# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1682766589 -7200
# Node ID b40f29ec391a7bbda4abc1d19003e29ce99dfe31
# Parent  df11a2cbc7b743bb5927e106db9e927026297e82
mod_http_oauth2: Allow configuring PKCE challenge methods

You'd pretty much only want this to disable the 'plain' method, since it
doesn't seem to add that much security?

diff -r df11a2cbc7b7 -r b40f29ec391a mod_http_oauth2/README.markdown
--- a/mod_http_oauth2/README.markdown	Sat Apr 29 13:09:46 2023 +0200
+++ b/mod_http_oauth2/README.markdown	Sat Apr 29 13:09:49 2023 +0200
@@ -129,6 +129,15 @@
 oauth2_require_code_challenge = true
 ```
 
+Further, individual challenge methods can be enabled or disabled:
+
+```lua
+allowed_oauth2_code_challenge_methods = {
+    "plain"; -- the insecure one
+    "S256";
+}
+```
+
 ## Deployment notes
 
 ### Access management
diff -r df11a2cbc7b7 -r b40f29ec391a mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sat Apr 29 13:09:46 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sat Apr 29 13:09:49 2023 +0200
@@ -562,6 +562,16 @@
 	end
 end
 
+local allowed_challenge_methods = module:get_option_set("allowed_oauth2_code_challenge_methods", { "plain"; "S256" })
+for handler_type in pairs(verifier_transforms) do
+	if not allowed_challenge_methods:contains(handler_type) then
+		module:log("debug", "Challenge method %q disabled", handler_type);
+		verifier_transforms[handler_type] = nil;
+	else
+		module:log("debug", "Challenge method %q enabled", handler_type);
+	end
+end
+
 function handle_token_grant(event)
 	local credentials = get_request_credentials(event.request);