
mod_http_oauth2/mod_http_oauth2.lua @ 5366:db4c66a1d24b

mod_http_oauth2: Fill in some client metadata defaults Explicit > Implicit Maybe we should actually use these for something as well? :) It is somewhat an open question how strictly we should enforce things in the client metadata given that it is somewhat extensible. Especially some of these enum fields which have corresponding IANA registries.
author Kim Alvefur <zash@zash.se>
date Tue, 25 Apr 2023 18:09:08 +0200
parent 5365:698fef74ce53
child 5367:93d445b26063
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue Apr 25 17:38:36 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue Apr 25 18:09:08 2023 +0200
@@ -640,7 +640,7 @@
 	};
 	properties = {
 		redirect_uris = { type = "array"; minLength = 1; items = { type = "string"; format = "uri" } };
-		token_endpoint_auth_method = { type = "string"; enum = { "none"; "client_secret_post"; "client_secret_basic" } };
+		token_endpoint_auth_method = { type = "string"; enum = { "none"; "client_secret_post"; "client_secret_basic"; default = "client_secret_basic" } };
 		grant_types = {
 			type = "array";
 			items = {
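Review bot: On the new token_endpoint_auth_method line, `default = "client_secret_basic"` is written inside the `enum` constructor rather than next to it, so it becomes a stray hash key of the enum table and `propspec.default` stays nil for this property; the fill-in loop added later in this commit will therefore never apply it, and depending on how the validator treats non-sequence keys in `enum` the entry may be ignored or rejected. Move the default up one level: `token_endpoint_auth_method = { type = "string"; enum = { "none"; "client_secret_post"; "client_secret_basic" }; default = "client_secret_basic" };`. The enclosing schema table starts and ends outside this hunk.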
@@ -655,8 +655,9 @@
 					"urn:ietf:params:oauth:grant-type:saml2-bearer";
 				};
 			};
+			default = { "authorization_code" };
 		};
-		response_types = { type = "array"; items = { type = "string"; enum = { "code"; "token" } } };
+		response_types = { type = "array"; items = { type = "string"; enum = { "code"; "token" } }; default = { "code" } };
 		client_name = { type = "string" };
 		client_uri = { type = "string"; format = "uri"; luaPattern = "^https:" };
 		logo_uri = { type = "string"; format = "uri"; luaPattern = "^https:" };
@@ -681,6 +682,13 @@
 		return nil, oauth_error("invalid_request", "Failed schema validation.");
 	end
 
+	-- Fill in default values
+	for propname, propspec in pairs(registration_schema.properties) do
+		if client_metadata[propname] == nil and type(propspec) == "table" and propspec.default ~= nil then
+			client_metadata[propname] = propspec.default;
+		end
+	end
+
 	local client_uri = url.parse(client_metadata.client_uri);
 	if not client_uri or client_uri.scheme ~= "https" then
 		return nil, oauth_error("invalid_request", "Missing, invalid or insecure client_uri");
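Review bot: The fill-in loop assigns `propspec.default` by reference, so every registration that omits grant_types or response_types shares the single `{ "authorization_code" }` and `{ "code" }` tables declared in the schema (second hunk), and any later in-place edit of client_metadata would silently change the default seen by all subsequent clients. I cannot see from the hunk whether client_metadata is mutated after this point, so this may be latent, but copying table-valued defaults is cheap and removes the hazard: `local value = propspec.default;`, `if type(value) == "table" then local copy = {}; for k, v in pairs(value) do copy[k] = v; end; value = copy; end`, `client_metadata[propname] = value;`. A short comment such as `-- copy table defaults so per-client edits cannot leak into the schema` would document the intent. The enclosing function starts outside this hunk.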