Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5549:01a0b67a9afd

mod_http_oauth2: Add TODO about disabling password grant Per recommendation in draft-ietf-oauth-security-topics-23 it should at the very least be disabled by default. However since this is used by the Snikket web portal some care needs to be taken not to break this, unless it's already broken by other changes to this module.
author Kim Alvefur <zash@zash.se>
date Fri, 16 Jun 2023 00:06:53 +0200
parent 5548:fd3c12c40cd9
child 5550:4fda06be6b08
comparison
equal deleted inserted replaced
5548:fd3c12c40cd9 5549:01a0b67a9afd
678 location = redirect_uri; 678 location = redirect_uri;
679 }; 679 };
680 }; 680 };
681 end 681 end
682 682
683 local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", {"authorization_code", "password", "refresh_token"}) 683 local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", {
684 "authorization_code";
685 "password"; -- TODO Disable. The resource owner password credentials grant [RFC6749] MUST NOT be used.
686 "refresh_token";
687 })
684 for handler_type in pairs(grant_type_handlers) do 688 for handler_type in pairs(grant_type_handlers) do
685 if not allowed_grant_type_handlers:contains(handler_type) then 689 if not allowed_grant_type_handlers:contains(handler_type) then
686 module:log("debug", "Grant type %q disabled", handler_type); 690 module:log("debug", "Grant type %q disabled", handler_type);
687 grant_type_handlers[handler_type] = nil; 691 grant_type_handlers[handler_type] = nil;
688 else 692 else