--- a/mod_http_oauth2/mod_http_oauth2.lua Sun Jun 25 23:53:15 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Mon Jun 26 00:19:05 2023 +0200
@@ -1018,10 +1018,6 @@
return nil, oauth_error("invalid_client_metadata", "No allowed 'response_types' specified");
end
- -- Ensure each signed client_id JWT is unique, short ID and issued at
- -- timestamp should be sufficient to rule out brute force attacks
- client_metadata.nonce = id.short();
-
-- Do we want to keep everything?
local client_id = sign_client(client_metadata);
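Review bot: With the nonce assignment removed here, `sign_client(client_metadata)` now runs before `client_metadata.nonce` is set (the second hunk assigns it only inside the `token_endpoint_auth_method ~= "none"` branch, after `client_id` already exists), so unless `sign_client` is called again further down, the nonce no longer enters the signed client_id JWT and only reaches `make_client_secret(client_id, client_metadata)`. The comment re-added in the second hunk, "Ensure that each client_id JWT with a client_secret is unique", therefore describes something the visible order does not do; either the nonce has to be generated before the `sign_client` call (e.g. `if client_metadata.token_endpoint_auth_method ~= "none" then client_metadata.nonce = id.short(); end` placed above it) or the comment should say what is actually made unique, e.g. `-- Per-registration nonce mixed into the derived client_secret so two registrations with identical metadata get different secrets.` Whether the uniqueness of the secret alone is sufficient depends on how `make_client_secret` uses the nonce, which is outside this diff. The enclosing function starts before the first hunk and continues past the last line shown.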
@@ -1029,7 +1025,14 @@
client_metadata.client_id_issued_at = os.time();
if client_metadata.token_endpoint_auth_method ~= "none" then
- local client_secret = make_client_secret(client_id);
+ -- Ensure that each client_id JWT with a client_secret is unique.
+ -- A short ID along with the issued at timestamp should be sufficient to
+ -- rule out brute force attacks.
+ -- Not needed for public clients without a secret, but those are expected
+ -- to be uncommon since they can only do the insecure implicit flow.
+ client_metadata.nonce = id.short();
+
+ local client_secret = make_client_secret(client_id, client_metadata);
client_metadata.client_secret = client_secret;
client_metadata.client_secret_expires_at = 0;