Changeset
5559:d7fb8b266663
mod_http_oauth2: Strip unknown client metadata
Per RFC 7591
> The authorization server MUST ignore any client metadata sent by the
> client that it does not understand (for instance, by silently removing
> unknown metadata from the client's registration record during
> processing).
This was previously done but unintentionally removed in 90449babaa48
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 20 Jun 2023 01:11:34 +0200 |
parents | 5558:3276750332ea |
children | 5560:697d799fe601 |
files | mod_http_oauth2/mod_http_oauth2.lua |
diffstat | 1 files changed, 7 insertions(+), 0 deletions(-) [+] |
--- a/mod_http_oauth2/mod_http_oauth2.lua Mon Jun 19 01:26:56 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Tue Jun 20 01:11:34 2023 +0200
@@ -979,6 +979,13 @@
 end
 end
+ -- MUST ignore any metadata that it does not understand
+ for propname in pairs(client_metadata) do
+ if not registration_schema.properties[propname] then
+ client_metadata[propname] = nil;
+ end
+ end
+
 local client_uri = url.parse(client_metadata.client_uri);
 if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
 return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri");
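Review bot: The new comment above the `for propname in pairs(client_metadata)` loop states the requirement but not its source or its purpose, which matters here because this is the step that keeps attacker-supplied keys out of the client record; since this exact check was already lost once (90449babaa48, per the commit message), the comment should make that explicit, e.g. `-- RFC 7591 §2: MUST ignore client metadata we do not understand. Strip it so unknown, client-controlled keys are never kept in the registration record or echoed back to the client.` The loop decides "understood" solely by `registration_schema.properties[propname]`, so any key the schema admits by another mechanism (e.g. `patternProperties` or a non-false `additionalProperties`, if the schema uses them — not visible here) would be silently dropped as well; a one-line note confirming that `properties` is the sole allow-list would save the next reader that check. Silently dropping is what the RFC permits, but a debug-level log of the removed key names would make misbehaving clients diagnosable without changing the observable behaviour. Clearing existing fields during a `pairs` traversal is allowed by Lua, so the in-place `client_metadata[propname] = nil` is fine. The enclosing registration function starts and ends outside this hunk.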