Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5246:fd0d25b42cd9
mod_http_oauth2: Validate all URIs against client_uri in client registration
Validating against all redirect URIs didn't work for OOB-only clients,
which happens to be what I was testing with.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 12 Mar 2023 12:06:44 +0100 |
| parents | e22cae58141d |
| children | dc27b997e969 |
comparison
equal
deleted
inserted
replaced
| 5245:e22cae58141d | 5246:fd0d25b42cd9 |
|---|---|
| 598 | 598 |
| 599 if not schema.validate(registration_schema, client_metadata) then | 599 if not schema.validate(registration_schema, client_metadata) then |
| 600 return oauth_error("invalid_request", "Failed schema validation."); | 600 return oauth_error("invalid_request", "Failed schema validation."); |
| 601 end | 601 end |
| 602 | 602 |
| 603 local redirect_hosts = set.new(); | 603 local client_uri = url.parse(client_metadata.client_uri); |
| 604 if not client_uri or client_uri.scheme ~= "https" then | |
| 605 return oauth_error("invalid_request", "Missing, invalid or insecure client_uri"); | |
| 606 end | |
| 607 | |
| 604 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do | 608 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do |
| 605 local components = url.parse(redirect_uri); | 609 local components = url.parse(redirect_uri); |
| 606 if not components or not components.scheme then | 610 if not components or not components.scheme then |
| 607 return oauth_error("invalid_request", "Invalid redirect URI."); | 611 return oauth_error("invalid_request", "Invalid redirect URI."); |
| 608 elseif components.scheme == "http" and components.host ~= "localhost" then | 612 elseif components.scheme == "http" and components.host ~= "localhost" then |
| 609 return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)"); | 613 return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)"); |
| 610 elseif components.scheme == "https" then | 614 elseif components.scheme == "https" and components.host ~= client_uri.host then |
| 611 redirect_hosts:add(components.host); | 615 return oauth_error("invalid_request", "Redirects must use the same hostname as client_uri"); |
| 612 end | 616 end |
| 613 end | 617 end |
| 614 | 618 |
| 615 for field, prop_schema in pairs(registration_schema.properties) do | 619 for field, prop_schema in pairs(registration_schema.properties) do |
| 616 if prop_schema.format == "uri" and client_metadata[field] then | 620 if field ~= "client_uri" and prop_schema.format == "uri" and client_metadata[field] then |
| 617 local components = url.parse(client_metadata[field]); | 621 local components = url.parse(client_metadata[field]); |
| 618 if components.scheme ~= "https" then | 622 if components.scheme ~= "https" then |
| 619 return oauth_error("invalid_request", "Insecure URI forbidden"); | 623 return oauth_error("invalid_request", "Insecure URI forbidden"); |
| 620 end | 624 end |
| 621 if not redirect_hosts:contains(components.host) then | 625 if components.authority ~= client_uri.authority then |
| 622 return oauth_error("invalid_request", "Informative URI must match redirect URIs"); | 626 return oauth_error("invalid_request", "Informative URIs must have the same hostname"); |
| 623 end | 627 end |
| 624 end | 628 end |
| 625 end | 629 end |
| 626 | 630 |
| 627 -- Ensure each signed client_id JWT is unique, short ID and issued at | 631 -- Ensure each signed client_id JWT is unique, short ID and issued at |