prosody-modules
2bb29ece216b
mod_auth_custom_http/README.markdown

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

Annotate

mod_auth_custom_http/README.markdown @ 5193:2bb29ece216b

mod_http_oauth2: Implement stateless dynamic client registration Replaces previous explicit registration that required either the additional module mod_adhoc_oauth2_client or manually editing the database. That method was enough to have something to test with, but would not probably not scale easily. Dynamic client registration allows creating clients on the fly, which may be even easier in theory. In order to not allow basically unauthenticated writes to the database, we implement a stateless model here. per_host_key := HMAC(config -> oauth2_registration_key, hostname) client_id := JWT { client metadata } signed with per_host_key client_secret := HMAC(per_host_key, client_id) This should ensure everything we need to know is part of the client_id, allowing redirects etc to be validated, and the client_secret can be validated with only the client_id and the per_host_key. A nonce injected into the client_id JWT should ensure nobody can submit the same client metadata and retrieve the same client_secret
author Kim Alvefur <zash@zash.se>
date Fri, 03 Mar 2023 21:14:19 +0100
parent 2868:f90cf59bee8e
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1934
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 ---
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 summary: HTTP Authentication using custom JSON protocol
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 ...
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 Introduction
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 ============
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 To authenticate users, this module does a `POST` request to a configured
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9 URL with a JSON payload. It is not async so requests block the server
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 until answered.
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12 Configuration
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 =============
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15 ``` lua
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 VirtualHost "example.com"
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17 authentication = "custom_http"
2868
f90cf59bee8e mod_auth_custom_http: fix documentation config example
Senya <senya@kinetiksoft.com>
parents: 1934
diff changeset
18 auth_custom_http = {
f90cf59bee8e mod_auth_custom_http: fix documentation config example
Senya <senya@kinetiksoft.com>
parents: 1934
diff changeset
19 post_url = "http://api.example.com/auth";
f90cf59bee8e mod_auth_custom_http: fix documentation config example
Senya <senya@kinetiksoft.com>
parents: 1934
diff changeset
20 }
1934
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21 ```
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23 Protocol
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 ========
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 The JSON payload consists of an object with `username` and `password`
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 members:
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29 {"username":"john","password":"secr1t"}
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31 The module expects the response body to be exactly `true` if the
6c569c481ffa mod_auth_custom_http: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32 username and password are correct.