comparison mod_http_oauth2/mod_http_oauth2.lua @ 5616:59d5fc50f602

mod_http_oauth2: Implement refresh token rotation Makes refresh tokens one-time-use, handing out a new refresh token with each access token. Thus if a refresh token is stolen and used by an attacker, the next time the legitimate client tries to use the previous refresh token, it will not work and the attack will be noticed. If the attacker does not use the refresh token, it becomes invalid after the legitimate client uses it. This behavior is recommended by draft-ietf-oauth-security-topics
author Kim Alvefur <zash@zash.se>
date Sun, 23 Jul 2023 02:56:08 +0200
parents 7565298aa197
children d8622797e315
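--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -268,21 +268,26 @@
 end
 if next(token_data) == nil then
 token_data = nil;
 end
 
-local refresh_token;
 local grant = refresh_token_info and refresh_token_info.grant;
 if not grant then
 -- No existing grant, create one
 grant = tokens.create_grant(token_jid, token_jid, default_refresh_ttl, token_data);
--- Create refresh token for the grant if desired
-refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant, nil, nil, "oauth2-refresh");
-else
--- Grant exists, reuse existing refresh token
-refresh_token = refresh_token_info.token;
-end
+end
+
+if refresh_token_info then
+-- out with the old refresh tokens
+local ok, err = tokens.revoke_token(refresh_token_info.token);
+if not ok then
+module:log("error", "Could not revoke refresh token: %s", err);
+return 500;
+end
+end
+-- in with the new refresh token
+local refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant.id, nil, nil, "oauth2-refresh");
 
 if role == "xmpp" then
 -- Special scope meaning the users default role.
 local user_default_role = usermanager.get_user_role(jid.node(token_jid), module.host);
 role = user_default_role and user_default_role.name;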
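Review bot: The old refresh token is revoked (new line 281) before its replacement is created (new line 288), so a failure in `tokens.create_token` or anywhere later in this handler leaves the legitimate client with no usable refresh token and forces a full re-authorisation; the result of `create_token` is also never checked. Move the `create_token` call above the revoke block and bail out (as the revoke error path already does) when it yields nothing, so the old token is only dropped once the new one exists. It also looks like `revoke_token` discards the old token outright, in which case a later replay of it by an attacker is indistinguishable from any other invalid token, and the grant-wide revocation on reuse that draft-ietf-oauth-security-topics recommends alongside rotation would need the rotated token to be remembered; whether the lookup code handles that is outside this hunk. The enclosing handler both starts and ends outside the hunk.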