comparison mod_http_oauth2/mod_http_oauth2.lua @ 6278:4f9b42c53d0f

mod_http_oauth2: Check grant type before issuing refresh token This prevents even issuing a refresh token to a client that has not registered the corresponding grant type. The grant type dispatcher also checks before invoking the refresh token grant type handler.
author Kim Alvefur <zash@zash.se>
date Thu, 03 Jul 2025 15:34:42 +0200
parents dfc035ecabb4
children 5dc4ec836ce2
comparison
equal deleted inserted replaced
6277:dfc035ecabb4 6278:4f9b42c53d0f
307 version = client.software_version; 307 version = client.software_version;
308 hash = client.client_hash; 308 hash = client.client_hash;
309 }; 309 };
310 end 310 end
311 311
312 local function may_issue_refresh_token(client, scope_string)
313 return array_contains(client.grant_types, "refresh_token") and array_contains(parse_scopes(scope_string), "offline_access");
314 end
315
312 local function new_access_token(token_jid, role, scope_string, client, id_token, refresh_token_info) 316 local function new_access_token(token_jid, role, scope_string, client, id_token, refresh_token_info)
313 local token_data = { oauth2_scopes = scope_string, oauth2_client = nil }; 317 local token_data = { oauth2_scopes = scope_string, oauth2_client = nil };
314 if client then 318 if client then
315 token_data.oauth2_client = client_subset(client); 319 token_data.oauth2_client = client_subset(client);
316 end 320 end
332 return 500; 336 return 500;
333 end 337 end
334 end 338 end
335 -- in with the new refresh token 339 -- in with the new refresh token
336 local refresh_token; 340 local refresh_token;
337 if refresh_token_info ~= false and array_contains(parse_scopes(scope_string), "offline_access") then 341 if refresh_token_info ~= false and may_issue_refresh_token(client, scope_string) then
338 refresh_token = tokens.create_token(token_jid, grant.id, nil, default_refresh_ttl, "oauth2-refresh"); 342 refresh_token = tokens.create_token(token_jid, grant.id, nil, default_refresh_ttl, "oauth2-refresh");
339 end 343 end
340 344
341 if role == "xmpp" then 345 if role == "xmpp" then
342 -- Special scope meaning the users default role. 346 -- Special scope meaning the users default role.