# HG changeset patch
# User Kim Alvefur
# Date 1690762078 -7200
# Node ID a44af1b646f534de42f93d140dade17e94bf8dff
# Parent e86a1018cdb353ad879d79f161deae477ad2848a
mod_http_oauth2: Optionally enforce authentication on revocation endpoint

But why do OAuth require this? If a token leaks, why couldn't anyone revoke it?

diff -r e86a1018cdb3 -r a44af1b646f5 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Jul 31 02:07:24 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Mon Jul 31 02:07:58 2023 +0200
@@ -1041,6 +1041,8 @@
 	}
 end
 
+local strict_auth_revoke = module:get_option_boolean("oauth2_require_auth_revoke", false);
+
 local function handle_revocation_request(event)
 	local request, response = event.request, event.response;
 	response.headers.cache_control = "no-store";
@@ -1055,6 +1057,11 @@
 		if not verify_client_secret(credentials.username, credentials.password) then
 			return 401;
 		end
+		-- TODO check that it's their token I guess?
+	elseif strict_auth_revoke then
+		-- Why require auth to revoke a leaked token?
+		response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
+		return 401;
 	end
 
 	local form_data = strict_formdecode(event.request.body);
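Review bot: The new `elseif strict_auth_revoke` branch only checks that some client credentials were presented, so with the option enabled any authenticated client can still revoke tokens issued to a different client; the `-- TODO check that it's their token I guess?` line added in the authenticated branch is the real gap, since RFC 7009 §2.1 expects the server to verify the token was issued to the authenticating client before revoking it. That ownership check belongs after the token is looked up later in the function (outside this hunk), comparing the token's client identifier against `credentials.username` and returning 401 on mismatch. The `-- Why require auth to revoke a leaked token?` comment leaves the author's question in shipped code; the rationale the spec gives is that an unauthenticated endpoint lets anyone who observes a token (or guesses one) invalidate a legitimate session, so replace it with `-- RFC 7009: confidential clients must authenticate; prevents third parties from revoking tokens they observed`. Minor inconsistency: the pre-existing `return 401` after a failed `verify_client_secret` does not set `www_authenticate` the way the new branch does. The enclosing `if credentials` block starts before this hunk and `handle_revocation_request` continues after it.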