comparison mod_http_oauth2/mod_http_oauth2.lua @ 6237:9d88c3d9eea5

mod_http_oauth2: Enforce the registered grant types Thus a client can limit itself to certain grant types. Not sure if this prevents any attacks, but what was the point of including this in the registration if it was not going to be enforced? This became easier to do with client_id being available earlier.
author Kim Alvefur <zash@zash.se>
date Mon, 02 Jun 2025 20:55:20 +0200
parents b63202d66238
children 7b3316ac24b3
comparison
equal deleted inserted replaced
6236:4b52d579bc70 6237:9d88c3d9eea5
876 local grant_type = params.grant_type 876 local grant_type = params.grant_type
877 local grant_handler = grant_type_handlers[grant_type]; 877 local grant_handler = grant_type_handlers[grant_type];
878 if not grant_handler then 878 if not grant_handler then
879 return oauth_error("invalid_request", "No such grant type."); 879 return oauth_error("invalid_request", "No such grant type.");
880 end 880 end
881
882 local grant_type_allowed = false;
883 for _, client_grant_type in ipairs(client.grant_types or { "authorization_code" }) do
884 if client_grant_type == grant_type then
885 grant_type_allowed = true;
886 break
887 end
888 end
889
890 if not grant_type_allowed then
891 return oauth_error("invalid_request", "'grant_type' not registered");
892 end
893
881 return grant_handler(params, client); 894 return grant_handler(params, client);
882 end 895 end
883 896
884 local function handle_authorization_request(event) 897 local function handle_authorization_request(event)
885 local request = event.request; 898 local request = event.request;