Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5407:149634647b48

mod_http_oauth2: Don't issue client_secret when not using authentication This is pretty much only for implicit flow, which is considered insecure anyway, so this is of limited value. If we delete all the implicit flow code, this could be reverted.
author Kim Alvefur <zash@zash.se>
date Tue, 02 May 2023 16:39:32 +0200
parent 5406:b86d80e21c60
child 5408:3989c57cc551
comparison
equal deleted inserted replaced
5406:b86d80e21c60 5407:149634647b48
810 -- timestamp should be sufficient to rule out brute force attacks 810 -- timestamp should be sufficient to rule out brute force attacks
811 client_metadata.nonce = id.short(); 811 client_metadata.nonce = id.short();
812 812
813 -- Do we want to keep everything? 813 -- Do we want to keep everything?
814 local client_id = jwt_sign(client_metadata); 814 local client_id = jwt_sign(client_metadata);
815 local client_secret = make_client_secret(client_id);
816 815
817 client_metadata.client_id = client_id; 816 client_metadata.client_id = client_id;
818 client_metadata.client_secret = client_secret;
819 client_metadata.client_id_issued_at = os.time(); 817 client_metadata.client_id_issued_at = os.time();
820 client_metadata.client_secret_expires_at = 0; 818
821 819 if client_metadata.token_endpoint_auth_method ~= "none" then
822 if not registration_options.accept_expired then 820 local client_secret = make_client_secret(client_id);
823 client_metadata.client_secret_expires_at = client_metadata.client_id_issued_at + (registration_options.default_ttl or 3600); 821 client_metadata.client_secret = client_secret;
822 client_metadata.client_secret_expires_at = 0;
823
824 if not registration_options.accept_expired then
825 client_metadata.client_secret_expires_at = client_metadata.client_id_issued_at + (registration_options.default_ttl or 3600);
826 end
824 end 827 end
825 828
826 return client_metadata; 829 return client_metadata;
827 end 830 end
828 831