Changeset
6323:4f9b42c53d0f
mod_http_oauth2: Check grant type before issuing refresh token
This prevents even issuing a refresh token to a client that has not
registered the corresponding grant type.
The grant type dispatcher also checks before invoking the refresh token
grant type handler.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 03 Jul 2025 15:34:42 +0200 |
parents | 6322:dfc035ecabb4 |
children | 6324:5dc4ec836ce2 |
files | mod_http_oauth2/mod_http_oauth2.lua |
diffstat | 1 files changed, 5 insertions(+), 1 deletions(-) [+] |
--- a/mod_http_oauth2/mod_http_oauth2.lua Thu Jul 03 12:32:43 2025 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Thu Jul 03 15:34:42 2025 +0200
@@ -309,6 +309,10 @@
 };
 end
+local function may_issue_refresh_token(client, scope_string)
+ return array_contains(client.grant_types, "refresh_token") and array_contains(parse_scopes(scope_string), "offline_access");
+end
+
 local function new_access_token(token_jid, role, scope_string, client, id_token, refresh_token_info)
 local token_data = { oauth2_scopes = scope_string, oauth2_client = nil };
 if client then
@@ -334,7 +338,7 @@
 end
 -- in with the new refresh token
 local refresh_token;
- if refresh_token_info ~= false and array_contains(parse_scopes(scope_string), "offline_access") then
+ if refresh_token_info ~= false and may_issue_refresh_token(client, scope_string) then
 refresh_token = tokens.create_token(token_jid, grant.id, nil, default_refresh_ttl, "oauth2-refresh");
 end
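Review bot: `may_issue_refresh_token` indexes `client.grant_types` unconditionally, yet `new_access_token` guards `if client then` a few lines into its body, so if the refresh-token path can be reached with `client == nil` the new helper raises an index-on-nil error instead of quietly withholding the refresh token. A client record registered without a `grant_types` field would likewise hand `nil` to `array_contains`; whether that helper tolerates `nil` is not visible in this hunk. Both cases stay fail-closed with `return client ~= nil and client.grant_types ~= nil and array_contains(client.grant_types, "refresh_token") and array_contains(parse_scopes(scope_string), "offline_access");`. A one-line LDoc summary above the helper would also help, e.g. `--- True only if the client registered the refresh_token grant type and the request asks for offline_access.` The body of `new_access_token` continues outside both hunks.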