Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5199:f48628dc83f1

mod_http_oauth2: Separate client_secret verification key from JWT key Allows configuring a real JWT key directly in the config, but the client_secret will be different per host.
author Kim Alvefur <zash@zash.se>
date Fri, 03 Mar 2023 22:48:59 +0100
parent 5198:2e8a7a0f932d
child 5200:afed7d5bd65c
comparison
equal deleted inserted replaced
5198:2e8a7a0f932d 5199:f48628dc83f1
17 -- Used to derive client_secret from client_id, set to enable stateless dynamic registration. 17 -- Used to derive client_secret from client_id, set to enable stateless dynamic registration.
18 local registration_key = module:get_option_string("oauth2_registration_key"); 18 local registration_key = module:get_option_string("oauth2_registration_key");
19 local registration_algo = module:get_option_string("oauth2_registration_algorithm", "HS256"); 19 local registration_algo = module:get_option_string("oauth2_registration_algorithm", "HS256");
20 local registration_options = module:get_option("oauth2_registration_options", { default_ttl = 60 * 60 * 24 * 90 }); 20 local registration_options = module:get_option("oauth2_registration_options", { default_ttl = 60 * 60 * 24 * 90 });
21 21
22 local verification_key;
22 local jwt_sign, jwt_verify; 23 local jwt_sign, jwt_verify;
23 if registration_key then 24 if registration_key then
24 -- Tie it to the host if global 25 -- Tie it to the host if global
25 registration_key = hashes.hmac_sha256(registration_key, module.host); 26 verification_key = hashes.hmac_sha256(registration_key, module.host);
26 jwt_sign, jwt_verify = jwt.init(registration_algo, registration_key, registration_key, registration_options); 27 jwt_sign, jwt_verify = jwt.init(registration_algo, registration_key, registration_key, registration_options);
27 end 28 end
28 29
29 local function filter_scopes(username, host, requested_scope_string) 30 local function filter_scopes(username, host, requested_scope_string)
30 if host ~= module.host then 31 if host ~= module.host then
194 }; 195 };
195 } 196 }
196 end 197 end
197 198
198 local function make_secret(client_id) --> client_secret 199 local function make_secret(client_id) --> client_secret
199 return hashes.hmac_sha256(registration_key, client_id, true); 200 return hashes.hmac_sha256(verification_key, client_id, true);
200 end 201 end
201 202
202 local function verify_secret(client_id, client_secret) 203 local function verify_secret(client_id, client_secret)
203 return hashes.equals(make_secret(client_id), client_secret); 204 return hashes.equals(make_secret(client_id), client_secret);
204 end 205 end