Diff

mod_http_oauth2/mod_http_oauth2.lua @ 5405:c7a5caad28ef

mod_http_oauth2: Enforce response type encoded in client_id The client promises to only use this response type, so we should hold them to that. This makes it fail earlier if the response type is disabled or the client is trying to use one that it promised not to use. Better than failing after login and consent.
author Kim Alvefur <zash@zash.se>
date Tue, 02 May 2023 16:31:25 +0200
parent 5404:1087f697c3f3
child 5406:b86d80e21c60
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue May 02 16:23:40 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue May 02 16:31:25 2023 +0200
@@ -620,6 +620,12 @@
 		return oauth_error("invalid_client", "incorrect credentials");
 	end
 
+	local client_response_types = set.new(array(client.response_types or { "code" }));
+	client_response_types = set.intersection(client_response_types, allowed_response_type_handlers);
+	if not client_response_types:contains(params.response_type) then
+		return oauth_error("invalid_client", "response_type not allowed");
+	end
+
 	local auth_state = get_auth_state(request);
 	if not auth_state.user then
 		-- Render login page