changeset 5199:f48628dc83f1

mod_http_oauth2: Separate client_secret verification key from JWT key

Allows configuring a real JWT key directly in the config, while the client_secret will still be different per host.
author Kim Alvefur <zash@zash.se>
date Fri, 03 Mar 2023 22:48:59 +0100
parents 2e8a7a0f932d
children afed7d5bd65c
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 3 insertions(+), 2 deletions(-) [+]
--- a/mod_http_oauth2/mod_http_oauth2.lua	Fri Mar 03 22:48:38 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Fri Mar 03 22:48:59 2023 +0100
@@ -19,10 +19,11 @@
 local registration_algo = module:get_option_string("oauth2_registration_algorithm", "HS256");
 local registration_options = module:get_option("oauth2_registration_options", { default_ttl = 60 * 60 * 24 * 90 });
 
+local verification_key;
 local jwt_sign, jwt_verify;
 if registration_key then
 	-- Tie it to the host if global
-	registration_key = hashes.hmac_sha256(registration_key, module.host);
+	verification_key = hashes.hmac_sha256(registration_key, module.host);
 	jwt_sign, jwt_verify = jwt.init(registration_algo, registration_key, registration_key, registration_options);
 end
 
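Review bot: The comment `-- Tie it to the host if global` above the new `verification_key` assignment now describes only the client_secret derivation key; the value handed to jwt.init on the following line is the configured `registration_key` unchanged, so when the key is set globally the same JWT signing/verification key is shared by every host, whereas before this change each host signed with its own HMAC-derived key. That is what the commit intends, but the comment should say so, e.g. `-- Derive a per-host key for client_secret generation; the JWT key is used as configured (shared across hosts when set globally)`. It is also worth confirming that, when `registration_algo` is an asymmetric algorithm and `registration_key` holds private key material, feeding that material into hashes.hmac_sha256 as the client_secret derivation key is acceptable key separation for this deployment — from these lines alone it appears to be, but it is an assumption. `verification_key` stays nil when `registration_key` is unset, which the rest of the module presumably already handles, since the same was true of `registration_key` before.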
@@ -196,7 +197,7 @@
 end
 
 local function make_secret(client_id) --> client_secret
-	return hashes.hmac_sha256(registration_key, client_id, true);
+	return hashes.hmac_sha256(verification_key, client_id, true);
 end
 
 local function verify_secret(client_id, client_secret)
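Review bot: `make_secret` has no doc comment, and after this change the reader has to look back to the top of the file to learn why `verification_key` rather than `registration_key` is used; a one-liner would help: `-- client_secret is derived deterministically from client_id under the per-host verification_key, never from the JWT key itself`. Whether `verify_secret`, which starts on the last line of this hunk and continues outside it, recomputes the secret through make_secret rather than a stored copy cannot be seen here, so the comment should be checked against that body before landing.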