changeset 5219:25e824f64fd3

mod_http_oauth2: Improve handling of redirect_uri matching and fallback. Per OAuth 2.1, the client MUST provide a redirect_uri explicitly if it has registered more than one. If it has registered only a single URI, the redirect_uri may be omitted from the authorize request.
author Matthew Wild <mwild1@gmail.com>
date Tue, 07 Mar 2023 13:19:19 +0000
parents 1f4b768c831a
children d03448560acf
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 12 insertions(+), 1 deletions(-) [+]
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 07 13:14:25 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 07 13:19:19 2023 +0000
@@ -145,8 +145,17 @@
 end
 
 local function get_redirect_uri(client, query_redirect_uri) -- record client, string : string
+	if not query_redirect_uri then
+		if #client.redirect_uris ~= 1 then
+			-- Client registered multiple URIs, it needs specify which one to use
+			return;
+		end
+		-- When only a single URI is registered, that's the default
+		return client.redirect_uris[1];
+	end
+	-- Verify the client-provided URI matches one previously registered
 	for _, redirect_uri in ipairs(client.redirect_uris) do
-		if query_redirect_uri == nil or query_redirect_uri == redirect_uri then
+		if query_redirect_uri == redirect_uri then
 			return redirect_uri
 		end
 	end
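Review bot: The comment on the new multiple-URI branch has a typo and the signature annotation no longer matches the contract: `-- Client registered multiple URIs, it needs specify which one to use` should read `-- Client registered multiple URIs, it needs to specify which one to use`, and `-- record client, string : string` should become `-- record client, string? : string?` since the function now returns nil both when several URIs are registered and none was supplied, and (after the loop) when the supplied one matches none. The `==` in the loop is the right check, but it is worth stating that the exactness is deliberate so nobody later "relaxes" it to a prefix or pattern match: `-- Exact string comparison only; no prefix, pattern or normalisation, per OAuth 2.1`. Note that `#client.redirect_uris` assumes the field is always a sequence; if a client record can lack it this branch raises rather than returning nil, which is worth confirming against the registration code. get_redirect_uri's body continues past the end of the hunk.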
@@ -199,6 +208,8 @@
 			extra = code;
 		}) or ("Here's your authorization code:\n%s\n"):format(code);
 		return response;
+	elseif not redirect_uri then
+		return {status_code = 400};
 	end
 
 	local redirect = url.parse(redirect_uri);
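Review bot: The new `elseif not redirect_uri then return {status_code = 400};` correctly refuses to redirect when no valid redirect_uri was established, but the bare 400 gives the resource owner no indication of what was wrong; a short body such as `return {status_code = 400; body = "Invalid or missing redirect_uri"};` would help, assuming the response table accepts `body` as other Prosody HTTP handlers do (confirm). More importantly, the branch sits after the `code` used on the preceding lines has already been produced, so if that code is persisted before this point (its creation is outside the hunk), a request with an unregistered redirect_uri still leaves an issued authorization code behind; validating redirect_uri before minting the code would avoid that. The enclosing function starts and ends outside the hunk.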