diff mod_http_oauth2/mod_http_oauth2.lua @ 5633:dd2079b3dec6

mod_http_oauth2: Allow omitting application type for native apps This derives "application_type":"native" from the first redirect URI when registering a client, so that it can be omitted without the default value of "web" causing the very same redirect URIs to be rejected.
author Kim Alvefur <zash@zash.se>
date Wed, 16 Aug 2023 23:56:40 +0200
parents ef0a283507c9
children 7c105277a9ca
--- a/mod_http_oauth2/mod_http_oauth2.lua	Wed Aug 16 11:17:28 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Wed Aug 16 23:56:40 2023 +0200
@@ -1236,6 +1236,16 @@
 		return nil, oauth_error("invalid_request", "Failed schema validation.");
 	end
 
+	local client_uri = url.parse(client_metadata.client_uri);
+	if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
+		return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri");
+	end
+
+	if not client_metadata.application_type and redirect_uri_allowed(client_metadata.redirect_uris[1], client_uri, "native") then
+		client_metadata.application_type = "native";
+		-- else defaults to "web"
+	end
+
 	-- Fill in default values
 	for propname, propspec in pairs(registration_schema.properties) do
 		if client_metadata[propname] == nil and type(propspec) == "table" and propspec.default ~= nil then
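Review bot: The new condition indexes `client_metadata.redirect_uris[1]` without checking that `redirect_uris` is present and non-empty; the surrounding code only shows that schema validation ran, not that the schema requires at least one redirect URI, so an empty array would pass `nil` into `redirect_uri_allowed` and the outcome depends on how that helper treats a missing URI. Guarding explicitly keeps the derivation self-contained: `local first_redirect_uri = client_metadata.redirect_uris and client_metadata.redirect_uris[1];` and `if not client_metadata.application_type and first_redirect_uri and redirect_uri_allowed(first_redirect_uri, client_uri, "native") then`. Since only the first URI decides the type while the later loop validates every URI against it, a short comment stating that, e.g. `-- Infer "native" from the first redirect URI only; all URIs are still checked against the chosen type below`, would make the intent clear, and the trailing `-- else defaults to "web"` reads better placed after the `end` than inside the taken branch. The enclosing function starts and ends outside this hunk.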
@@ -1250,11 +1260,6 @@
 		end
 	end
 
-	local client_uri = url.parse(client_metadata.client_uri);
-	if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
-		return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri");
-	end
-
 	for _, redirect_uri in ipairs(client_metadata.redirect_uris) do
 		if not redirect_uri_allowed(redirect_uri, client_uri, client_metadata.application_type) then
 			return nil, oauth_error("invalid_redirect_uri", "Invalid, insecure or inappropriate redirect URI.");