mod_http_oauth2: Always render errors as HTML for OOB redirect URI
No invalid or insecure redirect URIs should make it to this point, so
the warning can be removed.
--- a/mod_http_oauth2/mod_http_oauth2.lua Thu May 18 14:17:58 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Thu May 18 14:25:11 2023 +0200
@@ -180,10 +180,6 @@
local oob_uri = "urn:ietf:wg:oauth:2.0:oob";
local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" });
-local function is_secure_redirect(uri)
- local u = url.parse(uri);
- return u.scheme ~= "http" or loopbacks:contains(u.host);
-end
local function oauth_error(err_name, err_desc)
return errors.new({
@@ -607,8 +603,7 @@
-- the redirect_uri is missing or invalid. In those cases, we render an
-- error directly to the user-agent.
local function error_response(request, redirect_uri, err)
- if not redirect_uri or not is_secure_redirect(redirect_uri) then
- module:log("warn", "Missing or invalid redirect_uri %q, rendering error to user-agent", redirect_uri);
+ if not redirect_uri or redirect_uri == oob_uri then
return render_error(err);
end
local q = request.url.query and http.formdecode(request.url.query);