diff mod_http_oauth2/mod_http_oauth2.lua @ 5559:d7fb8b266663

mod_http_oauth2: Strip unknown client metadata Per RFC 7591 > The authorization server MUST ignore any client metadata sent by the > client that it does not understand (for instance, by silently removing > unknown metadata from the client's registration record during > processing). This was previously done but unintentionally removed in 90449babaa48
author Kim Alvefur <zash@zash.se>
date Tue, 20 Jun 2023 01:11:34 +0200
parents 90449babaa48
children 697d799fe601
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Jun 19 01:26:56 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue Jun 20 01:11:34 2023 +0200
@@ -979,6 +979,13 @@
 		end
 	end
 
+	-- MUST ignore any metadata that it does not understand
+	for propname in pairs(client_metadata) do
+		if not registration_schema.properties[propname] then
+			client_metadata[propname] = nil;
+		end
+	end
+
 	local client_uri = url.parse(client_metadata.client_uri);
 	if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
 		return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri");