comparison mod_http_oauth2/mod_http_oauth2.lua @ 5770:990c6adc4407

mod_http_oauth2: Move some code earlier
author Kim Alvefur <zash@zash.se>
date Mon, 04 Dec 2023 21:07:54 +0100
parents a967bb4972c5
children 72799c330986
1418 return nil, oauth_error("invalid_client_metadata", "No allowed 'grant_types' specified"); 1418 return nil, oauth_error("invalid_client_metadata", "No allowed 'grant_types' specified");
1419 elseif set.intersection(response_types, allowed_response_type_handlers):empty() then 1419 elseif set.intersection(response_types, allowed_response_type_handlers):empty() then
1420 return nil, oauth_error("invalid_client_metadata", "No allowed 'response_types' specified"); 1420 return nil, oauth_error("invalid_client_metadata", "No allowed 'response_types' specified");
1421 end 1421 end
1422 1422
1423 -- Do we want to keep everything?
1424 local client_id = sign_client(client_metadata);
1425
1426 client_metadata.client_id = client_id;
1427 client_metadata.client_id_issued_at = os.time();
1428
1429 if client_metadata.token_endpoint_auth_method ~= "none" then 1423 if client_metadata.token_endpoint_auth_method ~= "none" then
1430 -- Ensure that each client_id JWT with a client_secret is unique. 1424 -- Ensure that each client_id JWT with a client_secret is unique.
1431 -- A short ID along with the issued at timestamp should be sufficient to 1425 -- A short ID along with the issued at timestamp should be sufficient to
1432 -- rule out brute force attacks. 1426 -- rule out brute force attacks.
1433 -- Not needed for public clients without a secret, but those are expected 1427 -- Not needed for public clients without a secret, but those are expected
1434 -- to be uncommon since they can only do the insecure implicit flow. 1428 -- to be uncommon since they can only do the insecure implicit flow.
1435 client_metadata.nonce = id.short(); 1429 client_metadata.nonce = id.short();
1436 1430 end
1437 local client_secret = make_client_secret(client_id, client_metadata); 1431
1432 -- Do we want to keep everything?
1433 local client_id = sign_client(client_metadata);
1434
1435 client_metadata.client_id = client_id;
1436 client_metadata.client_id_issued_at = os.time();
1437
1438 if client_metadata.token_endpoint_auth_method ~= "none" then
1439 local client_secret = make_client_secret(client_id);
1438 client_metadata.client_secret = client_secret; 1440 client_metadata.client_secret = client_secret;
1439 client_metadata.client_secret_expires_at = 0; 1441 client_metadata.client_secret_expires_at = 0;
1440 1442
1441 if not registration_options.accept_expired then 1443 if not registration_options.accept_expired then
1442 client_metadata.client_secret_expires_at = client_metadata.client_id_issued_at + (registration_options.default_ttl or 3600); 1444 client_metadata.client_secret_expires_at = client_metadata.client_id_issued_at + (registration_options.default_ttl or 3600);