Software /
code /
prosody-modules
Comparison
mod_auth_oauth_external/README.md @ 5345:3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Might not be supported by the backend but PLAIN is the lowest common
denominator, so not having it would lock out a lot of clients.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 16 Mar 2023 12:45:52 +0100 |
parent | 5344:0a6d2b79a8bf |
child | 5346:d9bc8712a745 |
comparison
equal
deleted
inserted
replaced
5344:0a6d2b79a8bf | 5345:3390bb2f9f6c |
---|---|
5 --- | 5 --- |
6 | 6 |
7 This module provides external authentication via an external [AOuth | 7 This module provides external authentication via an external [AOuth |
8 2](https://datatracker.ietf.org/doc/html/rfc7628) authorization server | 8 2](https://datatracker.ietf.org/doc/html/rfc7628) authorization server |
9 and supports the [SASL OAUTHBEARER authentication][rfc7628] | 9 and supports the [SASL OAUTHBEARER authentication][rfc7628] |
10 mechanism. | 10 mechanism as well as PLAIN for legacy clients (this is all of them). |
11 | 11 |
12 # How it works | 12 # How it works |
13 | 13 |
14 Clients retrieve tokens somehow, then show them to Prosody, which asks | 14 Clients retrieve tokens somehow, then show them to Prosody, which asks |
15 the Authorization server to validate them, returning info about the user | 15 the Authorization server to validate them, returning info about the user |
16 back to Prosody. | 16 back to Prosody. |
17 | |
18 Alternatively for legacy clients, Prosody receives the users username | |
19 and password and retrieves a token itself, then proceeds as above. | |
17 | 20 |
18 # Configuration | 21 # Configuration |
19 | 22 |
20 `oauth_external_discovery_url` | 23 `oauth_external_discovery_url` |
21 : Optional URL string pointing to [OAuth 2.0 Authorization Server | 24 : Optional URL string pointing to [OAuth 2.0 Authorization Server |
33 `oauth_external_username_field` | 36 `oauth_external_username_field` |
34 : String. Default is `"preferred_username"`. Field in the JSON | 37 : String. Default is `"preferred_username"`. Field in the JSON |
35 structure returned by the validation endpoint that contains the XMPP | 38 structure returned by the validation endpoint that contains the XMPP |
36 localpart. | 39 localpart. |
37 | 40 |
41 ## For SASL PLAIN | |
42 | |
43 `oauth_external_resource_owner_password` | |
44 : Boolean. Defaults to `true`. Whether to allow the *insecure* | |
45 resource owner password grant and SASL PLAIN. | |
46 | |
47 `oauth_external_token_endpoint` | |
48 : URL string. OAuth 2 [Token | |
49 Endpoint](https://www.rfc-editor.org/rfc/rfc6749#section-3.2) used | |
50 to retrieve token in order to then retrieve the username. | |
51 | |
52 `oauth_external_client_id` | |
53 : String. Client ID used to identify Prosody during the resource owner | |
54 password grant. | |
55 | |
38 # Compatibility | 56 # Compatibility |
39 | 57 |
40 Version Status | 58 Version Status |
41 --------- --------------- | 59 --------- --------------- |
42 trunk works | 60 trunk works |