# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1678619204 -3600
# Node ID fd0d25b42cd9aabdf15d94466d3b5010b8d8ead8
# Parent  e22cae58141db095aaaffaa55c916f34829b0d36
mod_http_oauth2: Validate all URIs against client_uri in client registration

Validating against all redirect URIs didn't work for OOB-only clients,
which happens to be what I was testing with.

diff -r e22cae58141d -r fd0d25b42cd9 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sun Mar 12 11:27:29 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sun Mar 12 12:06:44 2023 +0100
@@ -600,26 +600,30 @@
 		return oauth_error("invalid_request", "Failed schema validation.");
 	end
 
-	local redirect_hosts = set.new();
+	local client_uri = url.parse(client_metadata.client_uri);
+	if not client_uri or client_uri.scheme ~= "https" then
+		return oauth_error("invalid_request", "Missing, invalid or insecure client_uri");
+	end
+
 	for _, redirect_uri in ipairs(client_metadata.redirect_uris) do
 		local components = url.parse(redirect_uri);
 		if not components or not components.scheme then
 			return oauth_error("invalid_request", "Invalid redirect URI.");
 		elseif components.scheme == "http" and components.host ~= "localhost" then
 			return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)");
-		elseif components.scheme == "https" then
-			redirect_hosts:add(components.host);
+		elseif components.scheme == "https" and components.host ~= client_uri.host then
+			return oauth_error("invalid_request", "Redirects must use the same hostname as client_uri");
 		end
 	end
 
 	for field, prop_schema in pairs(registration_schema.properties) do
-		if prop_schema.format == "uri" and client_metadata[field] then
+		if field ~= "client_uri" and prop_schema.format == "uri" and client_metadata[field] then
 			local components = url.parse(client_metadata[field]);
 			if components.scheme ~= "https" then
 				return oauth_error("invalid_request", "Insecure URI forbidden");
 			end
-			if not redirect_hosts:contains(components.host) then
-				return oauth_error("invalid_request", "Informative URI must match redirect URIs");
+			if components.authority ~= client_uri.authority then
+				return oauth_error("invalid_request", "Informative URIs must have the same hostname");
 			end
 		end
 	end