diff mod_http_oauth2/mod_http_oauth2.lua @ 5187:6a3c1febd7be

mod_http_oauth2: Add settings for allowed grant and response types So that you can opt-in to the insecure methods...
author Kim Alvefur <zash@zash.se>
date Thu, 02 Mar 2023 23:57:29 +0100
parents fa3059e653fa
children 7c531137a553
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Thu Mar 02 22:06:50 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Thu Mar 02 23:57:29 2023 +0100
@@ -253,6 +253,21 @@
 	check_credentials = function () return false end
 end
 
+local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", {"authorization_code", "password"})
+for handler_type in pairs(grant_type_handlers) do
+	if not allowed_grant_type_handlers:contains(handler_type) then
+		grant_type_handlers[handler_type] = nil;
+	end
+end
+
+-- "token" aka implicit flow is considered insecure
+local allowed_response_type_handlers = module:get_option_set("allowed_oauth2_response_types", {"code"})
+for handler_type in pairs(allowed_response_type_handlers) do
+	if not allowed_grant_type_handlers:contains(handler_type) then
+		grant_type_handlers[handler_type] = nil;
+	end
+end
+
 function handle_token_grant(event)
 	event.response.headers.content_type = "application/json";
 	local params = http.formdecode(event.request.body);