Mercurial > prosody-modules
changeset 5580:feadbd481285
mod_http_oauth2: Only add nonce when issuing a client_secret
Not as important that the client_id be unique if there's no
client_secret since the point was to make each issued client_secret
distinct.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Mon, 26 Jun 2023 00:19:05 +0200 |
| parents | bc292c84f56c |
| children | df483d9056f5 |
| files | mod_http_oauth2/mod_http_oauth2.lua |
| diffstat | 1 files changed, 8 insertions(+), 5 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Sun Jun 25 23:53:15 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Mon Jun 26 00:19:05 2023 +0200 @@ -1018,10 +1018,6 @@ return nil, oauth_error("invalid_client_metadata", "No allowed 'response_types' specified"); end - -- Ensure each signed client_id JWT is unique, short ID and issued at - -- timestamp should be sufficient to rule out brute force attacks - client_metadata.nonce = id.short(); - -- Do we want to keep everything? local client_id = sign_client(client_metadata); @@ -1029,7 +1025,14 @@ client_metadata.client_id_issued_at = os.time(); if client_metadata.token_endpoint_auth_method ~= "none" then - local client_secret = make_client_secret(client_id); + -- Ensure that each client_id JWT with a client_secret is unique. + -- A short ID along with the issued at timestamp should be sufficient to + -- rule out brute force attacks. + -- Not needed for public clients without a secret, but those are expected + -- to be uncommon since they can only do the insecure implicit flow. + client_metadata.nonce = id.short(); + + local client_secret = make_client_secret(client_id, client_metadata); client_metadata.client_secret = client_secret; client_metadata.client_secret_expires_at = 0;