Comparison
mod_http_oauth2/mod_http_oauth2.lua @ 6326:17d9533f7596
mod_http_oauth2: Reject invalid attempt to register client without credentials
The implicit flow works without a client_secret since the token is
delivered directly, but all other currently supported grant types
require the client to authenticate using credentials, so it makes no sense
to not issue credentials then.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 03 Jul 2025 15:45:00 +0200 |
| parent | 6325:6ea80b73d8f2 |
| child | 6327:578fa5d97daa |
| 6325:6ea80b73d8f2 | 6326:17d9533f7596 |
|---|---|
| 1543 -- A short ID along with the issued at timestamp should be sufficient to | 1543 -- A short ID along with the issued at timestamp should be sufficient to |
| 1544 -- rule out brute force attacks. | 1544 -- rule out brute force attacks. |
| 1545 -- Not needed for public clients without a secret, but those are expected | 1545 -- Not needed for public clients without a secret, but those are expected |
| 1546 -- to be uncommon since they can only do the insecure implicit flow. | 1546 -- to be uncommon since they can only do the insecure implicit flow. |
| 1547 client_metadata.nonce = id.short(); | 1547 client_metadata.nonce = id.short(); |
| 1548 elseif grant_types ~= set.new({ "implicit" }) then | |
| 1549 return nil, oauth_error("invalid_client_metadata", "A 'token_endpoint_auth_method' value of 'none' only works with the 'implicit' grant"); | |
| 1548 end | 1550 end |
| 1549 | 1551 |
| 1550 -- Do we want to keep everything? | 1552 -- Do we want to keep everything? |
| 1551 local client_id = sign_client(client_metadata); | 1553 local client_id = sign_client(client_metadata); |
| 1552 | 1554 |
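Review bot: the new `elseif grant_types ~= set.new({ "implicit" }) then` (new lines 1548-1549) is only correct if `grant_types` is itself a util.set object, because Lua only routes `~=` on tables through the set's `__eq` metamethod when the operands are comparable set values; a plain list of grant-type strings would either never compare equal or fail inside the metamethod, so every public client, including a pure implicit one, would be rejected with `invalid_client_metadata` or error out. Worth confirming where `grant_types` is built, or writing the condition as a membership check on the set rather than whole-set equality. A one-line comment above the `elseif` saying that every non-implicit grant needs client credentials (the reasoning given in the commit message) would also keep the rationale next to the check, since the existing comment on 1545-1546 only says that public clients are expected to be uncommon.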