Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5559:d7fb8b266663

mod_http_oauth2: Strip unknown client metadata Per RFC 7591 > The authorization server MUST ignore any client metadata sent by the > client that it does not understand (for instance, by silently removing > unknown metadata from the client's registration record during > processing). This was previously done but unintentionally removed in 90449babaa48
author Kim Alvefur <zash@zash.se>
date Tue, 20 Jun 2023 01:11:34 +0200
parent 5554:90449babaa48
child 5560:697d799fe601
comparison
equal deleted inserted replaced
5558:3276750332ea 5559:d7fb8b266663
977 if client_metadata[propname] == nil and type(propspec) == "table" and propspec.default ~= nil then 977 if client_metadata[propname] == nil and type(propspec) == "table" and propspec.default ~= nil then
978 client_metadata[propname] = propspec.default; 978 client_metadata[propname] = propspec.default;
979 end 979 end
980 end 980 end
981 981
982 -- MUST ignore any metadata that it does not understand
983 for propname in pairs(client_metadata) do
984 if not registration_schema.properties[propname] then
985 client_metadata[propname] = nil;
986 end
987 end
988
982 local client_uri = url.parse(client_metadata.client_uri); 989 local client_uri = url.parse(client_metadata.client_uri);
983 if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then 990 if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
984 return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri"); 991 return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri");
985 end 992 end
986 993