--- a/mod_http_oauth2/mod_http_oauth2.lua Wed May 17 00:55:50 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Wed May 17 13:51:30 2023 +0200
@@ -236,6 +236,17 @@
};
end
+local function normalize_loopback(uri)
+ local u = url.parse(uri);
+ if u.scheme == "http" and loopbacks:contains(u.host) then
+ u.authority = nil;
+ u.host = "::1";
+ u.port = nil;
+ return url.build(u);
+ end
+ -- else, not a valid loopback uri
+end
+
local function get_redirect_uri(client, query_redirect_uri) -- record client, string : string
if not query_redirect_uri then
if #client.redirect_uris ~= 1 then
@@ -251,11 +262,19 @@
return redirect_uri
end
end
- -- FIXME The authorization server MUST allow any port to be specified at the
- -- time of the request for loopback IP redirect URIs, to accommodate clients
- -- that obtain an available ephemeral port from the operating system at the
- -- time of the request.
+ -- The authorization server MUST allow any port to be specified at the time
+ -- of the request for loopback IP redirect URIs, to accommodate clients that
+ -- obtain an available ephemeral port from the operating system at the time
+ -- of the request.
-- https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-08.html#section-8.4.2
+ local loopback_redirect_uri = normalize_loopback(query_redirect_uri);
+ if loopback_redirect_uri then
+ for _, redirect_uri in ipairs(client.redirect_uris) do
+ if loopback_redirect_uri == normalize_loopback(redirect_uri) then
+ return query_redirect_uri;
+ end
+ end
+ end
end
local grant_type_handlers = {};