1418 return nil, oauth_error("invalid_client_metadata", "No allowed 'grant_types' specified"); |
1418 return nil, oauth_error("invalid_client_metadata", "No allowed 'grant_types' specified"); |
1419 elseif set.intersection(response_types, allowed_response_type_handlers):empty() then |
1419 elseif set.intersection(response_types, allowed_response_type_handlers):empty() then |
1420 return nil, oauth_error("invalid_client_metadata", "No allowed 'response_types' specified"); |
1420 return nil, oauth_error("invalid_client_metadata", "No allowed 'response_types' specified"); |
1421 end |
1421 end |
1422 |
1422 |
1423 -- Do we want to keep everything? |
|
1424 local client_id = sign_client(client_metadata); |
|
1425 |
|
1426 client_metadata.client_id = client_id; |
|
1427 client_metadata.client_id_issued_at = os.time(); |
|
1428 |
|
1429 if client_metadata.token_endpoint_auth_method ~= "none" then |
1423 if client_metadata.token_endpoint_auth_method ~= "none" then |
1430 -- Ensure that each client_id JWT with a client_secret is unique. |
1424 -- Ensure that each client_id JWT with a client_secret is unique. |
1431 -- A short ID along with the issued at timestamp should be sufficient to |
1425 -- A short ID along with the issued at timestamp should be sufficient to |
1432 -- rule out brute force attacks. |
1426 -- rule out brute force attacks. |
1433 -- Not needed for public clients without a secret, but those are expected |
1427 -- Not needed for public clients without a secret, but those are expected |
1434 -- to be uncommon since they can only do the insecure implicit flow. |
1428 -- to be uncommon since they can only do the insecure implicit flow. |
1435 client_metadata.nonce = id.short(); |
1429 client_metadata.nonce = id.short(); |
1436 |
1430 end |
1437 local client_secret = make_client_secret(client_id, client_metadata); |
1431 |
|
1432 -- Do we want to keep everything? |
|
1433 local client_id = sign_client(client_metadata); |
|
1434 |
|
1435 client_metadata.client_id = client_id; |
|
1436 client_metadata.client_id_issued_at = os.time(); |
|
1437 |
|
1438 if client_metadata.token_endpoint_auth_method ~= "none" then |
|
1439 local client_secret = make_client_secret(client_id); |
1438 client_metadata.client_secret = client_secret; |
1440 client_metadata.client_secret = client_secret; |
1439 client_metadata.client_secret_expires_at = 0; |
1441 client_metadata.client_secret_expires_at = 0; |
1440 |
1442 |
1441 if not registration_options.accept_expired then |
1443 if not registration_options.accept_expired then |
1442 client_metadata.client_secret_expires_at = client_metadata.client_id_issued_at + (registration_options.default_ttl or 3600); |
1444 client_metadata.client_secret_expires_at = client_metadata.client_id_issued_at + (registration_options.default_ttl or 3600); |