mod_http_oauth2: Strip unknown scopes from consent page
The scope string can be any arbitrary space-separated strings, so only the scopes and roles the module recognises should be shown on the consent page.
--- a/mod_http_oauth2/mod_http_oauth2.lua Sun May 07 20:24:18 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sun May 07 20:25:18 2023 +0200
@@ -651,7 +651,8 @@
return render_page(templates.login, { state = auth_state, client = client });
elseif auth_state.consent == nil then
-- Render consent page
- return render_page(templates.consent, { state = auth_state; client = client; scopes = parse_scopes(params.scope or "") }, true);
+ local scopes, roles = split_scopes(parse_scopes(params.scope or ""));
+ return render_page(templates.consent, { state = auth_state; client = client; scopes = scopes+roles }, true);
elseif not auth_state.consent then
-- Notify client of rejection
return error_response(request, oauth_error("access_denied"));
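Review bot: The consent page at the new render_page call now shows only the recognised scopes and roles, but nothing in this hunk narrows what is later granted, so if the grant path still uses the raw params.scope the user could consent to a subset of what the token actually receives; the filtered list should be the one carried into the grant, or the note should say it already is. `scopes+roles` also depends on both values being util.array instances whose `+` metamethod concatenates (presumably what split_scopes returns); a plain table there would raise an arithmetic error at runtime, and any further return values from split_scopes (an "unknown" list, if it returns one) are silently dropped. A short comment above the call such as `-- Only scopes/roles the module recognises are displayed; keep this in sync with what the grant actually issues` would make the intent of the stripping explicit. The enclosing handler starts before and ends after this hunk.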