Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 6243:5b269511ade7
mod_http_oauth2: Forbid inclusion of disabled grant and response types
Better than asserting that at least one allowed grant or response type
is included.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 03 Jun 2025 17:04:19 +0200 |
| parents | ef81c67e1ae7 |
| children | b7eb7d256939 |
comparison
equal
deleted
inserted
replaced
| 6242:ef81c67e1ae7 | 6243:5b269511ade7 |
|---|---|
| 1459 end | 1459 end |
| 1460 | 1460 |
| 1461 local grant_types = set.new(client_metadata.grant_types); | 1461 local grant_types = set.new(client_metadata.grant_types); |
| 1462 local response_types = set.new(client_metadata.response_types); | 1462 local response_types = set.new(client_metadata.response_types); |
| 1463 | 1463 |
| 1464 if not (grant_types - allowed_grant_type_handlers):empty() then | |
| 1465 return nil, oauth_error("invalid_client_metadata", "Disallowed 'grant_types' specified"); | |
| 1466 elseif not (response_types - allowed_response_type_handlers):empty() then | |
| 1467 return nil, oauth_error("invalid_client_metadata", "Disallowed 'response_types' specified"); | |
| 1468 end | |
| 1469 | |
| 1464 if grant_types:contains("authorization_code") and not response_types:contains("code") then | 1470 if grant_types:contains("authorization_code") and not response_types:contains("code") then |
| 1465 return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'"); | 1471 return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'"); |
| 1466 elseif grant_types:contains("implicit") and not response_types:contains("token") then | 1472 elseif grant_types:contains("implicit") and not response_types:contains("token") then |
| 1467 return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'"); | 1473 return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'"); |
| 1468 end | |
| 1469 | |
| 1470 if set.intersection(grant_types, allowed_grant_type_handlers):empty() then | |
| 1471 return nil, oauth_error("invalid_client_metadata", "No allowed 'grant_types' specified"); | |
| 1472 end | 1474 end |
| 1473 | 1475 |
| 1474 if client_metadata.token_endpoint_auth_method ~= "none" then | 1476 if client_metadata.token_endpoint_auth_method ~= "none" then |
| 1475 -- Ensure that each client_id JWT with a client_secret is unique. | 1477 -- Ensure that each client_id JWT with a client_secret is unique. |
| 1476 -- A short ID along with the issued at timestamp should be sufficient to | 1478 -- A short ID along with the issued at timestamp should be sufficient to |
