--- a/mod_http_oauth2/mod_http_oauth2.lua Sat Mar 11 22:25:50 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sat Mar 11 22:31:02 2023 +0100
@@ -600,12 +600,27 @@
return oauth_error("invalid_request", "Failed schema validation.");
end
+ local redirect_hosts = set.new();
for _, redirect_uri in ipairs(client_metadata.redirect_uris) do
local components = url.parse(redirect_uri);
if not components or not components.scheme then
return oauth_error("invalid_request", "Invalid redirect URI.");
elseif components.scheme == "http" and components.host ~= "localhost" then
return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)");
+ elseif components.scheme == "https" then
+ redirect_hosts:add(components.host);
+ end
+ end
+
+ for field, prop_schema in pairs(registration_schema) do
+ if prop_schema.format == "uri" and client_metadata[field] then
+ local components = url.parse(client_metadata[field]);
+ if components.scheme ~= "https" then
+ return oauth_error("invalid_request", "Insecure URI forbidden");
+ end
+ if not redirect_hosts:contains(components.host) then
+ return oauth_error("invalid_request", "Informative URI must match redirect URIs");
+ end
end
end