comparison mod_http_oauth2/mod_http_oauth2.lua @ 5716:426c42c11f89

mod_http_oauth2: Make defaults more secure

This should be fine since we don't have a lot of clients to be backwards-compatible with.
author Kim Alvefur <zash@zash.se>
date Tue, 14 Nov 2023 23:19:19 +0100
parents 8488ebde5739
children d563a6b0dfb7
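--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -109,13 +109,12 @@
 local registration_algo = module:get_option_string("oauth2_registration_algorithm", "HS256");
 local registration_ttl = module:get_option("oauth2_registration_ttl", nil);
 local registration_options = module:get_option("oauth2_registration_options",
 { default_ttl = registration_ttl; accept_expired = not registration_ttl });
 
--- Flip these for Extra Security!
-local pkce_required = module:get_option_boolean("oauth2_require_code_challenge", false);
-local respect_prompt = module:get_option_boolean("oauth2_respect_oidc_prompt", true);
+local pkce_required = module:get_option_boolean("oauth2_require_code_challenge", true);
+local respect_prompt = module:get_option_boolean("oauth2_respect_oidc_prompt", false);
 
 local verification_key;
 local sign_client, verify_client;
 if registration_key then
 -- Tie it to the host if global
@@ -753,11 +752,10 @@
 };
 end
 
 local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", {
 "authorization_code";
-"password"; -- TODO Disable. The resource owner password credentials grant [RFC6749] MUST NOT be used.
 "refresh_token";
 device_uri;
 })
 if allowed_grant_type_handlers:contains("device_code") then
 -- expand short form because that URI is long
@@ -783,11 +781,11 @@
 else
 module:log("debug", "Response type %q enabled", handler_type);
 end
 end
 
-local allowed_challenge_methods = module:get_option_set("allowed_oauth2_code_challenge_methods", { "plain"; "S256" })
+local allowed_challenge_methods = module:get_option_set("allowed_oauth2_code_challenge_methods", { "S256" })
 for handler_type in pairs(verifier_transforms) do
 if not allowed_challenge_methods:contains(handler_type) then
 module:log("debug", "Challenge method %q disabled", handler_type);
 verifier_transforms[handler_type] = nil;
 else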
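Review bot: The new `pkce_required` and `respect_prompt` lines in the first hunk drop the only comment that explained these toggles, and `pkce_required = true` now only makes sense together with the `allowed_oauth2_code_challenge_methods` default reduced to `{ "S256" }` in the third hunk; a comment tying the two together would help an operator who relaxes one without the other, e.g. `-- PKCE is required by default and only S256 is accepted (see allowed_oauth2_code_challenge_methods below); relax both only for legacy clients.` The "password" entry is removed from the default grant set in the second hunk along with its TODO, but the handler appears to remain selectable through `allowed_oauth2_grant_types`; keeping the removed rationale as a comment next to the option (`-- "password" is deliberately not a default: RFC 6749 password grant MUST NOT be used`) would preserve why it is off. The `allowed_grant_type_handlers` and `allowed_challenge_methods` statement runs continue outside the visible hunks.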