comparison mod_http_oauth2/mod_http_oauth2.lua @ 5210:898575a0c6f3

mod_http_oauth2: Switch to '303 See Other' redirects This is the recommendation by draft-ietf-oauth-v2-1-07 section 7.5.2. It is the only redirect code that guarantees the user agent will use a GET request, rather than re-submitting a POST request to the new URL. The latter would be bad for us, as we are encoding auth tokens in the form data.
author Matthew Wild <mwild1@gmail.com>
date Mon, 06 Mar 2023 10:37:43 +0000
parents 942f8a2f722d
children dc0f502c12f1
5209:942f8a2f722d 5210:898575a0c6f3
209 table.insert(query, { name = "state", value = params.state }); 209 table.insert(query, { name = "state", value = params.state });
210 end 210 end
211 redirect.query = http.formencode(query); 211 redirect.query = http.formencode(query);
212 212
213 return { 213 return {
214 status_code = 302; 214 status_code = 303;
215 headers = { 215 headers = {
216 location = url.build(redirect); 216 location = url.build(redirect);
217 }; 217 };
218 } 218 }
219 end 219 end
227 local redirect = url.parse(get_redirect_uri(client, params.redirect_uri)); 227 local redirect = url.parse(get_redirect_uri(client, params.redirect_uri));
228 token_info.state = params.state; 228 token_info.state = params.state;
229 redirect.fragment = http.formencode(token_info); 229 redirect.fragment = http.formencode(token_info);
230 230
231 return { 231 return {
232 status_code = 302; 232 status_code = 303;
233 headers = { 233 headers = {
234 location = url.build(redirect); 234 location = url.build(redirect);
235 }; 235 };
236 } 236 }
237 end 237 end
394 redirect_uri = redirect_uri 394 redirect_uri = redirect_uri
395 .. sep .. http.formencode(err.extra.oauth2_response) 395 .. sep .. http.formencode(err.extra.oauth2_response)
396 .. "&" .. http.formencode({ state = q.state, iss = get_issuer() }); 396 .. "&" .. http.formencode({ state = q.state, iss = get_issuer() });
397 module:log("warn", "Sending error response to client via redirect to %s", redirect_uri); 397 module:log("warn", "Sending error response to client via redirect to %s", redirect_uri);
398 return { 398 return {
399 status_code = 302; 399 status_code = 303;
400 headers = { 400 headers = {
401 location = redirect_uri; 401 location = redirect_uri;
402 }; 402 };
403 }; 403 };
404 end 404 end
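Review bot: The rationale for 303 over 302 exists only in the commit message; none of the three `status_code = 303;` lines (214, 232, 399) carries it, so a later reader may "normalise" it back to 302 or to 307, which re-submits the POST. Put a short comment above the first occurrence and point the other two at it, e.g. `-- 303 See Other: the user agent must follow with a GET, so the form (which carries auth tokens) is never re-submitted to the redirect target`. These responses also put the authorization parameters (query, line 211) or the whole token_info (fragment, line 229) into the Location header while the headers table sets only `location`; RFC 6749 §5.1 requires `Cache-Control: no-store` on any response containing tokens or credentials, so adding `["cache-control"] = "no-store";` next to `location` in each of the three headers tables looks warranted, assuming Prosody passes that key through unchanged. The enclosing functions of all three hunks begin before the visible lines.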