changeset 5384:b40f29ec391a

mod_http_oauth2: Allow configuring PKCE challenge methods You'd pretty much only want this to disable the 'plain' method, since it doesn't seem to add that much security?
author Kim Alvefur <zash@zash.se>
date Sat, 29 Apr 2023 13:09:49 +0200
parents df11a2cbc7b7
children 544b92750a2a
files mod_http_oauth2/README.markdown mod_http_oauth2/mod_http_oauth2.lua
diffstat 2 files changed, 19 insertions(+), 0 deletions(-) [+]
--- a/mod_http_oauth2/README.markdown	Sat Apr 29 13:09:46 2023 +0200
+++ b/mod_http_oauth2/README.markdown	Sat Apr 29 13:09:49 2023 +0200
@@ -129,6 +129,15 @@
 oauth2_require_code_challenge = true
 ```
 
+Further, individual challenge methods can be enabled or disabled:
+
+```lua
+allowed_oauth2_code_challenge_methods = {
+    "plain"; -- the insecure one
+    "S256";
+}
+```
+
 ## Deployment notes
 
 ### Access management
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sat Apr 29 13:09:46 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sat Apr 29 13:09:49 2023 +0200
@@ -562,6 +562,16 @@
 	end
 end
 
+local allowed_challenge_methods = module:get_option_set("allowed_oauth2_code_challenge_methods", { "plain"; "S256" })
+for handler_type in pairs(verifier_transforms) do
+	if not allowed_challenge_methods:contains(handler_type) then
+		module:log("debug", "Challenge method %q disabled", handler_type);
+		verifier_transforms[handler_type] = nil;
+	else
+		module:log("debug", "Challenge method %q enabled", handler_type);
+	end
+end
+
 function handle_token_grant(event)
 	local credentials = get_request_credentials(event.request);