mod_http_oauth2: Allow configuring PKCE challenge methods You'd pretty much only want this to disable the 'plain' method, since it doesn't seem to add that much security?

author: Kim Alvefur <zash@zash.se>
date: Sat, 29 Apr 2023 13:09:49 +0200
parent: 5383:df11a2cbc7b7
child: 5385:544b92750a2a
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sat Apr 29 13:09:46 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sat Apr 29 13:09:49 2023 +0200
@@ -562,6 +562,16 @@
 	end
 end
 
+local allowed_challenge_methods = module:get_option_set("allowed_oauth2_code_challenge_methods", { "plain"; "S256" })
+for handler_type in pairs(verifier_transforms) do
+	if not allowed_challenge_methods:contains(handler_type) then
+		module:log("debug", "Challenge method %q disabled", handler_type);
+		verifier_transforms[handler_type] = nil;
+	else
+		module:log("debug", "Challenge method %q enabled", handler_type);
+	end
+end
+
 function handle_token_grant(event)
 	local credentials = get_request_credentials(event.request);