Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5262:e73f364b5624

mod_http_oauth2: Rename oauth client credential related functions To make it more explicit what "secret" these deal with.
author Kim Alvefur <zash@zash.se>
date Tue, 21 Mar 2023 21:36:54 +0100
parent 5259:8fba651b10ef
child 5263:381c62ef52aa
comparison
equal deleted inserted replaced
5261:6526b670e66d 5262:e73f364b5624
282 location = url.build(redirect); 282 location = url.build(redirect);
283 }; 283 };
284 } 284 }
285 end 285 end
286 286
287 local function make_secret(client_id) --> client_secret 287 local function make_client_secret(client_id) --> client_secret
288 return hashes.hmac_sha256(verification_key, client_id, true); 288 return hashes.hmac_sha256(verification_key, client_id, true);
289 end 289 end
290 290
291 local function verify_secret(client_id, client_secret) 291 local function verify_client_secret(client_id, client_secret)
292 return hashes.equals(make_secret(client_id), client_secret); 292 return hashes.equals(make_client_secret(client_id), client_secret);
293 end 293 end
294 294
295 function grant_type_handlers.authorization_code(params) 295 function grant_type_handlers.authorization_code(params)
296 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end 296 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
297 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end 297 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
303 local client_ok, client = jwt_verify(params.client_id); 303 local client_ok, client = jwt_verify(params.client_id);
304 if not client_ok then 304 if not client_ok then
305 return oauth_error("invalid_client", "incorrect credentials"); 305 return oauth_error("invalid_client", "incorrect credentials");
306 end 306 end
307 307
308 if not verify_secret(params.client_id, params.client_secret) then 308 if not verify_client_secret(params.client_id, params.client_secret) then
309 module:log("debug", "client_secret mismatch"); 309 module:log("debug", "client_secret mismatch");
310 return oauth_error("invalid_client", "incorrect credentials"); 310 return oauth_error("invalid_client", "incorrect credentials");
311 end 311 end
312 local code, err = codes:get(params.client_id .. "#" .. params.code); 312 local code, err = codes:get(params.client_id .. "#" .. params.code);
313 if err then error(err); end 313 if err then error(err); end
550 -- Notify client of rejection 550 -- Notify client of rejection
551 return error_response(request, oauth_error("access_denied")); 551 return error_response(request, oauth_error("access_denied"));
552 end 552 end
553 553
554 local user_jid = jid.join(auth_state.user.username, module.host); 554 local user_jid = jid.join(auth_state.user.username, module.host);
555 local client_secret = make_secret(params.client_id); 555 local client_secret = make_client_secret(params.client_id);
556 local id_token_signer = jwt.new_signer("HS256", client_secret); 556 local id_token_signer = jwt.new_signer("HS256", client_secret);
557 local id_token = id_token_signer({ 557 local id_token = id_token_signer({
558 iss = get_issuer(); 558 iss = get_issuer();
559 sub = url.build({ scheme = "xmpp"; path = user_jid }); 559 sub = url.build({ scheme = "xmpp"; path = user_jid });
560 aud = params.client_id; 560 aud = params.client_id;
673 -- timestamp should be sufficient to rule out brute force attacks 673 -- timestamp should be sufficient to rule out brute force attacks
674 client_metadata.nonce = id.short(); 674 client_metadata.nonce = id.short();
675 675
676 -- Do we want to keep everything? 676 -- Do we want to keep everything?
677 local client_id = jwt_sign(client_metadata); 677 local client_id = jwt_sign(client_metadata);
678 local client_secret = make_secret(client_id); 678 local client_secret = make_client_secret(client_id);
679 679
680 client_metadata.client_id = client_id; 680 client_metadata.client_id = client_id;
681 client_metadata.client_secret = client_secret; 681 client_metadata.client_secret = client_secret;
682 client_metadata.client_id_issued_at = os.time(); 682 client_metadata.client_id_issued_at = os.time();
683 client_metadata.client_secret_expires_at = 0; 683 client_metadata.client_secret_expires_at = 0;