comparison mod_http_oauth2/mod_http_oauth2.lua @ 5242:4746609a6656

mod_http_oauth2: Validate that informative URLs match the redirect URIs It is a bit shady to have the various URIs (URLs really) point to different hostnames. This may be stricter than required, but it can always be relaxed later.
author Kim Alvefur <zash@zash.se>
date Sat, 11 Mar 2023 22:31:02 +0100
parents 65892dd1d4ae
children d5dc8edb2695
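--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -598,16 +598,31 @@
 
 if not schema.validate(registration_schema, client_metadata) then
 return oauth_error("invalid_request", "Failed schema validation.");
 end
 
+local redirect_hosts = set.new();
 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do
 local components = url.parse(redirect_uri);
 if not components or not components.scheme then
 return oauth_error("invalid_request", "Invalid redirect URI.");
 elseif components.scheme == "http" and components.host ~= "localhost" then
 return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)");
+elseif components.scheme == "https" then
+redirect_hosts:add(components.host);
+end
+end
+
+for field, prop_schema in pairs(registration_schema) do
+if prop_schema.format == "uri" and client_metadata[field] then
+local components = url.parse(client_metadata[field]);
+if components.scheme ~= "https" then
+return oauth_error("invalid_request", "Insecure URI forbidden");
+end
+if not redirect_hosts:contains(components.host) then
+return oauth_error("invalid_request", "Informative URI must match redirect URIs");
+end
 end
 end
 
 -- Ensure each signed client_id JWT is unique
 client_metadata.nonce = uuid.generate();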
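Review bot: In the new informative-URI loop, `url.parse(client_metadata[field])` is dereferenced without a nil check, so an unparseable value in client-supplied metadata raises a Lua error in the handler instead of returning the `oauth_error` the redirect_uri loop above produces for the same situation; the guard should be `if not components or components.scheme ~= "https" then`. It is also worth noting that `redirect_hosts` only collects hosts of https redirect URIs, so a client registering only `http://localhost` redirects will have every informative URI rejected — a comment such as `-- only https redirect hosts are collected; http://localhost-only clients cannot supply informative URIs` would make that intentional or flag it for relaxing later. The loop iterates `pairs(registration_schema)` directly; if that table is a JSON-schema object with a `properties` child, the `format == "uri"` entries would live under `registration_schema.properties` and this loop would match nothing, which cannot be confirmed from the hunk. The enclosing registration function starts and ends outside this hunk.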