mod_http_oauth2: Separate client_secret verification key from JWT key Allows configuring a real JWT key directly in the config, but the client_secret will be different per host.

author: Kim Alvefur <zash@zash.se>
date: Fri, 03 Mar 2023 22:48:59 +0100
parent: 5198:2e8a7a0f932d
child: 5200:afed7d5bd65c
--- a/mod_http_oauth2/mod_http_oauth2.lua	Fri Mar 03 22:48:38 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Fri Mar 03 22:48:59 2023 +0100
@@ -19,10 +19,11 @@
 local registration_algo = module:get_option_string("oauth2_registration_algorithm", "HS256");
 local registration_options = module:get_option("oauth2_registration_options", { default_ttl = 60 * 60 * 24 * 90 });
 
+local verification_key;
 local jwt_sign, jwt_verify;
 if registration_key then
 	-- Tie it to the host if global
-	registration_key = hashes.hmac_sha256(registration_key, module.host);
+	verification_key = hashes.hmac_sha256(registration_key, module.host);
 	jwt_sign, jwt_verify = jwt.init(registration_algo, registration_key, registration_key, registration_options);
 end
 
@@ -196,7 +197,7 @@
 end
 
 local function make_secret(client_id) --> client_secret
-	return hashes.hmac_sha256(registration_key, client_id, true);
+	return hashes.hmac_sha256(verification_key, client_id, true);
 end
 
 local function verify_secret(client_id, client_secret)