# HG changeset patch
# User Kim Alvefur
# Date 1683038071 -7200
# Node ID b86d80e21c60ac8497d81e7d8e249cd47e5b1e81
# Parent c7a5caad28ef6df3e1ce08d7d8af5a65b48c15b8
mod_http_oauth2: Validate consistency of response and grant types
Ensure that these correlated fields make sense per RFC 7591 ยง 2.1, even though we currently only check the response type during authorization. This could probably all be deleted if (when!) we remove the implicit grant, since then these things don't make any sense anymore.
diff -r c7a5caad28ef -r b86d80e21c60 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:31:25 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:34:31 2023 +0200
@@ -791,6 +791,21 @@
 end
 end
 
+ local grant_types = set.new(client_metadata.grant_types);
+ local response_types = set.new(client_metadata.response_types);
+
+ if grant_types:contains("authorization_code") and not response_types:contains("code") then
+ return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'");
+ elseif grant_types:contains("implicit") and not response_types:contains("token") then
+ return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'");
+ end
+
+ if set.intersection(grant_types, allowed_grant_type_handlers):empty() then
+ return nil, oauth_error("invalid_client_metadata", "No allowed 'grant_types' specified");
+ elseif set.intersection(response_types, allowed_response_type_handlers):empty() then
+ return nil, oauth_error("invalid_client_metadata", "No allowed 'response_types' specified");
+ end
+
 -- Ensure each signed client_id JWT is unique, short ID and issued at
 -- timestamp should be sufficient to rule out brute force attacks
 client_metadata.nonce = id.short();
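Review bot: The correlation check in the new `if grant_types:contains("authorization_code") and not response_types:contains("code")` chain is one-directional, so a registration whose `response_types` contains "token" but whose `grant_types` lacks "implicit" (or "code" without "authorization_code") still passes, and because the commit message says only the response type is checked at authorization time, such a client can still run a flow its `grant_types` never declared. RFC 7591 §2.1 lists the correlation in both directions, so the two conditions should be equalities rather than implications, e.g. `if grant_types:contains("authorization_code") ~= response_types:contains("code") then` and `elseif grant_types:contains("implicit") ~= response_types:contains("token") then`, assuming `contains` returns a plain boolean as util.set's does. Separately, if `set.new(nil)` yields an empty set for an omitted field, then unless the RFC 7591 defaults (`authorization_code` / `code`) are filled in earlier in this function a registration that omits either field is now rejected with "No allowed 'grant_types' specified" — worth confirming against the code above the hunk. The enclosing function starts and ends outside the hunk.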