Software /
code /
prosody-modules
Annotate
mod_http_oauth2/README.markdown @ 5416:2393dbae51ed
mod_http_oauth2: Add option for specifying TTL of registered clients
Meant to simplify configuration, since TTL vs ignoring expiration is
expected to be the main thing one would want to configure.
Unsure what the implications of having unlimited lifetime of clients
are, given no way to revoke them currently, short of rotating the
signing secret.
On one hand, it would be annoying to have the client expire.
On the other hand, it is trivial to re-register it.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 04 May 2023 18:41:33 +0200 |
parent | 5410:644b2f2b9b52 |
child | 5464:2a11f590c5c8 |
rev | line source |
---|---|
3903
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 --- |
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 labels: |
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 - Stage-Alpha |
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 summary: 'OAuth2 API' |
5212
3235b8bd1e55
mod_http_oauth2: Include html templates in package for plugin installer
Kim Alvefur <zash@zash.se>
parents:
5197
diff
changeset
|
5 rockspec: |
3235b8bd1e55
mod_http_oauth2: Include html templates in package for plugin installer
Kim Alvefur <zash@zash.se>
parents:
5197
diff
changeset
|
6 build: |
3235b8bd1e55
mod_http_oauth2: Include html templates in package for plugin installer
Kim Alvefur <zash@zash.se>
parents:
5197
diff
changeset
|
7 copy_directories: |
3235b8bd1e55
mod_http_oauth2: Include html templates in package for plugin installer
Kim Alvefur <zash@zash.se>
parents:
5197
diff
changeset
|
8 - html |
3903
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 ... |
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 |
5313
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
11 ## Introduction |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
12 |
5315
8501baa7ef3f
mod_http_oauth2/README: Link to OAuth and OIDC sites
Kim Alvefur <zash@zash.se>
parents:
5313
diff
changeset
|
13 This module implements an [OAuth2](https://oauth.net/2/)/[OpenID Connect |
8501baa7ef3f
mod_http_oauth2/README: Link to OAuth and OIDC sites
Kim Alvefur <zash@zash.se>
parents:
5313
diff
changeset
|
14 (OIDC)](https://openid.net/connect/) provider HTTP frontend on top of |
8501baa7ef3f
mod_http_oauth2/README: Link to OAuth and OIDC sites
Kim Alvefur <zash@zash.se>
parents:
5313
diff
changeset
|
15 Prosody's usual internal authentication backend. |
5313
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
16 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
17 OAuth and OIDC are web standards that allow you to provide clients and |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
18 third-party applications limited access to your account, without sharing your |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
19 password with them. |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
20 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
21 With this module deployed, software that supports OAuth can obtain "access |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
22 tokens" from Prosody which can then be used to connect to XMPP accounts using |
5316
4fc3277a914d
mod_http_oauth2/README: Link to mod_rest
Kim Alvefur <zash@zash.se>
parents:
5315
diff
changeset
|
23 the 'OAUTHBEARER' SASL mechanism or via non-XMPP interfaces such as [mod_rest]. |
5313
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
24 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
25 Although this module has been around for some time, it has recently been |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
26 significantly extended and largely rewritten to support OAuth/OIDC more fully. |
3903
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 |
5313
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
28 As of April 2023, it should be considered **alpha** stage. It works, we have |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
29 tested it, but it has not yet seen wider review, testing and deployment. At |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
30 this stage we recommend it for experimental and test deployments only. For |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
31 specific information, see the [deployment notes section](#deployment-notes) |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
32 below. |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
33 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
34 Known client implementations: |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
35 |
5328
dd8616e68cb3
mod_http_oauth2/README: Add rest.sh to known implementations
Kim Alvefur <zash@zash.se>
parents:
5316
diff
changeset
|
36 - [example shell script for mod_rest](https://hg.prosody.im/prosody-modules/file/tip/mod_rest/example/rest.sh) |
dd8616e68cb3
mod_http_oauth2/README: Add rest.sh to known implementations
Kim Alvefur <zash@zash.se>
parents:
5316
diff
changeset
|
37 - *(we need you!)* |
5313
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
38 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
39 Support for OAUTHBEARER has been added to the Lua XMPP library, [verse](https://code.matthewwild.co.uk/verse). |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
40 If you know of additional implementations, or are motivated to work on one, |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
41 please let us know! We'd be happy to help (e.g. by providing a test server). |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
42 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
43 ## Standards support |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
44 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
45 Notable supported standards: |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
46 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
47 - [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749) |
5410
644b2f2b9b52
mod_http_oauth2: Link to RFC 7009: OAuth 2.0 Token Revocation
Kim Alvefur <zash@zash.se>
parents:
5408
diff
changeset
|
48 - [RFC 7009: OAuth 2.0 Token Revocation](https://www.rfc-editor.org/rfc/rfc7009) |
5313
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
49 - [RFC 7628: A Set of Simple Authentication and Security Layer (SASL) Mechanisms for OAuth](https://www.rfc-editor.org/rfc/rfc7628) |
5383
df11a2cbc7b7
mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange
Kim Alvefur <zash@zash.se>
parents:
5328
diff
changeset
|
50 - [RFC 7636: Proof Key for Code Exchange by OAuth Public Clients](https://www.rfc-editor.org/rfc/rfc7636) |
5313
