# HG changeset patch
# User Kim Alvefur
# Date 1701720474 -3600
# Node ID 990c6adc44079dfab1858a9ee8a3f6b6ad27d045
# Parent bb4335c8f5007931ee53e2f8da520cc07668b44e
mod_http_oauth2: Move some code earlier

diff -r bb4335c8f500 -r 990c6adc4407 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Mon Dec 04 00:23:19 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Mon Dec 04 21:07:54 2023 +0100
@@ -1420,6 +1420,15 @@
 return nil, oauth_error("invalid_client_metadata", "No allowed 'response_types' specified");
 end
 
+ if client_metadata.token_endpoint_auth_method ~= "none" then
+ -- Ensure that each client_id JWT with a client_secret is unique.
+ -- A short ID along with the issued at timestamp should be sufficient to
+ -- rule out brute force attacks.
+ -- Not needed for public clients without a secret, but those are expected
+ -- to be uncommon since they can only do the insecure implicit flow.
+ client_metadata.nonce = id.short();
+ end
+
 -- Do we want to keep everything?
 local client_id = sign_client(client_metadata);
 
@@ -1427,14 +1436,7 @@
 client_metadata.client_id_issued_at = os.time();
 
 if client_metadata.token_endpoint_auth_method ~= "none" then
- -- Ensure that each client_id JWT with a client_secret is unique.
- -- A short ID along with the issued at timestamp should be sufficient to
- -- rule out brute force attacks.
- -- Not needed for public clients without a secret, but those are expected
- -- to be uncommon since they can only do the insecure implicit flow.
- client_metadata.nonce = id.short();
-
- local client_secret = make_client_secret(client_id, client_metadata);
+ local client_secret = make_client_secret(client_id);
 client_metadata.client_secret = client_secret;
 client_metadata.client_secret_expires_at = 0;
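Review bot: The statement order in the first hunk is now load-bearing — `client_metadata.nonce` must be assigned before `sign_client(client_metadata)` for the nonce to be part of the signed client_id — but the moved comment does not say so; add `-- Must run before sign_client() so the nonce is bound into the signed client_id.` as the first line of the block. The sentence "along with the issued at timestamp" is also doubtful in the new position: `client_metadata.client_id_issued_at = os.time()` is only assigned after `sign_client` returns (context of the second hunk), so unless `sign_client` adds its own `iat` claim the timestamp is not part of what is signed and the uniqueness of each client_id rests on `id.short()` alone; either confirm that `sign_client` does add it or drop the timestamp from the comment. The last sentence, "can only do the insecure implicit flow", reads as a general OAuth claim, whereas public clients can use the authorization code grant with PKCE; if it describes a restriction this module enforces, say so explicitly. The enclosing registration function starts and ends outside the hunk.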