Mercurial > prosody-modules
diff mod_http_oauth2/mod_http_oauth2.lua @ 5407:149634647b48
mod_http_oauth2: Don't issue client_secret when not using authentication
This is pretty much only for implicit flow, which is considered insecure
anyway, so this is of limited value. If we delete all the implicit flow
code, this could be reverted.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 02 May 2023 16:39:32 +0200 |
parents | b86d80e21c60 |
children | 3989c57cc551 |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:34:31 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:39:32 2023 +0200 @@ -812,15 +812,18 @@ -- Do we want to keep everything? local client_id = jwt_sign(client_metadata); - local client_secret = make_client_secret(client_id); client_metadata.client_id = client_id; - client_metadata.client_secret = client_secret; client_metadata.client_id_issued_at = os.time(); - client_metadata.client_secret_expires_at = 0; - if not registration_options.accept_expired then - client_metadata.client_secret_expires_at = client_metadata.client_id_issued_at + (registration_options.default_ttl or 3600); + if client_metadata.token_endpoint_auth_method ~= "none" then + local client_secret = make_client_secret(client_id); + client_metadata.client_secret = client_secret; + client_metadata.client_secret_expires_at = 0; + + if not registration_options.accept_expired then + client_metadata.client_secret_expires_at = client_metadata.client_id_issued_at + (registration_options.default_ttl or 3600); + end end return client_metadata;