# HG changeset patch
# User Kim Alvefur
# Date 1742158585 -3600
# Node ID a1a33f0f6f6e37026cc6ddbafc551bd3572f1f6b
# Parent ac7e2992fe6e1ec7775fb223855e056ab4c92578
mod_http_oauth2: Reorder HTTP handler (noop)
More in the order they might be used, related paths together.
diff -r ac7e2992fe6e -r a1a33f0f6f6e mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Sun Mar 16 17:04:51 2025 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sun Mar 16 21:56:25 2025 +0100
@@ -1584,6 +1584,7 @@
 -- This is the normal 'authorization_code' flow.
 -- Step 1. Create OAuth client
+ ["GET /register"] = { headers = { content_type = "application/schema+json" }; body = json.encode(registration_schema) };
 ["POST /register"] = handle_register_request;
 -- Device flow
@@ -1595,24 +1596,6 @@
 ["POST /authorize"] = handle_authorization_request;
 ["OPTIONS /authorize"] = { status_code = 403; body = "" };
- -- Step 3. User is redirected to the 'redirect_uri' along with an
- -- authorization code. In the insecure 'implicit' flow, the access token
- -- is delivered here.
-
- -- Step 4. Retrieve access token using the code.
- ["POST /token"] = handle_token_grant;
-
- -- Step 4 is later repeated using the refresh token to get new access tokens.
-
- -- Step 5. Revoke token (access or refresh)
- ["POST /revoke"] = handle_revocation_request;
-
- -- Get info about a token
- ["POST /introspect"] = handle_introspection_request;
-
- -- OpenID
- ["GET /userinfo"] = handle_userinfo_request;
-
 -- Optional static content for templates
 ["GET /style.css"] = templates.css and {
 headers = {
@@ -1627,11 +1610,26 @@
 body = templates.js;
 } or nil;
- -- Some convenient fallback handlers
- ["GET /register"] = { headers = { content_type = "application/schema+json" }; body = json.encode(registration_schema) };
+ -- Step 3. User is redirected to the 'redirect_uri' along with an
+ -- authorization code. In the insecure 'implicit' flow, the access token
+ -- is delivered here.
+
+ -- Step 4. Retrieve access token using the code.
+ ["POST /token"] = handle_token_grant;
 ["GET /token"] = function() return 405; end;
+
+ -- Step 4 is later repeated using the refresh token to get new access tokens.
+
+ -- Get info about a token
+ ["POST /introspect"] = handle_introspection_request;
+ ["GET /introspect"] = function() return 405; end;
+
+ -- Get info about the user, used for OpenID Connect
+ ["GET /userinfo"] = handle_userinfo_request;
+
+ -- Step 5. Revoke token (access or refresh)
+ ["POST /revoke"] = handle_revocation_request;
 ["GET /revoke"] = function() return 405; end;
- ["GET /introspect"] = function() return 405; end;
 };
 });
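Review bot: The three `function() return 405; end` fallbacks (`GET /token`, `GET /introspect`, `GET /revoke`) lose their only explanation, because the `-- Some convenient fallback handlers` comment is removed and nothing replaces it. A short line above each pair, such as `-- POST only: answer GET with 405 Method Not Allowed`, would keep the intent visible next to the token endpoints. Separately, and beyond the scope of a no-op reorder, a bare `return 405` presumably sends no `Allow` header, which RFC 9110 expects on a 405 response. The table form already used for `OPTIONS /authorize` could carry it, following the `content_type` key style: `["GET /token"] = { status_code = 405; headers = { allow = "POST" }; body = "" };`. The route table opens outside this hunk, so whether any key is defined twice elsewhere cannot be checked from here.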