diff mod_http_oauth2/mod_http_oauth2.lua @ 5770:990c6adc4407

mod_http_oauth2: Move some code earlier
author Kim Alvefur <zash@zash.se>
date Mon, 04 Dec 2023 21:07:54 +0100
parents a967bb4972c5
children 72799c330986
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Dec 04 00:23:19 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Mon Dec 04 21:07:54 2023 +0100
@@ -1420,6 +1420,15 @@
 		return nil, oauth_error("invalid_client_metadata", "No allowed 'response_types' specified");
 	end
 
+	if client_metadata.token_endpoint_auth_method ~= "none" then
+		-- Ensure that each client_id JWT with a client_secret is unique.
+		-- A short ID along with the issued at timestamp should be sufficient to
+		-- rule out brute force attacks.
+		-- Not needed for public clients without a secret, but those are expected
+		-- to be uncommon since they can only do the insecure implicit flow.
+		client_metadata.nonce = id.short();
+	end
+
 	-- Do we want to keep everything?
 	local client_id = sign_client(client_metadata);
 
@@ -1427,14 +1436,7 @@
 	client_metadata.client_id_issued_at = os.time();
 
 	if client_metadata.token_endpoint_auth_method ~= "none" then
-		-- Ensure that each client_id JWT with a client_secret is unique.
-		-- A short ID along with the issued at timestamp should be sufficient to
-		-- rule out brute force attacks.
-		-- Not needed for public clients without a secret, but those are expected
-		-- to be uncommon since they can only do the insecure implicit flow.
-		client_metadata.nonce = id.short();
-
-		local client_secret = make_client_secret(client_id, client_metadata);
+		local client_secret = make_client_secret(client_id);
 		client_metadata.client_secret = client_secret;
 		client_metadata.client_secret_expires_at = 0;