
mod_http_oauth2/mod_http_oauth2.lua @ 6237:4f0ed0e3ad5a

mod_http_oauth2: Require client authentication for password grant
author magicfelix <felix@felix-zauberer.de>
date Sat, 19 Apr 2025 16:42:21 +0200
parent 6207:a1a33f0f6f6e
child 6238:c1b94dd6e53b
--- a/mod_http_oauth2/mod_http_oauth2.lua	Fri Apr 18 10:37:11 2025 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sat Apr 19 16:42:21 2025 +0200
@@ -397,7 +397,28 @@
 	return oauth_error("invalid_request");
 end
 
+local function make_client_secret(client_id) --> client_secret
+       return hashes.hmac_sha256(verification_key, client_id, true);
+end
+
+local function verify_client_secret(client_id, client_secret)
+       return hashes.equals(make_client_secret(client_id), client_secret);
+end
+
 function grant_type_handlers.password(params)
+	if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
+	if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
+
+	local client = check_client(params.client_id);
+	if not client then
+		return oauth_error("invalid_client", "incorrect credentials");
+	end
+
+	if not verify_client_secret(params.client_id, params.client_secret) then
+		module:log("debug", "client_secret mismatch");
+		return oauth_error("invalid_client", "incorrect credentials");
+	end
+
 	local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)"));
 	local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'"));
 	local request_username, request_host, request_resource = jid.prepped_split(request_jid);
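Review bot: The relocated helpers `make_client_secret` and `verify_client_secret` are now indented with spaces while every other line in this file, including the copies removed in the second hunk, uses tabs; please re-indent the two bodies with a tab so the file stays consistent. The new guard sequence in `grant_type_handlers.password` (missing `client_id`/`client_secret`, `check_client`, `verify_client_secret`, both failures mapped to the same `invalid_client` / "incorrect credentials" response) appears to mirror the opening of `grant_type_handlers.authorization_code` shown in the second hunk, so it is worth lifting into one `authenticate_client(params)` helper placed next to `verify_client_secret`, which keeps the two grants from drifting apart in what they accept. Since the helpers moved roughly a hundred lines earlier, it is also worth confirming that `verification_key` and `hashes` are declared above line 397; a `local verification_key` declared later would leave the moved functions reading an unrelated global. The body of `grant_type_handlers.password` continues outside the hunk.
```lua
-- Both grants require a known client_id plus the matching derived secret;
-- unknown client and wrong secret deliberately share one response.
local function authenticate_client(params) --> client | nil, oauth_error
	if not params.client_id then return nil, oauth_error("invalid_request", "missing 'client_id'"); end
	if not params.client_secret then return nil, oauth_error("invalid_request", "missing 'client_secret'"); end
	local client = check_client(params.client_id);
	if not client or not verify_client_secret(params.client_id, params.client_secret) then
		module:log("debug", "client_secret mismatch");
		return nil, oauth_error("invalid_client", "incorrect credentials");
	end
	return client;
end

function grant_type_handlers.password(params)
	local client, err = authenticate_client(params);
	if not client then return err; end
	-- … unchanged: username/password handling …
```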
@@ -505,14 +526,6 @@
 	}
 end
 
-local function make_client_secret(client_id) --> client_secret
-	return hashes.hmac_sha256(verification_key, client_id, true);
-end
-
-local function verify_client_secret(client_id, client_secret)
-	return hashes.equals(make_client_secret(client_id), client_secret);
-end
-
 function grant_type_handlers.authorization_code(params)
 	if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
 	if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end