764 end |
764 end |
765 end |
765 end |
766 |
766 |
767 for field, prop_schema in pairs(registration_schema.properties) do |
767 for field, prop_schema in pairs(registration_schema.properties) do |
768 if field ~= "client_uri" and prop_schema.format == "uri" and client_metadata[field] then |
768 if field ~= "client_uri" and prop_schema.format == "uri" and client_metadata[field] then |
769 local components = url.parse(client_metadata[field]); |
769 if not redirect_uri_allowed(client_metadata[field], client_uri, "web") then |
770 if components.scheme ~= "https" then |
770 return nil, oauth_error("invalid_client_metadata", "Invalid, insecure or inappropriate informative URI"); |
771 return nil, oauth_error("invalid_client_metadata", "Insecure URI forbidden"); |
|
772 end |
|
773 if components.authority ~= client_uri.authority then |
|
774 return nil, oauth_error("invalid_client_metadata", "Informative URIs must have the same hostname"); |
|
775 end |
771 end |
776 end |
772 end |
777 end |
773 end |
778 |
774 |
779 -- Localized URIs should be secure too |
775 -- Localized URIs should be secure too |
780 for k, v in pairs(client_metadata) do |
776 for k, v in pairs(client_metadata) do |
781 if k:find"_uri#" then |
777 if k:find"_uri#" then |
782 local uri = url.parse(v); |
778 if not redirect_uri_allowed(v, client_uri, "web") then |
783 if not uri or uri.scheme ~= "https" then |
779 return nil, oauth_error("invalid_client_metadata", "Invalid, insecure or inappropriate informative URI"); |
784 return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure "..k); |
|
785 elseif uri.host ~= client_uri.host then |
|
786 return nil, oauth_error("invalid_client_metadata", "All URIs must use the same hostname as client_uri"); |
|
787 end |
780 end |
788 end |
781 end |
789 end |
782 end |
790 |
783 |
791 -- Ensure each signed client_id JWT is unique, short ID and issued at |
784 -- Ensure each signed client_id JWT is unique, short ID and issued at |