Diff

mod_http_oauth2/README.markdown @ 5467:1c78a97a1091

mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role

This will be the first step towards defining a standard set of XMPP scopes. "xmpp" behaves as an alias for the user's default role, so that the client does not need to know about the various prosody:* roles.
author Kim Alvefur <zash@zash.se>
date Wed, 17 May 2023 19:40:27 +0200
parent 5465:66e13e79928b
child 5493:cae3bb3dd45f
--- a/mod_http_oauth2/README.markdown	Wed May 17 18:49:22 2023 +0200
+++ b/mod_http_oauth2/README.markdown	Wed May 17 19:40:27 2023 +0200
@@ -165,12 +165,22 @@
 
 OAuth supports "scopes" as a way to grant clients limited access.
 
-There are currently no standard scopes defined for XMPP. This is something
-that we intend to change, e.g. by definitions provided in a future XEP. This
-means that clients you authorize currently have unrestricted access to your
-account (including the ability to change your password and lock you out!). So,
-for now, while using OAuth clients can prevent leaking your password to them,
-it is not currently suitable for connecting untrusted clients to your account.
+There are currently no standard scopes defined for XMPP. This is
+something that we intend to change, e.g. by definitions provided in a
+future XEP. This means that clients you authorize currently have to
+choose between unrestricted access to your account (including the
+ability to change your password and lock you out!) and zero access. So,
+for now, while using OAuth clients can prevent leaking your password to
+them, it is not currently suitable for connecting untrusted clients to
+your account.
+
+As a first step, the `xmpp` scope is supported, and corresponds to
+whatever permissions the user would have when logged in over XMPP.
+
+Further, known Prosody roles can be used as scopes.
+
+OpenID scopes such as `openid` and `profile` can be used for "Login
+with XMPP" without granting access to more than limited profile details.
 
 ## Compatibility
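Review bot: The reworded warning says authorized clients "have to choose between unrestricted access ... and zero access", yet the three paragraphs added directly below it describe middle ground (Prosody roles as scopes, and `openid`/`profile` limited to "limited profile details"), so the section now contradicts itself. Suggest tying the warning to the `xmpp` scope specifically and stating whether `xmpp` includes the ability to change the password and lock the user out, since "whatever permissions the user would have when logged in over XMPP" leaves the reader to infer that. The sentence "Further, known Prosody roles can be used as scopes." would also benefit from at least one example role name and a note on what happens when a client requests a role the user does not hold, because that is the case a reader deciding whether to authorize an untrusted client needs answered.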