Comparison

mod_http_oauth2/README.markdown @ 5882:761142ee0ff2

mod_http_oauth2: Reflect changes to defaults etc - Resource owner password grant was disabled by default - Tokens now include a hash of client_id making it possible to be reasonable sure that they were issued to a particular client
author Kim Alvefur <zash@zash.se>
date Tue, 05 Mar 2024 00:32:00 +0100
parent 5739:426c42c11f89
comparison
equal deleted inserted replaced
5881:ff90dad75352 5882:761142ee0ff2
100 100
101 To allow users to connect any compatible software, you should enable dynamic 101 To allow users to connect any compatible software, you should enable dynamic
102 client registration. 102 client registration.
103 103
104 Dynamic client registration can be enabled by configuring a JWT key. Algorithm 104 Dynamic client registration can be enabled by configuring a JWT key. Algorithm
105 defaults to *HS256* lifetime defaults to forever. 105 defaults to *HS256*, lifetime defaults to forever.
106 106
107 ```lua 107 ```lua
108 oauth2_registration_key = "securely generated JWT key here" 108 oauth2_registration_key = "securely generated JWT key here"
109 oauth2_registration_algorithm = "HS256" 109 oauth2_registration_algorithm = "HS256"
110 oauth2_registration_ttl = nil -- unlimited by default 110 oauth2_registration_ttl = nil -- unlimited by default
200 200
201 ### Supported flows 201 ### Supported flows
202 202
203 - Authorization Code grant, optionally with Proof Key for Code Exchange 203 - Authorization Code grant, optionally with Proof Key for Code Exchange
204 - Device Authorization Grant 204 - Device Authorization Grant
205 - Resource owner password grant *(likely to be phased out in the future)* 205 - Resource owner password grant *(disabled by default)*
206 - Implicit flow *(disabled by default)* 206 - Implicit flow *(disabled by default)*
207 - Refresh Token grants 207 - Refresh Token grants
208 208
209 Various flows can be disabled and enabled with 209 Various flows can be disabled and enabled with
210 `allowed_oauth2_grant_types` and `allowed_oauth2_response_types`: 210 `allowed_oauth2_grant_types` and `allowed_oauth2_response_types`:
212 ```lua 212 ```lua
213 -- These examples reflect the defaults 213 -- These examples reflect the defaults
214 allowed_oauth2_grant_types = { 214 allowed_oauth2_grant_types = {
215 "authorization_code"; -- authorization code grant 215 "authorization_code"; -- authorization code grant
216 "device_code"; 216 "device_code";
217 "password"; -- resource owner password grant 217 -- "password"; -- resource owner password grant disabled by default
218 } 218 }
219 219
220 allowed_oauth2_response_types = { 220 allowed_oauth2_response_types = {
221 "code"; -- authorization code flow 221 "code"; -- authorization code flow
222 -- "token"; -- implicit flow disabled by default 222 -- "token"; -- implicit flow disabled by default