# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1685695248 -7200
# Node ID 1fbc8718bed6c9411480382ccdc3b72a0323dc2d
# Parent  0860497152af1e2d2204bb0bcc31ba15d217c8e7
mod_http_oauth2: Bind refresh tokens to client

Prevent one OAuth client from using the refresh tokens issued to another
client as required by RFC 6819 section 5.2.2.2

See also draft-ietf-oauth-security-topics-22 section 2.2.2

Thanks to OAuch for pointing out this issue

diff -r 0860497152af -r 1fbc8718bed6 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Fri Jun 02 10:14:16 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Fri Jun 02 10:40:48 2023 +0200
@@ -480,6 +480,13 @@
 		return oauth_error("invalid_grant", "invalid refresh token");
 	end
 
+	local refresh_token_client = refresh_token_info.grant.data.oauth2_client;
+	if not refresh_token_client.hash or refresh_token_client.hash ~= client.client_hash then
+		module:log("warn", "OAuth client %q (%s) tried to use refresh token belonging to %q (%s)", client.client_name, client.client_hash,
+			refresh_token_client.name, refresh_token_client.hash);
+		return oauth_error("unauthorized_client", "incorrect credentials");
+	end
+
 	local refresh_scopes = refresh_token_info.grant.data.oauth2_scopes;
 
 	if params.scope then