mod_http_oauth2: Validate (unused at this point) localized URIs
Client registration may include keys of the form "some_uri#lang-code"
pointing to alternate language versions of the various URIs. We don't
use these yet, but the same validation should apply.
--- a/mod_http_oauth2/mod_http_oauth2.lua Sat Apr 22 14:06:41 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sat Apr 22 14:02:56 2023 +0200
@@ -670,6 +670,7 @@
software_version = { type = "string" };
};
-- Localized versions of descriptive properties and URIs
+ patternProperties = { ["^[a-z_]+_uri#"] = { type = "string"; format = "uri"; pattern = "^https:" } };
additionalProperties = { type = "string" };
}
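Review bot: The schema key pattern `^[a-z_]+_uri#` on the added `patternProperties` line and the runtime loop in the second hunk (`k:find"_uri#"`) define "localized URI key" differently: the schema is anchored and limited to lowercase letters and underscores, while the loop matches `_uri#` anywhere in the key, so a key such as `x-custom_uri#en` is only string-typed by `additionalProperties` here yet still receives the https/same-host check below. That is safe in the strict direction, but one definition should be shared, e.g. a module-level `local localized_uri_key = "^[a-z_]+_uri#"` used by both the schema and the loop. Whether `format = "uri"` and `pattern` are enforced depends on the JSON schema implementation in use, and if `pattern` is applied as a Lua pattern rather than an ECMA regex, both patterns here happen to be valid in either dialect; a comment such as `-- keep these patterns valid both as Lua patterns and as ECMA regexes` would make that constraint explicit for future edits.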
@@ -706,6 +707,18 @@
end
end
+ -- Localized URIs should be secure too
+ for k, v in pairs(client_metadata) do
+ if k:find"_uri#" then
+ local uri = url.parse(v);
+ if not uri or uri.scheme ~= "https" then
+ return nil, oauth_error("invalid_request", "Missing, invalid or insecure "..k);
+ elseif uri.host ~= client_uri.host then
+ return nil, oauth_error("invalid_request", "All URIs must use the same hostname as client_uri");
+ end
+ end
+ end
+
-- Ensure each signed client_id JWT is unique, short ID and issued at
-- timestamp should be sufficient to rule out brute force attacks
client_metadata.nonce = id.short();
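Review bot: `url.parse(v)` on the added line `local uri = url.parse(v);` is applied to whatever value sits under a `*_uri#*` key, so this loop only behaves as intended if schema validation (which constrains those values to strings) has already run before it; if it has not, a non-string value raises here instead of yielding an `invalid_request` error. A one-line guard keeps the loop self-contained: `if type(v) ~= "string" then return nil, oauth_error("invalid_request", "Missing, invalid or insecure "..k); end` placed before the parse. The comparison `uri.host ~= client_uri.host` is byte-wise, so a mixed-case host in a localized URI is rejected even when it names the same host as client_uri; lowercasing both sides, or a comment stating that an exact-case match is intended, would avoid that surprise, and this presumably mirrors how the non-localized URIs are checked above the hunk, where `client_uri` appears to be defined. Because `pairs` order is unspecified, which offending key gets named in the error can differ between runs, which is worth a short comment if reproducible error messages matter to clients.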