Changeset

5407:149634647b48

mod_http_oauth2: Don't issue client_secret when not using authentication This is pretty much only for implicit flow, which is considered insecure anyway, so this is of limited value. If we delete all the implicit flow code, this could be reverted.
author Kim Alvefur <zash@zash.se>
date Tue, 02 May 2023 16:39:32 +0200
parents 5406:b86d80e21c60
children 5408:3989c57cc551
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 8 insertions(+), 5 deletions(-) [+]
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue May 02 16:34:31 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue May 02 16:39:32 2023 +0200
@@ -812,15 +812,18 @@
 
 	-- Do we want to keep everything?
 	local client_id = jwt_sign(client_metadata);
-	local client_secret = make_client_secret(client_id);
 
 	client_metadata.client_id = client_id;
-	client_metadata.client_secret = client_secret;
 	client_metadata.client_id_issued_at = os.time();
-	client_metadata.client_secret_expires_at = 0;
 
-	if not registration_options.accept_expired then
-		client_metadata.client_secret_expires_at = client_metadata.client_id_issued_at + (registration_options.default_ttl or 3600);
+	if client_metadata.token_endpoint_auth_method ~= "none" then
+		local client_secret = make_client_secret(client_id);
+		client_metadata.client_secret = client_secret;
+		client_metadata.client_secret_expires_at = 0;
+
+		if not registration_options.accept_expired then
+			client_metadata.client_secret_expires_at = client_metadata.client_id_issued_at + (registration_options.default_ttl or 3600);
+		end
 	end
 
 	return client_metadata;