comparison mod_http_oauth2/mod_http_oauth2.lua @ 6204:4f0ed0e3ad5a

mod_http_oauth2: Require client authentication for password grant
author magicfelix <felix@felix-zauberer.de>
date Sat, 19 Apr 2025 16:42:21 +0200
parents a1a33f0f6f6e
children c1b94dd6e53b
comparison
equal deleted inserted replaced
6203:5ab0e560027a 6204:4f0ed0e3ad5a
395 -- Access tokens are delivered via redirect when using the implict flow, not 395 -- Access tokens are delivered via redirect when using the implict flow, not
396 -- via the token endpoint, so how did you get here? 396 -- via the token endpoint, so how did you get here?
397 return oauth_error("invalid_request"); 397 return oauth_error("invalid_request");
398 end 398 end
399 399
400 local function make_client_secret(client_id) --> client_secret
401 return hashes.hmac_sha256(verification_key, client_id, true);
402 end
403
404 local function verify_client_secret(client_id, client_secret)
405 return hashes.equals(make_client_secret(client_id), client_secret);
406 end
407
400 function grant_type_handlers.password(params) 408 function grant_type_handlers.password(params)
409 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
410 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
411
412 local client = check_client(params.client_id);
413 if not client then
414 return oauth_error("invalid_client", "incorrect credentials");
415 end
416
417 if not verify_client_secret(params.client_id, params.client_secret) then
418 module:log("debug", "client_secret mismatch");
419 return oauth_error("invalid_client", "incorrect credentials");
420 end
421
401 local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)")); 422 local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)"));
402 local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'")); 423 local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'"));
403 local request_username, request_host, request_resource = jid.prepped_split(request_jid); 424 local request_username, request_host, request_resource = jid.prepped_split(request_jid);
404 425
405 if not (request_username and request_host) or request_host ~= module.host then 426 if not (request_username and request_host) or request_host ~= module.host then
501 cache_control = "no-store"; 522 cache_control = "no-store";
502 pragma = "no-cache"; 523 pragma = "no-cache";
503 location = url.build(redirect); 524 location = url.build(redirect);
504 }; 525 };
505 } 526 }
506 end
507
508 local function make_client_secret(client_id) --> client_secret
509 return hashes.hmac_sha256(verification_key, client_id, true);
510 end
511
512 local function verify_client_secret(client_id, client_secret)
513 return hashes.equals(make_client_secret(client_id), client_secret);
514 end 527 end
515 528
516 function grant_type_handlers.authorization_code(params) 529 function grant_type_handlers.authorization_code(params)
517 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end 530 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
518 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end 531 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end