comparison mod_http_oauth2/mod_http_oauth2.lua @ 5406:b86d80e21c60
mod_http_oauth2: Validate consistency of response and grant types
Ensure that these correlated fields make sense per RFC 7591 § 2.1, even
though we currently only check the response type during authorization.
This could probably all be deleted if (when!) we remove the implicit
grant, since then these things don't make any sense anymore.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 02 May 2023 16:34:31 +0200 |
parents | c7a5caad28ef |
children | 149634647b48 |
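--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -787,10 +787,25 @@
 -- Localized URIs should be secure too
 if not redirect_uri_allowed(v, client_uri, "web") then
 return nil, oauth_error("invalid_client_metadata", "Invalid, insecure or inappropriate informative URI");
 end
 end
+end
+
+local grant_types = set.new(client_metadata.grant_types);
+local response_types = set.new(client_metadata.response_types);
+
+if grant_types:contains("authorization_code") and not response_types:contains("code") then
+return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'");
+elseif grant_types:contains("implicit") and not response_types:contains("token") then
+return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'");
+end
+
+if set.intersection(grant_types, allowed_grant_type_handlers):empty() then
+return nil, oauth_error("invalid_client_metadata", "No allowed 'grant_types' specified");
+elseif set.intersection(response_types, allowed_response_type_handlers):empty() then
+return nil, oauth_error("invalid_client_metadata", "No allowed 'response_types' specified");
 end
 
 -- Ensure each signed client_id JWT is unique, short ID and issued at
 -- timestamp should be sufficient to rule out brute force attacks
 client_metadata.nonce = id.short();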
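Review bot: The consistency check at new lines 797-801 is one-directional: it rejects a grant type whose matching response type is missing, but not a `response_types` entry whose grant type is absent, so a registration with `code` in `response_types` and no `authorization_code` in `grant_types` passes, and since the description says only the response type is checked during authorization, such a client could presumably still use the code flow. Adding the mirror branches `elseif response_types:contains("code") and not grant_types:contains("authorization_code") then` and `elseif response_types:contains("token") and not grant_types:contains("implicit") then`, each returning the same `invalid_client_metadata` error, would close that gap. It is also worth confirming that the RFC 7591 defaults (`grant_types` → `authorization_code`, `response_types` → `code`) are applied before this point, which is outside the hunk; if they are not, an omitted field becomes an empty set here and is rejected by the `No allowed 'grant_types' specified` branch instead of being defaulted. The enclosing function starts and ends outside the hunk.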