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
51 - [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
52 - [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html) & [RFC 7591: OAuth 2.0 Dynamic Client Registration](https://www.rfc-editor.org/rfc/rfc7591.html) |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
53 - [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html) |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
54 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
55 ## Configuration |
3903
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
56 |
5313
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
57 ### Interface |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
58 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
59 The module presents a web page to users to allow them to authenticate when |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
60 a client requests access. Built-in pages are provided, but you may also theme |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
61 or entirely override them. |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
62 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
63 This module honours the 'site_name' configuration option that is also used by |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
64 a number of other modules: |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
65 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
66 ```lua |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
67 site_name = "My XMPP Server" |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
68 ``` |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
69 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
70 To provide custom templates, specify the path to the template directory: |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
71 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
72 ```lua |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
73 oauth2_template_path = "/etc/prosody/custom-oauth2-templates" |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
74 ``` |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
75 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
76 Some templates support additional variables, that can be provided by the |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
77 'oauth2_template_style' option: |
3903
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
78 |
5313
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
79 ```lua |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
80 oauth2_template_style = { |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
81 background_colour = "#ffffff"; |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
82 } |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
83 ``` |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
84 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
85 ### Token parameters |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
86 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
87 The following options configure the lifetime of tokens issued by the module. |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
88 The defaults are recommended. |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
89 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
90 ```lua |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
91 oauth2_access_token_ttl = 86400 -- 24 hours |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
92 oauth2_refresh_token_ttl = nil -- unlimited unless revoked by the user |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
93 ``` |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
94 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
95 ### Dynamic client registration |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
96 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
97 To allow users to connect any compatible software, you should enable dynamic |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
98 client registration. |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
99 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
100 Dynamic client registration can be enabled by configuring a JWT key. Algorithm |
5416
2393dbae51ed
mod_http_oauth2: Add option for specifying TTL of registered clients
Kim Alvefur <zash@zash.se>
parents:
5410
diff
changeset
|
101 defaults to *HS256* lifetime defaults to forever. |
5197
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
102 |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
103 ```lua |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
104 oauth2_registration_key = "securely generated JWT key here" |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
105 oauth2_registration_algorithm = "HS256" |
5416
2393dbae51ed
mod_http_oauth2: Add option for specifying TTL of registered clients
Kim Alvefur <zash@zash.se>
parents:
5410
diff
changeset
|
106 oauth2_registration_ttl = nil -- unlimited by default |
5197
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
107 ``` |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
108 |
5313
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
109 ### Supported flows |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
110 |
5197
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
111 Various flows can be disabled and enabled with |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
112 `allowed_oauth2_grant_types` and `allowed_oauth2_response_types`: |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
113 |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
114 ```lua |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
115 allowed_oauth2_grant_types = { |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
116 "authorization_code"; -- authorization code grant |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
117 "password"; -- resource owner password grant |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
118 } |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
119 |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
120 allowed_oauth2_response_types = { |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
121 "code"; -- authorization code flow |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
122 -- "token"; -- implicit flow disabled by default |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
123 } |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
124 ``` |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4923
diff
changeset
|
125 |
5383
df11a2cbc7b7
mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange
Kim Alvefur <zash@zash.se>
