prosody-modules
1fbc8718bed6
mod_http_oauth2/mod_http_oauth2.lua
Software / code / prosody-modules
Comparison
mod_http_oauth2/mod_http_oauth2.lua @ 5512:1fbc8718bed6
mod_http_oauth2: Bind refresh tokens to client
Prevent one OAuth client from using the refresh tokens issued to another
client as required by RFC 6819 section 5.2.2.2
See also draft-ietf-oauth-security-topics-22 section 2.2.2
Thanks to OAuch for pointing out this issue
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 02 Jun 2023 10:40:48 +0200 |
| parent | 5511:0860497152af |
| child | 5513:0005d4201030 |
comparison
equal
deleted
inserted
replaced
| 5511:0860497152af | 5512:1fbc8718bed6 |
|---|---|
| 476 end | 476 end |
| 477 | 477 |
| 478 local refresh_token_info = tokens.get_token_info(params.refresh_token); | 478 local refresh_token_info = tokens.get_token_info(params.refresh_token); |
| 479 if not refresh_token_info or refresh_token_info.purpose ~= "oauth2-refresh" then | 479 if not refresh_token_info or refresh_token_info.purpose ~= "oauth2-refresh" then |
| 480 return oauth_error("invalid_grant", "invalid refresh token"); | 480 return oauth_error("invalid_grant", "invalid refresh token"); |
| 481 end | |
| 482 | |
| 483 local refresh_token_client = refresh_token_info.grant.data.oauth2_client; | |
| 484 if not refresh_token_client.hash or refresh_token_client.hash ~= client.client_hash then | |
| 485 module:log("warn", "OAuth client %q (%s) tried to use refresh token belonging to %q (%s)", client.client_name, client.client_hash, | |
| 486 refresh_token_client.name, refresh_token_client.hash); | |
| 487 return oauth_error("unauthorized_client", "incorrect credentials"); | |
| 481 end | 488 end |
| 482 | 489 |
| 483 local refresh_scopes = refresh_token_info.grant.data.oauth2_scopes; | 490 local refresh_scopes = refresh_token_info.grant.data.oauth2_scopes; |
| 484 | 491 |
| 485 if params.scope then | 492 if params.scope then |
