
mod_http_oauth2/mod_http_oauth2.lua @ 5402:fbf3ede7541b

mod_http_oauth2: More appropriate error conditions in client validation. Specified in RFC7591 for these kinds of issues.
author Kim Alvefur <zash@zash.se>
date Tue, 02 May 2023 16:22:17 +0200
parent 5401:c8d04ac200fc
child 5403:c574aaaa4d57
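--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -753,39 +753,39 @@
 end
 end
 
 local client_uri = url.parse(client_metadata.client_uri);
 if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
-return nil, oauth_error("invalid_request", "Missing, invalid or insecure client_uri");
+return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri");
 end
 
 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do
 if not redirect_uri_allowed(redirect_uri, client_uri, client_metadata.application_type) then
-return nil, oauth_error("invalid_request", "Invalid, insecure or inappropriate redirect URI.");
+return nil, oauth_error("invalid_redirect_uri", "Invalid, insecure or inappropriate redirect URI.");
 end
 end
 
 for field, prop_schema in pairs(registration_schema.properties) do
 if field ~= "client_uri" and prop_schema.format == "uri" and client_metadata[field] then
 local components = url.parse(client_metadata[field]);
 if components.scheme ~= "https" then
-return nil, oauth_error("invalid_request", "Insecure URI forbidden");
+return nil, oauth_error("invalid_client_metadata", "Insecure URI forbidden");
 end
 if components.authority ~= client_uri.authority then
-return nil, oauth_error("invalid_request", "Informative URIs must have the same hostname");
+return nil, oauth_error("invalid_client_metadata", "Informative URIs must have the same hostname");
 end
 end
 end
 
 -- Localized URIs should be secure too
 for k, v in pairs(client_metadata) do
 if k:find"_uri#" then
 local uri = url.parse(v);
 if not uri or uri.scheme ~= "https" then
-return nil, oauth_error("invalid_request", "Missing, invalid or insecure "..k);
+return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure "..k);
 elseif uri.host ~= client_uri.host then
-return nil, oauth_error("invalid_request", "All URIs must use the same hostname as client_uri");
+return nil, oauth_error("invalid_client_metadata", "All URIs must use the same hostname as client_uri");
 end
 end
 end
 
 -- Ensure each signed client_id JWT is unique, short ID and issued at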
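Review bot: `components.scheme` on new line 770 is read without checking that `url.parse` returned a table, while the sibling checks on 757 and 783 both guard the parse result first; `client_metadata[field]` only proves the value is non-nil, and an empty string is truthy in Lua, so if `url` here is LuaSocket's `socket.url` (whose `parse` returns `nil, "invalid url"` for an empty string) a client submitting `""` in any `*_uri` field would trigger a Lua error instead of the new `invalid_client_metadata` response. Suggest `if not components or components.scheme ~= "https" then` on 770, which keeps the RFC 7591 error code this commit introduces on the unparseable-input path too. Separately, the message on 774 says "same hostname" but the condition on 773 compares `authority` (which may carry userinfo and port), whereas the localized-URI loop on 785 compares `host`; aligning the two comparisons, or wording 774 as "same authority", would make the three URI checks consistent. The enclosing function begins before this hunk.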