comparison mod_http_oauth2/mod_http_oauth2.lua @ 5518:d87d0e4a8516

mod_http_oauth2: Validate the OpenID 'prompt' parameter Without support for affecting the login and consent procedure, it seems sensible to inform the client that they can't change anything with this parameter.
author Kim Alvefur <zash@zash.se>
date Mon, 05 Jun 2023 22:19:17 +0200
parents 61b8d3eb91a4
children 83ebfc367169
5517:a08abbd1045d 5518:d87d0e4a8516
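--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -772,10 +772,29 @@
 if client.scope then
 local client_scopes = set.new(parse_scopes(client.scope));
 requested_scopes:filter(function(scope)
 return client_scopes:contains(scope);
 end);
+end
+
+-- The 'prompt' parameter from OpenID Core
+local prompt = set.new(parse_scopes(params.prompt or "select_account login consent"));
+if prompt:contains("none") then
+-- Client wants no interaction, only confirmation of prior login and
+-- consent, but this is not implemented.
+return error_response(request, redirect_uri, oauth_error("interaction_required"));
+elseif not prompt:contains("select_account") then
+-- TODO If the login page is split into account selection followed by login
+-- (e.g. password), and then the account selection could be skipped iff the
+-- 'login_hint' parameter is present.
+return error_response(request, redirect_uri, oauth_error("account_selection_required"));
+elseif not prompt:contains("login") then
+-- Currently no cookies or such are used, so login is required every time.
+return error_response(request, redirect_uri, oauth_error("login_required"));
+elseif not prompt:contains("consent") then
+-- Are there any circumstances when consent would be implied or assumed?
+return error_response(request, redirect_uri, oauth_error("consent_required"));
 end
 
 local auth_state = get_auth_state(request);
 if not auth_state.user then
 -- Render login page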
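Review bot: Treating the absence of `select_account`, `login` or `consent` in `prompt` as a demand to skip that step reads the parameter more strictly than OpenID Connect Core defines it: those values ask the server to prompt for that step, and only `none` forbids interaction, so a client sending the common `prompt=login` (to force re-authentication) is answered here with `account_selection_required` instead of the login page it asked for. If the strict reading is deliberate, it should be stated next to the default, e.g. above `local prompt` add `-- Stricter than OIDC Core 3.1.2.1: any omitted value is treated as "must not prompt", because skipping steps is unsupported.`; otherwise keep only the `none` branch and drop the three `elseif` branches so that explicit prompt values fall through to the normal flow. The three rejections also redirect an arbitrary client-supplied value straight back via `error_response(request, redirect_uri, ...)`, which is only safe if `redirect_uri` was validated earlier in this function; that validation, like the function's start and end, is outside the hunk.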