comparison mod_http_oauth2/mod_http_oauth2.lua @ 6243:5b269511ade7

mod_http_oauth2: Forbid inclusion of disabled grant and response types Better than asserting that at least one allowed grant or response type is included.
author Kim Alvefur <zash@zash.se>
date Tue, 03 Jun 2025 17:04:19 +0200
parents ef81c67e1ae7
children b7eb7d256939
comparison
equal deleted inserted replaced
6242:ef81c67e1ae7 6243:5b269511ade7
1459 end 1459 end
1460 1460
1461 local grant_types = set.new(client_metadata.grant_types); 1461 local grant_types = set.new(client_metadata.grant_types);
1462 local response_types = set.new(client_metadata.response_types); 1462 local response_types = set.new(client_metadata.response_types);
1463 1463
1464 if not (grant_types - allowed_grant_type_handlers):empty() then
1465 return nil, oauth_error("invalid_client_metadata", "Disallowed 'grant_types' specified");
1466 elseif not (response_types - allowed_response_type_handlers):empty() then
1467 return nil, oauth_error("invalid_client_metadata", "Disallowed 'response_types' specified");
1468 end
1469
1464 if grant_types:contains("authorization_code") and not response_types:contains("code") then 1470 if grant_types:contains("authorization_code") and not response_types:contains("code") then
1465 return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'"); 1471 return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'");
1466 elseif grant_types:contains("implicit") and not response_types:contains("token") then 1472 elseif grant_types:contains("implicit") and not response_types:contains("token") then
1467 return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'"); 1473 return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'");
1468 end
1469
1470 if set.intersection(grant_types, allowed_grant_type_handlers):empty() then
1471 return nil, oauth_error("invalid_client_metadata", "No allowed 'grant_types' specified");
1472 end 1474 end
1473 1475
1474 if client_metadata.token_endpoint_auth_method ~= "none" then 1476 if client_metadata.token_endpoint_auth_method ~= "none" then
1475 -- Ensure that each client_id JWT with a client_secret is unique. 1477 -- Ensure that each client_id JWT with a client_secret is unique.
1476 -- A short ID along with the issued at timestamp should be sufficient to 1478 -- A short ID along with the issued at timestamp should be sufficient to