Mercurial > prosody-modules
changeset 5770:990c6adc4407
mod_http_oauth2: Move some code earlier
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Mon, 04 Dec 2023 21:07:54 +0100 |
| parents | bb4335c8f500 |
| children | 72799c330986 |
| files | mod_http_oauth2/mod_http_oauth2.lua |
| diffstat | 1 files changed, 10 insertions(+), 8 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Mon Dec 04 00:23:19 2023 +0100 +++ b/mod_http_oauth2/mod_http_oauth2.lua Mon Dec 04 21:07:54 2023 +0100 @@ -1420,6 +1420,15 @@ return nil, oauth_error("invalid_client_metadata", "No allowed 'response_types' specified"); end + if client_metadata.token_endpoint_auth_method ~= "none" then + -- Ensure that each client_id JWT with a client_secret is unique. + -- A short ID along with the issued at timestamp should be sufficient to + -- rule out brute force attacks. + -- Not needed for public clients without a secret, but those are expected + -- to be uncommon since they can only do the insecure implicit flow. + client_metadata.nonce = id.short(); + end + -- Do we want to keep everything? local client_id = sign_client(client_metadata); @@ -1427,14 +1436,7 @@ client_metadata.client_id_issued_at = os.time(); if client_metadata.token_endpoint_auth_method ~= "none" then - -- Ensure that each client_id JWT with a client_secret is unique. - -- A short ID along with the issued at timestamp should be sufficient to - -- rule out brute force attacks. - -- Not needed for public clients without a secret, but those are expected - -- to be uncommon since they can only do the insecure implicit flow. - client_metadata.nonce = id.short(); - - local client_secret = make_client_secret(client_id, client_metadata); + local client_secret = make_client_secret(client_id); client_metadata.client_secret = client_secret; client_metadata.client_secret_expires_at = 0;