comparison mod_http_oauth2/mod_http_oauth2.lua @ 5518:d87d0e4a8516
mod_http_oauth2: Validate the OpenID 'prompt' parameter
Without support for affecting the login and consent procedure, it seems
sensible to inform the client that they can't change anything with this
parameter.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Mon, 05 Jun 2023 22:19:17 +0200 |
parents | 61b8d3eb91a4 |
children | 83ebfc367169 |
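--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -772,10 +772,29 @@
 if client.scope then
 local client_scopes = set.new(parse_scopes(client.scope));
 requested_scopes:filter(function(scope)
 return client_scopes:contains(scope);
 end);
+end
+
+-- The 'prompt' parameter from OpenID Core
+local prompt = set.new(parse_scopes(params.prompt or "select_account login consent"));
+if prompt:contains("none") then
+-- Client wants no interaction, only confirmation of prior login and
+-- consent, but this is not implemented.
+return error_response(request, redirect_uri, oauth_error("interaction_required"));
+elseif not prompt:contains("select_account") then
+-- TODO If the login page is split into account selection followed by login
+-- (e.g. password), and then the account selection could be skipped iff the
+-- 'login_hint' parameter is present.
+return error_response(request, redirect_uri, oauth_error("account_selection_required"));
+elseif not prompt:contains("login") then
+-- Currently no cookies or such are used, so login is required every time.
+return error_response(request, redirect_uri, oauth_error("login_required"));
+elseif not prompt:contains("consent") then
+-- Are there any circumstances when consent would be implied or assumed?
+return error_response(request, redirect_uri, oauth_error("consent_required"));
 end
 
 local auth_state = get_auth_state(request);
 if not auth_state.user then
 -- Render login page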
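Review bot: An explicitly empty `prompt=` is not treated like an absent parameter at new line 780, because in Lua only nil and false are falsy, so `params.prompt or "select_account login consent"` keeps the empty string, the resulting set is empty and the request is answered with `account_selection_required` instead of proceeding with the defaults; if that is not intended, guard the empty case first, e.g. `local prompt_param = params.prompt; if prompt_param == nil or prompt_param == "" then prompt_param = "select_account login consent" end`. The `elseif` chain also reports only the first unsatisfiable value and silently ignores values it does not check, which is spec-conformant but worth stating in the comment at line 779, e.g. `-- The 'prompt' parameter from OpenID Connect Core 1.0 §3.1.2.1; only the first value we cannot honour is reported and unrecognized values are ignored.` Whether `parse_scopes` copes with an empty string cannot be seen from this hunk. The enclosing handler starts before this hunk and continues after it.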