Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5246:fd0d25b42cd9

mod_http_oauth2: Validate all URIs against client_uri in client registration Validating against all redirect URIs didn't work for OOB-only clients, which happens to be what I was testing with.
author Kim Alvefur <zash@zash.se>
date Sun, 12 Mar 2023 12:06:44 +0100
parent 5245:e22cae58141d
child 5247:dc27b997e969
comparison
equal deleted inserted replaced
5245:e22cae58141d 5246:fd0d25b42cd9
598 598
599 if not schema.validate(registration_schema, client_metadata) then 599 if not schema.validate(registration_schema, client_metadata) then
600 return oauth_error("invalid_request", "Failed schema validation."); 600 return oauth_error("invalid_request", "Failed schema validation.");
601 end 601 end
602 602
603 local redirect_hosts = set.new(); 603 local client_uri = url.parse(client_metadata.client_uri);
604 if not client_uri or client_uri.scheme ~= "https" then
605 return oauth_error("invalid_request", "Missing, invalid or insecure client_uri");
606 end
607
604 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do 608 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do
605 local components = url.parse(redirect_uri); 609 local components = url.parse(redirect_uri);
606 if not components or not components.scheme then 610 if not components or not components.scheme then
607 return oauth_error("invalid_request", "Invalid redirect URI."); 611 return oauth_error("invalid_request", "Invalid redirect URI.");
608 elseif components.scheme == "http" and components.host ~= "localhost" then 612 elseif components.scheme == "http" and components.host ~= "localhost" then
609 return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)"); 613 return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)");
610 elseif components.scheme == "https" then 614 elseif components.scheme == "https" and components.host ~= client_uri.host then
611 redirect_hosts:add(components.host); 615 return oauth_error("invalid_request", "Redirects must use the same hostname as client_uri");
612 end 616 end
613 end 617 end
614 618
615 for field, prop_schema in pairs(registration_schema.properties) do 619 for field, prop_schema in pairs(registration_schema.properties) do
616 if prop_schema.format == "uri" and client_metadata[field] then 620 if field ~= "client_uri" and prop_schema.format == "uri" and client_metadata[field] then
617 local components = url.parse(client_metadata[field]); 621 local components = url.parse(client_metadata[field]);
618 if components.scheme ~= "https" then 622 if components.scheme ~= "https" then
619 return oauth_error("invalid_request", "Insecure URI forbidden"); 623 return oauth_error("invalid_request", "Insecure URI forbidden");
620 end 624 end
621 if not redirect_hosts:contains(components.host) then 625 if components.authority ~= client_uri.authority then
622 return oauth_error("invalid_request", "Informative URI must match redirect URIs"); 626 return oauth_error("invalid_request", "Informative URIs must have the same hostname");
623 end 627 end
624 end 628 end
625 end 629 end
626 630
627 -- Ensure each signed client_id JWT is unique, short ID and issued at 631 -- Ensure each signed client_id JWT is unique, short ID and issued at