Mercurial > prosody-modules

diff mod_http_oauth2/mod_http_oauth2.lua @ 5465:66e13e79928b

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_http_oauth2: Note about partial OpenID Discovery implementation Notably we don't have an JSON Web Key Set, since we use the client secret in the HS256 algorithm.
author Kim Alvefur <zash@zash.se>
date Wed, 17 May 2023 17:56:56 +0200
parents dacde53467f3
children 398d936e77fb
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Wed May 17 17:38:18 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Wed May 17 17:56:56 2023 +0200
@@ -1074,7 +1074,6 @@
 				issuer = get_issuer();
 				authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil;
 				token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil;
-				jwks_uri = nil; -- TODO?
 				registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil;
 				scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host))):append(array(openid_claims:items()));
 				response_types_supported = array(it.keys(response_type_handlers));
@@ -1091,7 +1090,8 @@
 
 				-- OpenID
 				userinfo_endpoint = handle_register_request and module:http_url() .. "/userinfo" or nil;
-				id_token_signing_alg_values_supported = { "HS256" };
+				jwks_uri = nil; -- REQUIRED in OpenID Discovery but not in OAuth 2.0 Metadata
+				id_token_signing_alg_values_supported = { "HS256" }; -- The algorithm RS256 MUST be included, but we use HS256 and client_secret as shared key.
 			};
 		};
 	};