--- a/mod_http_oauth2/mod_http_oauth2.lua Mon Dec 04 00:23:19 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Mon Dec 04 21:07:54 2023 +0100
@@ -1420,6 +1420,15 @@
return nil, oauth_error("invalid_client_metadata", "No allowed 'response_types' specified");
end
+ if client_metadata.token_endpoint_auth_method ~= "none" then
+ -- Ensure that each client_id JWT with a client_secret is unique.
+ -- A short ID along with the issued at timestamp should be sufficient to
+ -- rule out brute force attacks.
+ -- Not needed for public clients without a secret, but those are expected
+ -- to be uncommon since they can only do the insecure implicit flow.
+ client_metadata.nonce = id.short();
+ end
+
-- Do we want to keep everything?
local client_id = sign_client(client_metadata);
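Review bot: The comment moved into this hunk still says the short ID "along with the issued at timestamp" makes the signed client_id unique, but as of this hunk `client_metadata.nonce` is the only new field set before `sign_client(client_metadata)` on the last line; `client_metadata.client_id_issued_at = os.time()` is assigned only after signing (in the following hunk), so unless `sign_client` adds an `iat` claim itself, the timestamp is not part of the signed payload. Either set `client_id_issued_at` before the `sign_client` call so the comment holds, or trim the comment to what is true, e.g. `-- A short random ID per registration is enough to make the signed client_id, and hence the derived secret, unique.` The enclosing registration function starts before this hunk and continues past it, so the behaviour of `sign_client` cannot be confirmed from here.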
@@ -1427,14 +1436,7 @@
client_metadata.client_id_issued_at = os.time();
if client_metadata.token_endpoint_auth_method ~= "none" then
- -- Ensure that each client_id JWT with a client_secret is unique.
- -- A short ID along with the issued at timestamp should be sufficient to
- -- rule out brute force attacks.
- -- Not needed for public clients without a secret, but those are expected
- -- to be uncommon since they can only do the insecure implicit flow.
- client_metadata.nonce = id.short();
-
- local client_secret = make_client_secret(client_id, client_metadata);
+ local client_secret = make_client_secret(client_id);
client_metadata.client_secret = client_secret;
client_metadata.client_secret_expires_at = 0;