comparison mod_http_oauth2/mod_http_oauth2.lua @ 5187:6a3c1febd7be

mod_http_oauth2: Add settings for allowed grant and response types So that you can opt-in to the insecure methods...
author Kim Alvefur <zash@zash.se>
date Thu, 02 Mar 2023 23:57:29 +0100
parents fa3059e653fa
children 7c531137a553
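--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -251,10 +251,25 @@
 response_type_handlers.token = nil;
 grant_type_handlers.authorization_code = nil;
 check_credentials = function () return false end
 end
 
+local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", {"authorization_code", "password"})
+for handler_type in pairs(grant_type_handlers) do
+if not allowed_grant_type_handlers:contains(handler_type) then
+grant_type_handlers[handler_type] = nil;
+end
+end
+
+-- "token" aka implicit flow is considered insecure
+local allowed_response_type_handlers = module:get_option_set("allowed_oauth2_response_types", {"code"})
+for handler_type in pairs(allowed_response_type_handlers) do
+if not allowed_grant_type_handlers:contains(handler_type) then
+grant_type_handlers[handler_type] = nil;
+end
+end
+
 function handle_token_grant(event)
 event.response.headers.content_type = "application/json";
 local params = http.formdecode(event.request.body);
 if not params then
 return oauth_error("invalid_request");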
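Review bot: The response-type filter on new lines 265–269 never touches `response_type_handlers`: it iterates the allowed set instead of the handler table, tests membership against `allowed_grant_type_handlers`, and clears entries in `grant_type_handlers`, so `allowed_oauth2_response_types` has no effect and the implicit `token` flow that the comment on line 263 calls insecure stays registered unless the block ending at line 254 already removed it. The loop should read `for handler_type in pairs(response_type_handlers) do`, `if not allowed_response_type_handlers:contains(handler_type) then`, `response_type_handlers[handler_type] = nil;`. It is also worth a second look that the default for `allowed_oauth2_grant_types` includes `password`, which the OAuth 2.0 Security BCP advises against; presumably that is kept for compatibility, but the commit message frames these settings as an opt-in for the insecure methods. `handle_token_grant` continues past the end of the hunk.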