Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5384:b40f29ec391a

mod_http_oauth2: Allow configuring PKCE challenge methods You'd pretty much only want this to disable the 'plain' method, since it doesn't seem to add that much security?
author Kim Alvefur <zash@zash.se>
date Sat, 29 Apr 2023 13:09:49 +0200
parent 5383:df11a2cbc7b7
child 5385:544b92750a2a
comparison
equal deleted inserted replaced
5383:df11a2cbc7b7 5384:b40f29ec391a
557 if not allowed_response_type_handlers:contains(handler_type) then 557 if not allowed_response_type_handlers:contains(handler_type) then
558 module:log("debug", "Response type %q disabled", handler_type); 558 module:log("debug", "Response type %q disabled", handler_type);
559 response_type_handlers[handler_type] = nil; 559 response_type_handlers[handler_type] = nil;
560 else 560 else
561 module:log("debug", "Response type %q enabled", handler_type); 561 module:log("debug", "Response type %q enabled", handler_type);
562 end
563 end
564
565 local allowed_challenge_methods = module:get_option_set("allowed_oauth2_code_challenge_methods", { "plain"; "S256" })
566 for handler_type in pairs(verifier_transforms) do
567 if not allowed_challenge_methods:contains(handler_type) then
568 module:log("debug", "Challenge method %q disabled", handler_type);
569 verifier_transforms[handler_type] = nil;
570 else
571 module:log("debug", "Challenge method %q enabled", handler_type);
562 end 572 end
563 end 573 end
564 574
565 function handle_token_grant(event) 575 function handle_token_grant(event)
566 local credentials = get_request_credentials(event.request); 576 local credentials = get_request_credentials(event.request);