File: mod_tcpproxy/web/demo.html @ 5705:527c747711f3
mod_http_oauth2: Limit revocation to clients' own tokens in strict mode
RFC 7009 section 2.1 states:
> The authorization server first validates the client credentials (in
> case of a confidential client) and then verifies whether the token was
> issued to the client making the revocation request. If this
> validation fails, the request is refused and the client is informed of
> the error by the authorization server as described below.
The first part was already covered (in strict mode). This adds the latter
part using the hash of client_id recorded in 0860497152af.

It still seems weird to me that revoking a leaked token should not be
allowed by whoever might have discovered it, as that seems the responsible
thing to do.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 29 Oct 2023 11:30:49 +0100 |
| parent | 1343:7dbde05b48a9 |
line source
<html>
  <head>
    <script type="text/javascript" src="xmpp.io.js"></script>
    <script type="text/javascript" src="strophe.js"></script>
    <script type="text/javascript" src="src/jquery-1.4.2.min.js"></script>
    <script type="text/javascript">
      // Called by Strophe on every connection state change; log the actual
      // status (the original logged the CONNECTED constant instead).
      function handle_connection_status(status, err) {
        console.log("XMPP status: " + status + (err ? " (" + err + ")" : ""));
        if (status == Strophe.Status.CONNECTED) {
          // Open a TCP stream to example.com:80 through the tcp.localhost
          // component and send a plain HTTP/1.0 request over it.
          var conn = new XMPPIO(xmppconn, "tcp.localhost");
          conn.addListener("connect", function () {
            var req = "GET / HTTP/1.0\r\nHost: example.com\r\n\r\n";
            console.log("Sending request: " + req);
            conn.write(req);
          });
          conn.addListener("data", function (data) {
            // Render each chunk as text, not HTML, so the remote response
            // cannot inject markup into the page.
            $("<div/>").text(data).appendTo("body");
          });
          console.log("Connecting to example.com:80...");
          conn.connect("example.com", 80);
        }
      }
      // Anonymous BOSH session to the local server; the status callback above
      // drives the proxied connection once it reports CONNECTED.
      var xmppconn = new Strophe.Connection("/http-bind");
      xmppconn.connect("anon.localhost", null, handle_connection_status, 50);
    </script>
  </head>
  <body>
  </body>
</html>