598 |
598 |
599 if not schema.validate(registration_schema, client_metadata) then |
599 if not schema.validate(registration_schema, client_metadata) then |
600 return oauth_error("invalid_request", "Failed schema validation."); |
600 return oauth_error("invalid_request", "Failed schema validation."); |
601 end |
601 end |
602 |
602 |
|
603 local redirect_hosts = set.new(); |
603 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do |
604 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do |
604 local components = url.parse(redirect_uri); |
605 local components = url.parse(redirect_uri); |
605 if not components or not components.scheme then |
606 if not components or not components.scheme then |
606 return oauth_error("invalid_request", "Invalid redirect URI."); |
607 return oauth_error("invalid_request", "Invalid redirect URI."); |
607 elseif components.scheme == "http" and components.host ~= "localhost" then |
608 elseif components.scheme == "http" and components.host ~= "localhost" then |
608 return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)"); |
609 return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)"); |
|
610 elseif components.scheme == "https" then |
|
611 redirect_hosts:add(components.host); |
|
612 end |
|
613 end |
|
614 |
|
615 for field, prop_schema in pairs(registration_schema) do |
|
616 if prop_schema.format == "uri" and client_metadata[field] then |
|
617 local components = url.parse(client_metadata[field]); |
|
618 if components.scheme ~= "https" then |
|
619 return oauth_error("invalid_request", "Insecure URI forbidden"); |
|
620 end |
|
621 if not redirect_hosts:contains(components.host) then |
|
622 return oauth_error("invalid_request", "Informative URI must match redirect URIs"); |
|
623 end |
609 end |
624 end |
610 end |
625 end |
611 |
626 |
612 -- Ensure each signed client_id JWT is unique |
627 -- Ensure each signed client_id JWT is unique |
613 client_metadata.nonce = uuid.generate(); |
628 client_metadata.nonce = uuid.generate(); |