Software / code / prosody-modules
Changeset
5384:b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
You'd pretty much only want this to disable the 'plain' method, since it
doesn't seem to add that much security?
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 29 Apr 2023 13:09:49 +0200 |
| parents | 5383:df11a2cbc7b7 |
| children | 5385:544b92750a2a |
| files | mod_http_oauth2/README.markdown mod_http_oauth2/mod_http_oauth2.lua |
| diffstat | 2 files changed, 19 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_http_oauth2/README.markdown Sat Apr 29 13:09:46 2023 +0200 +++ b/mod_http_oauth2/README.markdown Sat Apr 29 13:09:49 2023 +0200 @@ -129,6 +129,15 @@ oauth2_require_code_challenge = true ``` +Further, individual challenge methods can be enabled or disabled: + +```lua +allowed_oauth2_code_challenge_methods = { + "plain"; -- the insecure one + "S256"; +} +``` + ## Deployment notes ### Access management
--- a/mod_http_oauth2/mod_http_oauth2.lua Sat Apr 29 13:09:46 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Sat Apr 29 13:09:49 2023 +0200 @@ -562,6 +562,16 @@ end end +local allowed_challenge_methods = module:get_option_set("allowed_oauth2_code_challenge_methods", { "plain"; "S256" }) +for handler_type in pairs(verifier_transforms) do + if not allowed_challenge_methods:contains(handler_type) then + module:log("debug", "Challenge method %q disabled", handler_type); + verifier_transforms[handler_type] = nil; + else + module:log("debug", "Challenge method %q enabled", handler_type); + end +end + function handle_token_grant(event) local credentials = get_request_credentials(event.request);
