Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5518:d87d0e4a8516
mod_http_oauth2: Validate the OpenID 'prompt' parameter
Without support for affecting the login and consent procedure, it seems
sensible to inform the client that they can't change anything with this
parameter.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Mon, 05 Jun 2023 22:19:17 +0200 |
| parents | 61b8d3eb91a4 |
| children | 83ebfc367169 |
comparison
equal
deleted
inserted
replaced
| 5517:a08abbd1045d | 5518:d87d0e4a8516 |
|---|---|
| 772 if client.scope then | 772 if client.scope then |
| 773 local client_scopes = set.new(parse_scopes(client.scope)); | 773 local client_scopes = set.new(parse_scopes(client.scope)); |
| 774 requested_scopes:filter(function(scope) | 774 requested_scopes:filter(function(scope) |
| 775 return client_scopes:contains(scope); | 775 return client_scopes:contains(scope); |
| 776 end); | 776 end); |
| 777 end | |
| 778 | |
| 779 -- The 'prompt' parameter from OpenID Core | |
| 780 local prompt = set.new(parse_scopes(params.prompt or "select_account login consent")); | |
| 781 if prompt:contains("none") then | |
| 782 -- Client wants no interaction, only confirmation of prior login and | |
| 783 -- consent, but this is not implemented. | |
| 784 return error_response(request, redirect_uri, oauth_error("interaction_required")); | |
| 785 elseif not prompt:contains("select_account") then | |
| 786 -- TODO If the login page is split into account selection followed by login | |
| 787 -- (e.g. password), and then the account selection could be skipped iff the | |
| 788 -- 'login_hint' parameter is present. | |
| 789 return error_response(request, redirect_uri, oauth_error("account_selection_required")); | |
| 790 elseif not prompt:contains("login") then | |
| 791 -- Currently no cookies or such are used, so login is required every time. | |
| 792 return error_response(request, redirect_uri, oauth_error("login_required")); | |
| 793 elseif not prompt:contains("consent") then | |
| 794 -- Are there any circumstances when consent would be implied or assumed? | |
| 795 return error_response(request, redirect_uri, oauth_error("consent_required")); | |
| 777 end | 796 end |
| 778 | 797 |
| 779 local auth_state = get_auth_state(request); | 798 local auth_state = get_auth_state(request); |
| 780 if not auth_state.user then | 799 if not auth_state.user then |
| 781 -- Render login page | 800 -- Render login page |
