# HG changeset patch # User Kim Alvefur # Date 1682766589 -7200 # Node ID b40f29ec391a7bbda4abc1d19003e29ce99dfe31 # Parent df11a2cbc7b743bb5927e106db9e927026297e82 mod_http_oauth2: Allow configuring PKCE challenge methods You'd pretty much only want this to disable the 'plain' method, since it doesn't seem to add that much security? diff -r df11a2cbc7b7 -r b40f29ec391a mod_http_oauth2/README.markdown --- a/mod_http_oauth2/README.markdown Sat Apr 29 13:09:46 2023 +0200 +++ b/mod_http_oauth2/README.markdown Sat Apr 29 13:09:49 2023 +0200 @@ -129,6 +129,15 @@ oauth2_require_code_challenge = true ``` +Further, individual challenge methods can be enabled or disabled: + +```lua +allowed_oauth2_code_challenge_methods = { + "plain"; -- the insecure one + "S256"; +} +``` + ## Deployment notes ### Access management diff -r df11a2cbc7b7 -r b40f29ec391a mod_http_oauth2/mod_http_oauth2.lua --- a/mod_http_oauth2/mod_http_oauth2.lua Sat Apr 29 13:09:46 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Sat Apr 29 13:09:49 2023 +0200 @@ -562,6 +562,16 @@ end end +local allowed_challenge_methods = module:get_option_set("allowed_oauth2_code_challenge_methods", { "plain"; "S256" }) +for handler_type in pairs(verifier_transforms) do + if not allowed_challenge_methods:contains(handler_type) then + module:log("debug", "Challenge method %q disabled", handler_type); + verifier_transforms[handler_type] = nil; + else + module:log("debug", "Challenge method %q enabled", handler_type); + end +end + function handle_token_grant(event) local credentials = get_request_credentials(event.request);