comparison mod_http_oauth2/mod_http_oauth2.lua @ 5580:feadbd481285
mod_http_oauth2: Only add nonce when issuing a client_secret
It is not as important that the client_id be unique if there is no
client_secret, since the point was to make each issued client_secret
distinct.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Mon, 26 Jun 2023 00:19:05 +0200 |
parents | 697d799fe601 |
children | 7040d0772758 |
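--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -1016,22 +1016,25 @@
 return nil, oauth_error("invalid_client_metadata", "No allowed 'grant_types' specified");
 elseif set.intersection(response_types, allowed_response_type_handlers):empty() then
 return nil, oauth_error("invalid_client_metadata", "No allowed 'response_types' specified");
 end
 
--- Ensure each signed client_id JWT is unique, short ID and issued at
--- timestamp should be sufficient to rule out brute force attacks
-client_metadata.nonce = id.short();
-
 -- Do we want to keep everything?
 local client_id = sign_client(client_metadata);
 
 client_metadata.client_id = client_id;
 client_metadata.client_id_issued_at = os.time();
 
 if client_metadata.token_endpoint_auth_method ~= "none" then
-local client_secret = make_client_secret(client_id);
+-- Ensure that each client_id JWT with a client_secret is unique.
+-- A short ID along with the issued at timestamp should be sufficient to
+-- rule out brute force attacks.
+-- Not needed for public clients without a secret, but those are expected
+-- to be uncommon since they can only do the insecure implicit flow.
+client_metadata.nonce = id.short();
+
+local client_secret = make_client_secret(client_id, client_metadata);
 client_metadata.client_secret = client_secret;
 client_metadata.client_secret_expires_at = 0;
 
 if not registration_options.accept_expired then
 client_metadata.client_secret_expires_at = client_metadata.client_id_issued_at + (registration_options.default_ttl or 3600);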
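Review bot: The nonce on new line 1033 is assigned after `sign_client(client_metadata)` on new line 1022 has already produced client_id, so it cannot be part of the signed client_id JWT, and the new comment's claim that each client_id JWT with a client_secret is unique does not hold for the client_id itself. Whether each issued secret still differs per registration depends on make_client_secret reading client_metadata.nonce through its new second argument, whose definition is outside this hunk. If the nonce is meant to be embedded in the client_id, move the assignment ahead of the signing step, `if client_metadata.token_endpoint_auth_method ~= "none" then client_metadata.nonce = id.short(); end` placed before `local client_id = sign_client(client_metadata);`; otherwise reword the comment to say the nonce only feeds the secret derivation. A nonce that is not carried in the client_id JWT exists only in the registration-time metadata, so any later check that recomputes the secret from client_id alone would not have it — worth confirming against make_client_secret and its callers. The enclosing function begins and ends outside this hunk.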