comparison mod_http_oauth2/mod_http_oauth2.lua @ 5633:dd2079b3dec6

mod_http_oauth2: Allow omitting application type for native apps This derives "application_type":"native" from the first redirect URI when registering a client, so that it can be omitted without the default value of "web" causing the very same redirect URIs to be rejected.
author Kim Alvefur <zash@zash.se>
date Wed, 16 Aug 2023 23:56:40 +0200
parents ef0a283507c9
children 7c105277a9ca
5632:1571c280aaef 5633:dd2079b3dec6
1234 function create_client(client_metadata) 1234 function create_client(client_metadata)
1235 if not schema.validate(registration_schema, client_metadata) then 1235 if not schema.validate(registration_schema, client_metadata) then
1236 return nil, oauth_error("invalid_request", "Failed schema validation."); 1236 return nil, oauth_error("invalid_request", "Failed schema validation.");
1237 end 1237 end
1238 1238
1239 local client_uri = url.parse(client_metadata.client_uri);
1240 if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
1241 return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri");
1242 end
1243
1244 if not client_metadata.application_type and redirect_uri_allowed(client_metadata.redirect_uris[1], client_uri, "native") then
1245 client_metadata.application_type = "native";
1246 -- else defaults to "web"
1247 end
1248
1239 -- Fill in default values 1249 -- Fill in default values
1240 for propname, propspec in pairs(registration_schema.properties) do 1250 for propname, propspec in pairs(registration_schema.properties) do
1241 if client_metadata[propname] == nil and type(propspec) == "table" and propspec.default ~= nil then 1251 if client_metadata[propname] == nil and type(propspec) == "table" and propspec.default ~= nil then
1242 client_metadata[propname] = propspec.default; 1252 client_metadata[propname] = propspec.default;
1243 end 1253 end
1246 -- MUST ignore any metadata that it does not understand 1256 -- MUST ignore any metadata that it does not understand
1247 for propname in pairs(client_metadata) do 1257 for propname in pairs(client_metadata) do
1248 if not registration_schema.properties[propname] then 1258 if not registration_schema.properties[propname] then
1249 client_metadata[propname] = nil; 1259 client_metadata[propname] = nil;
1250 end 1260 end
1251 end
1252
1253 local client_uri = url.parse(client_metadata.client_uri);
1254 if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
1255 return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri");
1256 end 1261 end
1257 1262
1258 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do 1263 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do
1259 if not redirect_uri_allowed(redirect_uri, client_uri, client_metadata.application_type) then 1264 if not redirect_uri_allowed(redirect_uri, client_uri, client_metadata.application_type) then
1260 return nil, oauth_error("invalid_redirect_uri", "Invalid, insecure or inappropriate redirect URI."); 1265 return nil, oauth_error("invalid_redirect_uri", "Invalid, insecure or inappropriate redirect URI.");