Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5402:fbf3ede7541b
mod_http_oauth2: More appropriate error conditions in client validation
Specified in RFC7591 for these kinds of issues.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 02 May 2023 16:22:17 +0200 |
parents | c8d04ac200fc |
children | c574aaaa4d57 |
comparison
equal
deleted
inserted
replaced
5401:c8d04ac200fc | 5402:fbf3ede7541b |
---|---|
753 end | 753 end |
754 end | 754 end |
755 | 755 |
756 local client_uri = url.parse(client_metadata.client_uri); | 756 local client_uri = url.parse(client_metadata.client_uri); |
757 if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then | 757 if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then |
758 return nil, oauth_error("invalid_request", "Missing, invalid or insecure client_uri"); | 758 return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri"); |
759 end | 759 end |
760 | 760 |
761 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do | 761 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do |
762 if not redirect_uri_allowed(redirect_uri, client_uri, client_metadata.application_type) then | 762 if not redirect_uri_allowed(redirect_uri, client_uri, client_metadata.application_type) then |
763 return nil, oauth_error("invalid_request", "Invalid, insecure or inappropriate redirect URI."); | 763 return nil, oauth_error("invalid_redirect_uri", "Invalid, insecure or inappropriate redirect URI."); |
764 end | 764 end |
765 end | 765 end |
766 | 766 |
767 for field, prop_schema in pairs(registration_schema.properties) do | 767 for field, prop_schema in pairs(registration_schema.properties) do |
768 if field ~= "client_uri" and prop_schema.format == "uri" and client_metadata[field] then | 768 if field ~= "client_uri" and prop_schema.format == "uri" and client_metadata[field] then |
769 local components = url.parse(client_metadata[field]); | 769 local components = url.parse(client_metadata[field]); |
770 if components.scheme ~= "https" then | 770 if components.scheme ~= "https" then |
771 return nil, oauth_error("invalid_request", "Insecure URI forbidden"); | 771 return nil, oauth_error("invalid_client_metadata", "Insecure URI forbidden"); |
772 end | 772 end |
773 if components.authority ~= client_uri.authority then | 773 if components.authority ~= client_uri.authority then |
774 return nil, oauth_error("invalid_request", "Informative URIs must have the same hostname"); | 774 return nil, oauth_error("invalid_client_metadata", "Informative URIs must have the same hostname"); |
775 end | 775 end |
776 end | 776 end |
777 end | 777 end |
778 | 778 |
779 -- Localized URIs should be secure too | 779 -- Localized URIs should be secure too |
780 for k, v in pairs(client_metadata) do | 780 for k, v in pairs(client_metadata) do |
781 if k:find"_uri#" then | 781 if k:find"_uri#" then |
782 local uri = url.parse(v); | 782 local uri = url.parse(v); |
783 if not uri or uri.scheme ~= "https" then | 783 if not uri or uri.scheme ~= "https" then |
784 return nil, oauth_error("invalid_request", "Missing, invalid or insecure "..k); | 784 return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure "..k); |
785 elseif uri.host ~= client_uri.host then | 785 elseif uri.host ~= client_uri.host then |
786 return nil, oauth_error("invalid_request", "All URIs must use the same hostname as client_uri"); | 786 return nil, oauth_error("invalid_client_metadata", "All URIs must use the same hostname as client_uri"); |
787 end | 787 end |
788 end | 788 end |
789 end | 789 end |
790 | 790 |
791 -- Ensure each signed client_id JWT is unique, short ID and issued at | 791 -- Ensure each signed client_id JWT is unique, short ID and issued at |