Changeset
6326:17d9533f7596
mod_http_oauth2: Reject invalid attempt to register client without credentials
The implicit flow works without a client_secret since the token is
delivered directly, but all other currently supported grant types
require the client to authenticate using credentials, so it makes no sense
to not issue credentials then.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 03 Jul 2025 15:45:00 +0200 |
| parents | 6325:6ea80b73d8f2 |
| children | 6327:578fa5d97daa |
| files | mod_http_oauth2/mod_http_oauth2.lua |
| diffstat | 1 files changed, 2 insertions(+), 0 deletions(-) |
--- a/mod_http_oauth2/mod_http_oauth2.lua Thu Jul 03 15:42:42 2025 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Thu Jul 03 15:45:00 2025 +0200 @@ -1545,6 +1545,8 @@ -- Not needed for public clients without a secret, but those are expected -- to be uncommon since they can only do the insecure implicit flow. client_metadata.nonce = id.short(); + elseif grant_types ~= set.new({ "implicit" }) then + return nil, oauth_error("invalid_client_metadata", "A 'token_endpoint_auth_method' value of 'none' only works with the 'implicit' grant"); end -- Do we want to keep everything?
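Review bot: the new `elseif grant_types ~= set.new({ "implicit" }) then` branch relies on `grant_types` already being a util.set at this point so that `~=` dispatches to set equality; if it can still be a plain table (the parsed `grant_types` array from the registration request) or `nil` here, the comparison is always true and every credential-less registration is rejected, including the implicit-only one the message says should pass. Worth confirming the type at this line, or comparing explicitly (for example a set of the requested grants against `set.new({ "implicit" })`). Separately, the preceding comment in the context, `-- Not needed for public clients without a secret, but those are expected to be uncommon since they can only do the insecure implicit flow.`, now describes an enforced rule rather than an expectation, so it should say that public clients are rejected unless their only grant type is `implicit`, matching the `oauth_error("invalid_client_metadata", ...)` text below it.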