comparison mod_http_oauth2/mod_http_oauth2.lua @ 5681:8cb3da7df521

mod_http_oauth2: Restrict introspection to a client's own tokens. The introspection code was added before the client hash was introduced in 0860497152af, which allows connecting tokens to clients.
author Kim Alvefur <zash@zash.se>
date Sun, 29 Oct 2023 11:20:15 +0100
parents b43c989fb69c
children 527c747711f3
5680:b43c989fb69c 5681:8cb3da7df521
1059 -- OAuth "client" credentials 1059 -- OAuth "client" credentials
1060 if not verify_client_secret(credentials.username, credentials.password) then 1060 if not verify_client_secret(credentials.username, credentials.password) then
1061 return 401; 1061 return 401;
1062 end 1062 end
1063 1063
1064 local client = check_client(credentials.username);
1065 if not client then
1066 return 401;
1067 end
1068
1064 local form_data = http.formdecode(request.body or "="); 1069 local form_data = http.formdecode(request.body or "=");
1065 local token = form_data.token; 1070 local token = form_data.token;
1066 if not token then 1071 if not token then
1067 return 400; 1072 return 400;
1068 end 1073 end
1069 1074
1070 local token_info = tokens.get_token_info(form_data.token); 1075 local token_info = tokens.get_token_info(form_data.token);
1071 if not token_info then 1076 if not token_info then
1072 return { headers = { content_type = "application/json" }; body = json.encode { active = false } }; 1077 return { headers = { content_type = "application/json" }; body = json.encode { active = false } };
1078 end
1079 local token_client = token_info.grant.data.oauth2_client;
1080 if not token_client or token_client.hash ~= client.client_hash then
1081 return 403;
1073 end 1082 end
1074 1083
1075 return { 1084 return {
1076 headers = { content_type = "application/json" }; 1085 headers = { content_type = "application/json" };
1077 body = json.encode { 1086 body = json.encode {
1081 scope = token_info.grant.data.oauth2_scopes; 1090 scope = token_info.grant.data.oauth2_scopes;
1082 token_type = purpose_map[token_info.purpose]; 1091 token_type = purpose_map[token_info.purpose];
1083 exp = token.expires; 1092 exp = token.expires;
1084 iat = token.created; 1093 iat = token.created;
1085 sub = url.build({ scheme = "xmpp"; path = token_info.jid }); 1094 sub = url.build({ scheme = "xmpp"; path = token_info.jid });
1086 aud = nil; 1095 aud = credentials.username;
1087 iss = get_issuer(); 1096 iss = get_issuer();
1088 jti = token_info.id; 1097 jti = token_info.id;
1089 }; 1098 };
1090 }; 1099 };
1091 end 1100 end
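Review bot: The new ownership check (new lines 1080-1081) returns 403 when a token exists but was issued to a different client, while a token that does not exist returns `{ active = false }` two lines earlier, so any registered client can now probe whether an arbitrary token string is live for some other client. RFC 7662 §2.2 requires the introspection response to be `active: false` in the "not allowed to introspect this particular token" case as well, so the branch should be `return { headers = { content_type = "application/json" }; body = json.encode { active = false } };` (or share one local inactive-response value with the not-found branch) rather than `return 403;`. Separately, `exp = token.expires` and `iat = token.created` index the raw form string `token` rather than `token_info`, so in Lua both fields appear to always be nil; presumably `token_info.expires` and `token_info.created` were intended, though the shape of `get_token_info`'s result is not visible here. The enclosing handler begins before this hunk.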