Mercurial > prosody-modules
diff mod_http_oauth2/mod_http_oauth2.lua @ 5512:1fbc8718bed6
mod_http_oauth2: Bind refresh tokens to client
Prevent one OAuth client from using the refresh tokens issued to another
client as required by RFC 6819 section 5.2.2.2
See also draft-ietf-oauth-security-topics-22 section 2.2.2
Thanks to OAuch for pointing out this issue
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 02 Jun 2023 10:40:48 +0200 |
parents | 0860497152af |
children | 0005d4201030 |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Fri Jun 02 10:14:16 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Fri Jun 02 10:40:48 2023 +0200 @@ -480,6 +480,13 @@ return oauth_error("invalid_grant", "invalid refresh token"); end + local refresh_token_client = refresh_token_info.grant.data.oauth2_client; + if not refresh_token_client.hash or refresh_token_client.hash ~= client.client_hash then + module:log("warn", "OAuth client %q (%s) tried to use refresh token belonging to %q (%s)", client.client_name, client.client_hash, + refresh_token_client.name, refresh_token_client.hash); + return oauth_error("unauthorized_client", "incorrect credentials"); + end + local refresh_scopes = refresh_token_info.grant.data.oauth2_scopes; if params.scope then