Changeset
6287:5b269511ade7
mod_http_oauth2: Forbid inclusion of disabled grant and response types
Better than asserting that at least one allowed grant or response type
is included.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 03 Jun 2025 17:04:19 +0200 |
| parents | 6286:ef81c67e1ae7 |
| children | 6288:b7eb7d256939 |
| files | mod_http_oauth2/mod_http_oauth2.lua |
| diffstat | 1 files changed, 6 insertions(+), 4 deletions(-) [+] |
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue Jun 03 16:59:07 2025 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue Jun 03 17:04:19 2025 +0200
@@ -1461,16 +1461,18 @@
 local grant_types = set.new(client_metadata.grant_types);
 local response_types = set.new(client_metadata.response_types);
 
+if not (grant_types - allowed_grant_type_handlers):empty() then
+	return nil, oauth_error("invalid_client_metadata", "Disallowed 'grant_types' specified");
+elseif not (response_types - allowed_response_type_handlers):empty() then
+	return nil, oauth_error("invalid_client_metadata", "Disallowed 'response_types' specified");
+end
+
 if grant_types:contains("authorization_code") and not response_types:contains("code") then
 	return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'");
 elseif grant_types:contains("implicit") and not response_types:contains("token") then
 	return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'");
 end
 
-if set.intersection(grant_types, allowed_grant_type_handlers):empty() then
-	return nil, oauth_error("invalid_client_metadata", "No allowed 'grant_types' specified");
-end
-
 if client_metadata.token_endpoint_auth_method ~= "none" then
 	-- Ensure that each client_id JWT with a client_secret is unique.
 	-- A short ID along with the issued at timestamp should be sufficient to
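Review bot: Removing the `set.intersection(grant_types, allowed_grant_type_handlers):empty()` check means an empty or absent `grant_types` now passes this validation, because an empty set minus the allowed set is itself empty; the same holds for `response_types`. That is only safe if RFC 7591 defaults (`grant_types` → `authorization_code`, `response_types` → `code`) are filled in before these sets are built, which the hunk does not show, so a client registered with no usable grant type would otherwise fail only later at the token or authorization endpoint. I would state the intended contract above the new check, e.g. `-- Reject any grant/response type this server does not handle; an empty set is accepted here and relies on defaults applied earlier`, and, if no such defaults exist, keep a non-empty check alongside the subset check. The subtraction also presumes `allowed_response_type_handlers` is a `util.set` like `allowed_grant_type_handlers`; its definition is outside the hunk, as are the start and end of the enclosing function.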