler_type); | 782 module:log("debug", "Response type %q enabled", handler_type); |
785 end | 783 end |
786 end | 784 end |
787 | 785 |
788 local allowed_challenge_methods = module:get_option_set("allowed_oauth2_code_challenge_methods", { "plain"; "S256" }) | 786 local allowed_challenge_methods = module:get_option_set("allowed_oauth2_code_challenge_methods", { "S256" }) |
789 for handler_type in pairs(verifier_transforms) do | 787 for handler_type in pairs(verifier_transforms) do |
790 if not allowed_challenge_methods:contains(handler_type) then | 788 if not allowed_challenge_methods:contains(handler_type) then |
791 module:log("debug", "Challenge method %q disabled", handler_type); | 789 module:log("debug", "Challenge method %q disabled", handler_type); |
792 verifier_transforms[handler_type] = nil; | 790 verifier_transforms[handler_type] = nil; |
793 else | 791 else |
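Review bot: The first hunk drops the `-- Flip these for Extra Security!` comment without replacing it, so the new defaults for `oauth2_require_code_challenge` (now `true`) and `oauth2_respect_oidc_prompt` (now `false`) no longer say why they are the safe choice or what an operator gives up by changing them. A short comment above the new line 114 would keep that intent visible, e.g. `-- Secure defaults: PKCE is mandatory and the OIDC 'prompt' parameter is ignored unless explicitly enabled; relax only for known legacy clients.` The third hunk has the same gap: the default challenge-method set shrinks to `{ "S256" }` and the loop below removes `plain` from `verifier_transforms`, presumably making such requests fail, which is consistent with PKCE being required but deserves a line such as `-- "plain" is deliberately excluded by default; enable only if a legacy client needs it`. In the second hunk the removed TODO was the only record that the `password` grant MUST NOT be used; keeping a one-line comment at that spot would stop a future maintainer from re-adding it to the default set.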