mod_http_oauth2/README.markdown @ 5739:426c42c11f89

mod_http_oauth2: Make defaults more secure

This should be fine since we don't have a lot of clients to be backwards-compatible with.
author Kim Alvefur <zash@zash.se>
date Tue, 14 Nov 2023 23:19:19 +0100
parent 5703:b43c989fb69c
child 5882:761142ee0ff2
--- a/mod_http_oauth2/README.markdown	Tue Nov 14 23:03:37 2023 +0100
+++ b/mod_http_oauth2/README.markdown	Tue Nov 14 23:19:19 2023 +0100
@@ -224,10 +224,10 @@
 ```
 
 The [Proof Key for Code Exchange][RFC 7636] mitigation method is
-optional by default but can be made required:
+required by default but can be made optional:
 
 ```lua
-oauth2_require_code_challenge = true -- default is false
+oauth2_require_code_challenge = false -- default is true
 ```
 
 Further, individual challenge methods can be enabled or disabled:
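Review bot: The README now documents `oauth2_require_code_challenge` as defaulting to `true`, but this hunk only touches the documentation; the corresponding default in the module itself is not part of this diff, so please make sure the code change landed alongside it (or reference the revision that did), otherwise the README and the module will disagree about the default. Also, since the example under "can be made optional" now shows `oauth2_require_code_challenge = false`, a short sentence about what that gives up would help operators decide: without the [RFC 7636] code challenge, the authorization code alone is enough to complete the exchange, so the line should read as an explicit opt-out for legacy clients rather than a neutral alternative.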
@@ -235,7 +235,7 @@
 ```lua
 -- These reflects the default
 allowed_oauth2_code_challenge_methods = {
-    "plain"; -- the insecure one
+    -- "plain"; -- insecure but backwards-compatible
     "S256";
 }
 ```
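Review bot: The unchanged context line `-- These reflects the default` has a grammar slip; since this hunk is already editing the block, consider changing it to `-- This reflects the default`. On the substance, commenting out `"plain"` means the documented default now rejects any client that sends `code_challenge_method=plain`, and only `S256` is accepted; it would be worth stating that directly below the block, together with the note that `plain` should only be re-enabled for specific clients that cannot compute the SHA-256 challenge, which matches the "insecure but backwards-compatible" comment you added on the same line.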