# HG changeset patch
# User Kim Alvefur
# Date 1687216294 -7200
# Node ID d7fb8b266663e4bd5df6facad07d1fa971c27a8a
# Parent 3276750332eacd27a9b3ee47336e1255fbad3183
mod_http_oauth2: Strip unknown client metadata

Per RFC 7591

> The authorization server MUST ignore any client metadata sent by the
> client that it does not understand (for instance, by silently removing
> unknown metadata from the client's registration record during
> processing).

This was previously done but unintentionally removed in 90449babaa48

diff -r 3276750332ea -r d7fb8b266663 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Mon Jun 19 01:26:56 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Tue Jun 20 01:11:34 2023 +0200
@@ -979,6 +979,13 @@
 end
 end
 
+ -- MUST ignore any metadata that it does not understand
+ for propname in pairs(client_metadata) do
+ if not registration_schema.properties[propname] then
+ client_metadata[propname] = nil;
+ end
+ end
+
 local client_uri = url.parse(client_metadata.client_uri);
 if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
 return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri");
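Review bot: Unknown fields are dropped with no server-side trace, so a client whose registration carried a misspelled or unsupported property gets no feedback and the operator has nothing to correlate a later "missing" attribute against; a debug log inside the `if`, `module:log("debug", "Ignoring unknown client metadata field %s", propname);`, keeps the RFC-mandated silence toward the client while leaving a record for troubleshooting. Clearing a key during a `pairs` traversal is defined behaviour in Lua (existing fields may be set to nil), but readers often flag it, so the loop comment could say so and cite the requirement: `-- RFC 7591 §2: MUST ignore client metadata we do not understand; clearing existing keys during pairs() is permitted`. The hunk does not show whether schema validation has already run at this point, nor whether `registration_schema.properties` is the only source of accepted names (e.g. an `additionalProperties` rule), so it is worth confirming the strip runs after validation and cannot remove a field the validator accepted. The enclosing function begins before the hunk.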