Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5770:990c6adc4407
mod_http_oauth2: Move some code earlier
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Mon, 04 Dec 2023 21:07:54 +0100 |
| parents | a967bb4972c5 |
| children | 72799c330986 |
comparison
equal
deleted
inserted
replaced
| 5769:bb4335c8f500 | 5770:990c6adc4407 |
|---|---|
| 1418 return nil, oauth_error("invalid_client_metadata", "No allowed 'grant_types' specified"); | 1418 return nil, oauth_error("invalid_client_metadata", "No allowed 'grant_types' specified"); |
| 1419 elseif set.intersection(response_types, allowed_response_type_handlers):empty() then | 1419 elseif set.intersection(response_types, allowed_response_type_handlers):empty() then |
| 1420 return nil, oauth_error("invalid_client_metadata", "No allowed 'response_types' specified"); | 1420 return nil, oauth_error("invalid_client_metadata", "No allowed 'response_types' specified"); |
| 1421 end | 1421 end |
| 1422 | 1422 |
| 1423 -- Do we want to keep everything? | |
| 1424 local client_id = sign_client(client_metadata); | |
| 1425 | |
| 1426 client_metadata.client_id = client_id; | |
| 1427 client_metadata.client_id_issued_at = os.time(); | |
| 1428 | |
| 1429 if client_metadata.token_endpoint_auth_method ~= "none" then | 1423 if client_metadata.token_endpoint_auth_method ~= "none" then |
| 1430 -- Ensure that each client_id JWT with a client_secret is unique. | 1424 -- Ensure that each client_id JWT with a client_secret is unique. |
| 1431 -- A short ID along with the issued at timestamp should be sufficient to | 1425 -- A short ID along with the issued at timestamp should be sufficient to |
| 1432 -- rule out brute force attacks. | 1426 -- rule out brute force attacks. |
| 1433 -- Not needed for public clients without a secret, but those are expected | 1427 -- Not needed for public clients without a secret, but those are expected |
| 1434 -- to be uncommon since they can only do the insecure implicit flow. | 1428 -- to be uncommon since they can only do the insecure implicit flow. |
| 1435 client_metadata.nonce = id.short(); | 1429 client_metadata.nonce = id.short(); |
| 1436 | 1430 end |
| 1437 local client_secret = make_client_secret(client_id, client_metadata); | 1431 |
| 1432 -- Do we want to keep everything? | |
| 1433 local client_id = sign_client(client_metadata); | |
| 1434 | |
| 1435 client_metadata.client_id = client_id; | |
| 1436 client_metadata.client_id_issued_at = os.time(); | |
| 1437 | |
| 1438 if client_metadata.token_endpoint_auth_method ~= "none" then | |
| 1439 local client_secret = make_client_secret(client_id); | |
| 1438 client_metadata.client_secret = client_secret; | 1440 client_metadata.client_secret = client_secret; |
| 1439 client_metadata.client_secret_expires_at = 0; | 1441 client_metadata.client_secret_expires_at = 0; |
| 1440 | 1442 |
| 1441 if not registration_options.accept_expired then | 1443 if not registration_options.accept_expired then |
| 1442 client_metadata.client_secret_expires_at = client_metadata.client_id_issued_at + (registration_options.default_ttl or 3600); | 1444 client_metadata.client_secret_expires_at = client_metadata.client_id_issued_at + (registration_options.default_ttl or 3600); |