Diff

mod_http_oauth2/mod_http_oauth2.lua @ 5210:898575a0c6f3

mod_http_oauth2: Switch to '303 See Other' redirects This is the recommendation by draft-ietf-oauth-v2-1-07 section 7.5.2. It is the only redirect code that guarantees the user agent will use a GET request, rather than re-submitting a POST request to the new URL. The latter would be bad for us, as we are encoding auth tokens in the form data.
author Matthew Wild <mwild1@gmail.com>
date Mon, 06 Mar 2023 10:37:43 +0000
parent 5209:942f8a2f722d
child 5213:dc0f502c12f1
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Mar 06 10:29:14 2023 +0000
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Mon Mar 06 10:37:43 2023 +0000
@@ -211,7 +211,7 @@
 	redirect.query = http.formencode(query);
 
 	return {
-		status_code = 302;
+		status_code = 303;
 		headers = {
 			location = url.build(redirect);
 		};
@@ -229,7 +229,7 @@
 	redirect.fragment = http.formencode(token_info);
 
 	return {
-		status_code = 302;
+		status_code = 303;
 		headers = {
 			location = url.build(redirect);
 		};
@@ -396,7 +396,7 @@
 		.. "&" .. http.formencode({ state = q.state, iss = get_issuer() });
 	module:log("warn", "Sending error response to client via redirect to %s", redirect_uri);
 	return {
-		status_code = 302;
+		status_code = 303;
 		headers = {
 			location = redirect_uri;
 		};