comparison mod_http_oauth2/mod_http_oauth2.lua @ 5366:db4c66a1d24b

mod_http_oauth2: Fill in some client metadata defaults Explicit > Implicit Maybe we should actually use these for something as well? :) It is somewhat an open question how strictly we should enforce things in the client metadata given that it is somewhat extensible. Especially some of these enum fields which have corresponding IANA registries.
author Kim Alvefur <zash@zash.se>
date Tue, 25 Apr 2023 18:09:08 +0200
parents 698fef74ce53
children 93d445b26063
638 -- We need at least one redirect URI for things to work 638 -- We need at least one redirect URI for things to work
639 "redirect_uris"; 639 "redirect_uris";
640 }; 640 };
641 properties = { 641 properties = {
642 redirect_uris = { type = "array"; minLength = 1; items = { type = "string"; format = "uri" } }; 642 redirect_uris = { type = "array"; minLength = 1; items = { type = "string"; format = "uri" } };
643 token_endpoint_auth_method = { type = "string"; enum = { "none"; "client_secret_post"; "client_secret_basic" } }; 643 token_endpoint_auth_method = { type = "string"; enum = { "none"; "client_secret_post"; "client_secret_basic"; default = "client_secret_basic" } };
644 grant_types = { 644 grant_types = {
645 type = "array"; 645 type = "array";
646 items = { 646 items = {
647 type = "string"; 647 type = "string";
648 enum = { 648 enum = {
653 "refresh_token"; 653 "refresh_token";
654 "urn:ietf:params:oauth:grant-type:jwt-bearer"; 654 "urn:ietf:params:oauth:grant-type:jwt-bearer";
655 "urn:ietf:params:oauth:grant-type:saml2-bearer"; 655 "urn:ietf:params:oauth:grant-type:saml2-bearer";
656 }; 656 };
657 }; 657 };
658 }; 658 default = { "authorization_code" };
659 response_types = { type = "array"; items = { type = "string"; enum = { "code"; "token" } } }; 659 };
660 response_types = { type = "array"; items = { type = "string"; enum = { "code"; "token" } }; default = { "code" } };
660 client_name = { type = "string" }; 661 client_name = { type = "string" };
661 client_uri = { type = "string"; format = "uri"; luaPattern = "^https:" }; 662 client_uri = { type = "string"; format = "uri"; luaPattern = "^https:" };
662 logo_uri = { type = "string"; format = "uri"; luaPattern = "^https:" }; 663 logo_uri = { type = "string"; format = "uri"; luaPattern = "^https:" };
663 scope = { type = "string" }; 664 scope = { type = "string" };
664 contacts = { type = "array"; items = { type = "string" } }; 665 contacts = { type = "array"; items = { type = "string" } };
677 } 678 }
678 679
679 function create_client(client_metadata) 680 function create_client(client_metadata)
680 if not schema.validate(registration_schema, client_metadata) then 681 if not schema.validate(registration_schema, client_metadata) then
681 return nil, oauth_error("invalid_request", "Failed schema validation."); 682 return nil, oauth_error("invalid_request", "Failed schema validation.");
683 end
684
685 -- Fill in default values
686 for propname, propspec in pairs(registration_schema.properties) do
687 if client_metadata[propname] == nil and type(propspec) == "table" and propspec.default ~= nil then
688 client_metadata[propname] = propspec.default;
689 end
682 end 690 end
683 691
684 local client_uri = url.parse(client_metadata.client_uri); 692 local client_uri = url.parse(client_metadata.client_uri);
685 if not client_uri or client_uri.scheme ~= "https" then 693 if not client_uri or client_uri.scheme ~= "https" then
686 return nil, oauth_error("invalid_request", "Missing, invalid or insecure client_uri"); 694 return nil, oauth_error("invalid_request", "Missing, invalid or insecure client_uri");
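Review bot: The `default` for `token_endpoint_auth_method` on new line 643 is placed inside the `enum` table rather than on the property itself, so the fill-in loop added at lines 686-689, which only reads `propspec.default`, will never apply it and registrations that omit the field still end up with `token_endpoint_auth_method == nil`; the line should read `token_endpoint_auth_method = { type = "string"; enum = { "none"; "client_secret_post"; "client_secret_basic" }; default = "client_secret_basic" };`. This matters because the other two defaults (`grant_types` on new line 658 and `response_types` on new line 660) are at the property level and do get applied, so the three fields behave inconsistently; whether a stray `default` key inside `enum` also confuses `schema.validate` cannot be told from this hunk and is worth checking. Note also that defaults are inserted after validation, so a default value is never itself checked against the schema, and that `client_metadata` is mutated in place rather than copied; a short comment such as `-- Defaults are applied after validation and mutate the caller's table` would make that explicit. The body of `create_client` continues outside the hunk.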