changeset 5242:4746609a6656

mod_http_oauth2: Validate that informative URLs match the redirect URIs It is a bit shady to have the various URIs (URLs really) point to different hostnames. This may be quite stricter than required, but can always be relaxed later.
author Kim Alvefur <zash@zash.se>
date Sat, 11 Mar 2023 22:31:02 +0100 (21 months ago)
parents 65892dd1d4ae
children d5dc8edb2695
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 15 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sat Mar 11 22:25:50 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sat Mar 11 22:31:02 2023 +0100
@@ -600,12 +600,27 @@
 		return oauth_error("invalid_request", "Failed schema validation.");
 	end
 
+	local redirect_hosts = set.new();
 	for _, redirect_uri in ipairs(client_metadata.redirect_uris) do
 		local components = url.parse(redirect_uri);
 		if not components or not components.scheme then
 			return oauth_error("invalid_request", "Invalid redirect URI.");
 		elseif components.scheme == "http" and components.host ~= "localhost" then
 			return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)");
+		elseif components.scheme == "https" then
+			redirect_hosts:add(components.host);
+		end
+	end
+
+	for field, prop_schema in pairs(registration_schema) do
+		if prop_schema.format == "uri" and client_metadata[field] then
+			local components = url.parse(client_metadata[field]);
+			if components.scheme ~= "https" then
+				return oauth_error("invalid_request", "Insecure URI forbidden");
+			end
+			if not redirect_hosts:contains(components.host) then
+				return oauth_error("invalid_request", "Informative URI must match redirect URIs");
+			end
 		end
 	end