# HG changeset patch
# User Kim Alvefur
# Date 1748963059 -7200
# Node ID 5b269511ade79acdee0f1954027a25b4306df3d3
# Parent ef81c67e1ae7c8bae5cd5f85f27d363cea72bdfa
mod_http_oauth2: Forbid inclusion of disabled grant and response types

Better than asserting that at least one allowed grant or response type is included.

diff -r ef81c67e1ae7 -r 5b269511ade7 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue Jun 03 16:59:07 2025 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue Jun 03 17:04:19 2025 +0200
@@ -1461,16 +1461,18 @@
 local grant_types = set.new(client_metadata.grant_types);
 local response_types = set.new(client_metadata.response_types);
 
+ if not (grant_types - allowed_grant_type_handlers):empty() then
+ return nil, oauth_error("invalid_client_metadata", "Disallowed 'grant_types' specified");
+ elseif not (response_types - allowed_response_type_handlers):empty() then
+ return nil, oauth_error("invalid_client_metadata", "Disallowed 'response_types' specified");
+ end
+
 if grant_types:contains("authorization_code") and not response_types:contains("code") then
 return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'");
 elseif grant_types:contains("implicit") and not response_types:contains("token") then
 return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'");
 end
 
- if set.intersection(grant_types, allowed_grant_type_handlers):empty() then
- return nil, oauth_error("invalid_client_metadata", "No allowed 'grant_types' specified");
- end
-
 if client_metadata.token_endpoint_auth_method ~= "none" then
 -- Ensure that each client_id JWT with a client_secret is unique.
 -- A short ID along with the issued at timestamp should be sufficient to
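Review bot: With the old intersection check dropped, an empty `grant_types` set now passes the new difference checks (an empty set minus anything is empty), and the consistency check that follows only runs from grant type to response type, so a registration with `response_types = {"code"}` and no `authorization_code` grant is also accepted. Whether an omitted `grant_types` is defaulted before this point is not visible in the hunk; if it is not, a comment such as `-- an empty grant_types set is accepted here; such a client simply has no usable grant` above the new `if` would make the intent explicit. For operators diagnosing rejected registrations, consider naming the offending entries in the message, e.g. `"Disallowed 'grant_types' specified: " .. tostring(grant_types - allowed_grant_type_handlers)`, assuming the set type's tostring renders its members (and likewise for `response_types`). The enclosing function starts and ends outside the hunk.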