comparison mod_http_oauth2/mod_http_oauth2.lua @ 5405:c7a5caad28ef

mod_http_oauth2: Enforce response type encoded in client_id The client promises to only use this response type, so we should hold them to that. This makes it fail earlier if the response type is disabled or the client is trying to use one that it promised not to use. Better than failing after login and consent.
author Kim Alvefur <zash@zash.se>
date Tue, 02 May 2023 16:31:25 +0200
parents 1087f697c3f3
children b86d80e21c60
comparison
equal deleted inserted replaced
5404:1087f697c3f3 5405:c7a5caad28ef
616 616
617 local ok, client = jwt_verify(params.client_id); 617 local ok, client = jwt_verify(params.client_id);
618 618
619 if not ok then 619 if not ok then
620 return oauth_error("invalid_client", "incorrect credentials"); 620 return oauth_error("invalid_client", "incorrect credentials");
621 end
622
623 local client_response_types = set.new(array(client.response_types or { "code" }));
624 client_response_types = set.intersection(client_response_types, allowed_response_type_handlers);
625 if not client_response_types:contains(params.response_type) then
626 return oauth_error("invalid_client", "response_type not allowed");
621 end 627 end
622 628
623 local auth_state = get_auth_state(request); 629 local auth_state = get_auth_state(request);
624 if not auth_state.user then 630 if not auth_state.user then
625 -- Render login page 631 -- Render login page