Changeset

5219:25e824f64fd3

mod_http_oauth2: Improve handling of redirect_uri matching and fallback Per OAuth 2.1, the client MUST provide a redirect_uri explicitly if it registered multiple. If it only registered a single URI, it may be omitted from the authorize request.
author Matthew Wild <mwild1@gmail.com>
date Tue, 07 Mar 2023 13:19:19 +0000
parents 5218:1f4b768c831a
children 5220:d03448560acf
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 12 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 07 13:14:25 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 07 13:19:19 2023 +0000
@@ -145,8 +145,17 @@
 end
 
 local function get_redirect_uri(client, query_redirect_uri) -- record client, string : string
+	if not query_redirect_uri then
+		if #client.redirect_uris ~= 1 then
+			-- Client registered multiple URIs, it needs specify which one to use
+			return;
+		end
+		-- When only a single URI is registered, that's the default
+		return client.redirect_uris[1];
+	end
+	-- Verify the client-provided URI matches one previously registered
 	for _, redirect_uri in ipairs(client.redirect_uris) do
-		if query_redirect_uri == nil or query_redirect_uri == redirect_uri then
+		if query_redirect_uri == redirect_uri then
 			return redirect_uri
 		end
 	end
@@ -199,6 +208,8 @@
 			extra = code;
 		}) or ("Here's your authorization code:\n%s\n"):format(code);
 		return response;
+	elseif not redirect_uri then
+		return {status_code = 400};
 	end
 
 	local redirect = url.parse(redirect_uri);