comparison mod_http_oauth2/mod_http_oauth2.lua @ 5626:a44af1b646f5

mod_http_oauth2: Optionally enforce authentication on revocation endpoint But why does OAuth require this? If a token leaks, why couldn't anyone revoke it?
author Kim Alvefur <zash@zash.se>
date Mon, 31 Jul 2023 02:07:58 +0200
parents 81042c2a235a
children 9aace51c3637
5625:e86a1018cdb3 5626:a44af1b646f5
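--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -1039,10 +1039,12 @@
 });
 };
 }
 end
 
+local strict_auth_revoke = module:get_option_boolean("oauth2_require_auth_revoke", false);
+
 local function handle_revocation_request(event)
 local request, response = event.request, event.response;
 response.headers.cache_control = "no-store";
 response.headers.pragma = "no-cache";
 if request.headers.authorization then
@@ -1053,10 +1055,15 @@
 end
 -- OAuth "client" credentials
 if not verify_client_secret(credentials.username, credentials.password) then
 return 401;
 end
+-- TODO check that it's their token I guess?
+elseif strict_auth_revoke then
+-- Why require auth to revoke a leaked token?
+response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
+return 401;
 end
 
 local form_data = strict_formdecode(event.request.body);
 if not form_data or not form_data.token then
 response.headers.accept = "application/x-www-form-urlencoded";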
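Review bot: The `return 401;` that follows a failed `verify_client_secret` still sends no `WWW-Authenticate` header, while the new `elseif strict_auth_revoke` branch does, so the challenge is only issued when the Authorization header is missing and not when the supplied client credentials are wrong; setting `response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);` once before both `return 401;` lines would make the two paths consistent (RFC 7235 expects every 401 to carry the challenge). The `-- TODO check that it's their token I guess?` left in the new branch is also the check that answers the question in the commit message: requiring client authentication only pays off once the submitted token is verified to have been issued to the authenticating client, since otherwise any registered client can revoke tokens belonging to other clients, which is the denial-of-service and validity-probing concern RFC 7009 raises in its security considerations. Reading the option once at module load (line 1044) means a config reload that flips `oauth2_require_auth_revoke` is only picked up if the module itself is reloaded, which may be worth a short comment. handle_revocation_request starts inside the hunk but its body continues past the end of it.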