parents:
5328
diff
changeset
|
126 The [Proof Key for Code Exchange][RFC 7636] mitigation method can be |
df11a2cbc7b7
mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange
Kim Alvefur <zash@zash.se>
parents:
5328
diff
changeset
|
127 made required: |
df11a2cbc7b7
mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange
Kim Alvefur <zash@zash.se>
parents:
5328
diff
changeset
|
128 |
df11a2cbc7b7
mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange
Kim Alvefur <zash@zash.se>
parents:
5328
diff
changeset
|
129 ```lua |
df11a2cbc7b7
mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange
Kim Alvefur <zash@zash.se>
parents:
5328
diff
changeset
|
130 oauth2_require_code_challenge = true |
df11a2cbc7b7
mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange
Kim Alvefur <zash@zash.se>
parents:
5328
diff
changeset
|
131 ``` |
df11a2cbc7b7
mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange
Kim Alvefur <zash@zash.se>
parents:
5328
diff
changeset
|
132 |
5384
b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
Kim Alvefur <zash@zash.se>
parents:
5383
diff
changeset
|
133 Further, individual challenge methods can be enabled or disabled: |
b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
Kim Alvefur <zash@zash.se>
parents:
5383
diff
changeset
|
134 |
b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
Kim Alvefur <zash@zash.se>
parents:
5383
diff
changeset
|
135 ```lua |
b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
Kim Alvefur <zash@zash.se>
parents:
5383
diff
changeset
|
136 allowed_oauth2_code_challenge_methods = { |
b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
Kim Alvefur <zash@zash.se>
parents:
5383
diff
changeset
|
137 "plain"; -- the insecure one |
b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
Kim Alvefur <zash@zash.se>
parents:
5383
diff
changeset
|
138 "S256"; |
b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
Kim Alvefur <zash@zash.se>
parents:
5383
diff
changeset
|
139 } |
b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
Kim Alvefur <zash@zash.se>
parents:
5383
diff
changeset
|
140 ``` |
b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
Kim Alvefur <zash@zash.se>
parents:
5383
diff
changeset
|
141 |
5408
3989c57cc551
mod_http_oauth2: Allow configuring links to policy and terms in metadata
Kim Alvefur <zash@zash.se>
parents:
5384
diff
changeset
|
142 ### Policy documents |
3989c57cc551
mod_http_oauth2: Allow configuring links to policy and terms in metadata
Kim Alvefur <zash@zash.se>
parents:
5384
diff
changeset
|
143 |
3989c57cc551
mod_http_oauth2: Allow configuring links to policy and terms in metadata
Kim Alvefur <zash@zash.se>
parents:
5384
diff
changeset
|
144 Links to Terms of Service and Service Policy documents can be advertised |
3989c57cc551
mod_http_oauth2: Allow configuring links to policy and terms in metadata
Kim Alvefur <zash@zash.se>
parents:
5384
diff
changeset
|
145 for use by OAuth clients: |
3989c57cc551
mod_http_oauth2: Allow configuring links to policy and terms in metadata
Kim Alvefur <zash@zash.se>
parents:
5384
diff
changeset
|
146 |
3989c57cc551
mod_http_oauth2: Allow configuring links to policy and terms in metadata
Kim Alvefur <zash@zash.se>
parents:
5384
diff
changeset
|
147 ```lua |
3989c57cc551
mod_http_oauth2: Allow configuring links to policy and terms in metadata
Kim Alvefur <zash@zash.se>
parents:
5384
diff
changeset
|
148 oauth2_terms_url = "https://example.com/terms-of-service.html" |
3989c57cc551
mod_http_oauth2: Allow configuring links to policy and terms in metadata
Kim Alvefur <zash@zash.se>
parents:
5384
diff
changeset
|
149 oauth2_policy_url = "https://example.com/service-policy.pdf" |
3989c57cc551
mod_http_oauth2: Allow configuring links to policy and terms in metadata
Kim Alvefur <zash@zash.se>
parents:
5384
diff
changeset
|
150 ``` |
3989c57cc551
mod_http_oauth2: Allow configuring links to policy and terms in metadata
Kim Alvefur <zash@zash.se>
parents:
5384
diff
changeset
|
151 |
5313
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
152 ## Deployment notes |
3903
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
153 |
5313
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
154 ### Access management |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
155 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
156 This module does not provide an interface for users to manage what they have |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
157 granted access to their account! (e.g. to view and revoke clients they have |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
158 previously authorized). It is recommended to join this module with |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
159 mod_client_management to provide such access. However, at the time of writing, |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
160 no XMPP clients currently support the protocol used by that module. We plan to |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
161 work on additional interfaces in the future. |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
162 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
163 ### Scopes |
3903
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
164 |
5313
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
165 OAuth supports "scopes" as a way to grant clients limited access. |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
166 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
167 There are currently no standard scopes defined for XMPP. This is something |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
168 that we intend to change, e.g. by definitions provided in a future XEP. This |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
169 means that clients you authorize currently have unrestricted access to your |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
170 account (including the ability to change your password and lock you out!). So, |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
171 for now, while using OAuth clients can prevent leaking your password to them, |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
172 it is not currently suitable for connecting untrusted clients to your account. |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
173 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
174 ## Compatibility |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
175 |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
176 Requires Prosody trunk (April 2023), **not** compatible with Prosody 0.12 or |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5212
diff
changeset
|
177 earlier. |