diff mod_http_oauth2/mod_http_oauth2.lua @ 6516:3b69df385f66

mod_http_oauth2: Normalize the password in the password grant Otherwise entering passwords in non-normal form might lead to authentication failures.
author Kim Alvefur <zash@zash.se>
date Wed, 08 Apr 2026 23:12:13 +0200
parents ff55e93be449
children
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Wed Apr 08 23:08:39 2026 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Wed Apr 08 23:12:13 2026 +0200
@@ -465,6 +465,10 @@
 	if not request_password then
 		return oauth_error("invalid_request", "missing 'password'");
 	end
+	request_password = encodings.stringprep.saslprep(request_password);
+	if not request_password then
+		return oauth_error("invalid_request", "invalid 'password'");
+	end
 
 	local auth_event = {
 		session = {