Software / code / prosody-modules
Annotate
mod_admin_blocklist/README.markdown @ 5193:2bb29ece216b
mod_http_oauth2: Implement stateless dynamic client registration
Replaces previous explicit registration that required either the
additional module mod_adhoc_oauth2_client or manually editing the
database. That method was enough to have something to test with, but
would not probably not scale easily.
Dynamic client registration allows creating clients on the fly, which
may be even easier in theory.
In order to not allow basically unauthenticated writes to the database,
we implement a stateless model here.
per_host_key := HMAC(config -> oauth2_registration_key, hostname)
client_id := JWT { client metadata } signed with per_host_key
client_secret := HMAC(per_host_key, client_id)
This should ensure everything we need to know is part of the client_id,
allowing redirects etc to be validated, and the client_secret can be
validated with only the client_id and the per_host_key.
A nonce injected into the client_id JWT should ensure nobody can submit
the same client metadata and retrieve the same client_secret
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 03 Mar 2023 21:14:19 +0100 |
| parent | 5017:96e83b4a93f7 |
| rev | line source |
|---|---|
| 1855 | 1 --- |
| 2 summary: Block s2s connections based on admin blocklists | |
| 3 ... | |
| 4 | |
| 5 This module uses the blocklists set by admins for blocking s2s | |
| 6 connections. | |
| 7 | |
|
2315
212564152060
mod_admin_blocklist/README: Autolinks!
Kim Alvefur <zash@zash.se>
parents:
2314
diff
changeset
|
8 So if an admin blocks a bare domain using [Blocking Command][xep191] |
|
2316
2a2de19413e7
mod_admin_blocklist/README: Turns out autolink.lua doesn't know about official modules
Kim Alvefur <zash@zash.se>
parents:
2315
diff
changeset
|
9 via [mod\_blocklist][doc:modules:mod_blocklist] then no s2s connections |
|
2a2de19413e7
mod_admin_blocklist/README: Turns out autolink.lua doesn't know about official modules
Kim Alvefur <zash@zash.se>
parents:
2315
diff
changeset
|
10 will be allowed to or from that domain. |
|
5017
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
2316
diff
changeset
|
11 |
|
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
2316
diff
changeset
|
12 # Configuring |
|
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
2316
diff
changeset
|
13 |
|
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
2316
diff
changeset
|
14 ## Prosody 0.12 |
|
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
2316
diff
changeset
|
15 |
|
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
2316
diff
changeset
|
16 Starting with Prosody 0.12, the role or roles that determine whether a |
|
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
2316
diff
changeset
|
17 particular users blocklist is used can be configured: |
|
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
2316
diff
changeset
|
18 |
|
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
2316
diff
changeset
|
19 ```lua |
|
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
2316
diff
changeset
|
20 -- This is the default: |
|
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
2316
diff
changeset
|
21 admin_blocklist_roles = { "prosody:operator", "prosody:admin" } |
|
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
2316
diff
changeset
|
22 ``` |
|
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
2316
diff
changeset
|
23 |
|
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
2316
diff
changeset
|
24 ## Prosody 0.11 |
|
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
2316
diff
changeset
|
25 |
|
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
2316
diff
changeset
|
26 In Prosody 0.11 the [`admins`][doc:admins] setting is used. |
