Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5406:b86d80e21c60

mod_http_oauth2: Validate consistency of response and grant types Ensure that these correlated fields make sense per RFC 7591 § 2.1, even though we currently only check the response type during authorization. This could probably all be deleted if (when!) we remove the implicit grant, since then these things don't make any sense anymore.
author Kim Alvefur <zash@zash.se>
date Tue, 02 May 2023 16:34:31 +0200
parent 5405:c7a5caad28ef
child 5407:149634647b48
comparison
equal deleted inserted replaced
5405:c7a5caad28ef 5406:b86d80e21c60
787 -- Localized URIs should be secure too 787 -- Localized URIs should be secure too
788 if not redirect_uri_allowed(v, client_uri, "web") then 788 if not redirect_uri_allowed(v, client_uri, "web") then
789 return nil, oauth_error("invalid_client_metadata", "Invalid, insecure or inappropriate informative URI"); 789 return nil, oauth_error("invalid_client_metadata", "Invalid, insecure or inappropriate informative URI");
790 end 790 end
791 end 791 end
792 end
793
794 local grant_types = set.new(client_metadata.grant_types);
795 local response_types = set.new(client_metadata.response_types);
796
797 if grant_types:contains("authorization_code") and not response_types:contains("code") then
798 return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'");
799 elseif grant_types:contains("implicit") and not response_types:contains("token") then
800 return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'");
801 end
802
803 if set.intersection(grant_types, allowed_grant_type_handlers):empty() then
804 return nil, oauth_error("invalid_client_metadata", "No allowed 'grant_types' specified");
805 elseif set.intersection(response_types, allowed_response_type_handlers):empty() then
806 return nil, oauth_error("invalid_client_metadata", "No allowed 'response_types' specified");
792 end 807 end
793 808
794 -- Ensure each signed client_id JWT is unique, short ID and issued at 809 -- Ensure each signed client_id JWT is unique, short ID and issued at
795 -- timestamp should be sufficient to rule out brute force attacks 810 -- timestamp should be sufficient to rule out brute force attacks
796 client_metadata.nonce = id.short(); 811 client_metadata.nonce = id.short();