Mercurial > prosody-modules
changeset 5518:d87d0e4a8516
mod_http_oauth2: Validate the OpenID 'prompt' parameter
Without support for affecting the login and consent procedure, it seems
sensible to inform the client that they can't change anything with this
parameter.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Mon, 05 Jun 2023 22:19:17 +0200 |
| parents | a08abbd1045d |
| children | 83ebfc367169 |
| files | mod_http_oauth2/mod_http_oauth2.lua |
| diffstat | 1 files changed, 19 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Sat Jun 03 20:04:40 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Mon Jun 05 22:19:17 2023 +0200 @@ -776,6 +776,25 @@ end); end + -- The 'prompt' parameter from OpenID Core + local prompt = set.new(parse_scopes(params.prompt or "select_account login consent")); + if prompt:contains("none") then + -- Client wants no interaction, only confirmation of prior login and + -- consent, but this is not implemented. + return error_response(request, redirect_uri, oauth_error("interaction_required")); + elseif not prompt:contains("select_account") then + -- TODO If the login page is split into account selection followed by login + -- (e.g. password), and then the account selection could be skipped iff the + -- 'login_hint' parameter is present. + return error_response(request, redirect_uri, oauth_error("account_selection_required")); + elseif not prompt:contains("login") then + -- Currently no cookies or such are used, so login is required every time. + return error_response(request, redirect_uri, oauth_error("login_required")); + elseif not prompt:contains("consent") then + -- Are there any circumstances when consent would be implied or assumed? + return error_response(request, redirect_uri, oauth_error("consent_required")); + end + local auth_state = get_auth_state(request); if not auth_state.user then -- Render login page