Diff

mod_http_oauth2/mod_http_oauth2.lua @ 5704:8cb3da7df521

mod_http_oauth2: Restrict introspection to clients own tokens The introspection code was added before the client hash was added in 0860497152af which allows connecting tokens to clients.
author Kim Alvefur <zash@zash.se>
date Sun, 29 Oct 2023 11:20:15 +0100
parent 5703:b43c989fb69c
child 5705:527c747711f3
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Thu May 25 09:31:21 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sun Oct 29 11:20:15 2023 +0100
@@ -1061,6 +1061,11 @@
 		return 401;
 	end
 
+	local client = check_client(credentials.username);
+	if not client then
+		return 401;
+	end
+
 	local form_data = http.formdecode(request.body or "=");
 	local token = form_data.token;
 	if not token then
@@ -1071,6 +1076,10 @@
 	if not token_info then
 		return { headers = { content_type = "application/json" }; body = json.encode { active = false } };
 	end
+	local token_client = token_info.grant.data.oauth2_client;
+	if not token_client or token_client.hash ~= client.client_hash then
+		return 403;
+	end
 
 	return {
 		headers = { content_type = "application/json" };
@@ -1083,7 +1092,7 @@
 			exp = token.expires;
 			iat = token.created;
 			sub = url.build({ scheme = "xmpp"; path = token_info.jid });
-			aud = nil;
+			aud = credentials.username;
 			iss = get_issuer();
 			jti = token_info.id;
 		};