mod_http_oauth2/mod_http_oauth2.lua
changeset 5410 b86d80e21c60
parent 5409 c7a5caad28ef
child 5411 149634647b48
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue May 02 16:31:25 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue May 02 16:34:31 2023 +0200
@@ -791,6 +791,21 @@
 		end
 	end
 
+	local grant_types = set.new(client_metadata.grant_types);
+	local response_types = set.new(client_metadata.response_types);
+
+	if grant_types:contains("authorization_code") and not response_types:contains("code") then
+		return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'");
+	elseif grant_types:contains("implicit") and not response_types:contains("token") then
+		return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'");
+	end
+
+	if set.intersection(grant_types, allowed_grant_type_handlers):empty() then
+		return nil, oauth_error("invalid_client_metadata", "No allowed 'grant_types' specified");
+	elseif set.intersection(response_types, allowed_response_type_handlers):empty() then
+		return nil, oauth_error("invalid_client_metadata", "No allowed 'response_types' specified");
+	end
+
 	-- Ensure each signed client_id JWT is unique, short ID and issued at
 	-- timestamp should be sufficient to rule out brute force attacks
 	client_metadata.nonce = id.short();
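Review bot: The grant/response consistency check on the new lines 14–17 is one-directional: a registration listing response_types ["code"] (or ["token"]) without the matching authorization_code/implicit grant type still passes, as long as some other allowed grant type such as refresh_token is present, even though RFC 7591 §2.1 pairs the two values in both directions. Comparing the two memberships for equality closes the gap with a two-line change and leaves the error messages untouched: `if grant_types:contains("authorization_code") ~= response_types:contains("code") then` and `elseif grant_types:contains("implicit") ~= response_types:contains("token") then` (both sides come from the same contains method, so the comparison is consistent whether it yields true/false or true/nil). I cannot see from the hunk whether grant_types and response_types are defaulted earlier in the function when the client omits them (RFC 7591 defaults them to ["authorization_code"] and ["code"]); if they are not, set.new(nil) yields empty sets and every such client is rejected by the intersection checks on lines 20–23, which would be worth a comment or an explicit default before line 11. The enclosing function starts and ends outside the hunk.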