mod_http_oauth2: Optionally enforce authentication on revocation endpoint But why do OAuth require this? If a token leaks, why couldn't anyone revoke it?

author: Kim Alvefur <zash@zash.se>
date: Mon, 31 Jul 2023 02:07:58 +0200
parent: 5626:81042c2a235a
child: 5646:9aace51c3637
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Jul 31 02:07:24 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Mon Jul 31 02:07:58 2023 +0200
@@ -1041,6 +1041,8 @@
 	}
 end
 
+local strict_auth_revoke = module:get_option_boolean("oauth2_require_auth_revoke", false);
+
 local function handle_revocation_request(event)
 	local request, response = event.request, event.response;
 	response.headers.cache_control = "no-store";
@@ -1055,6 +1057,11 @@
 		if not verify_client_secret(credentials.username, credentials.password) then
 			return 401;
 		end
+		-- TODO check that it's their token I guess?
+	elseif strict_auth_revoke then
+		-- Why require auth to revoke a leaked token?
+		response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
+		return 401;
 	end
 
 	local form_data = strict_formdecode(event.request.body);