Software /
code /
prosody-modules
File
mod_auth_http_cookie/README.markdown @ 5624:d8622797e315
mod_http_oauth2: Shorten default token validity periods
With refresh tokens, short lifetime for access tokens is not a problem.
The arbitrary choice of one hour seems reasonable. RFC 6749 has it as
example value.
One week for refresh tokens matching the default archive retention
period. This means that a client that remains unused for one week will
have to sign in again. An actively used client will continually push
that forward with each used refresh token.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Mon, 24 Jul 2023 01:30:14 +0200 |
parent | 3037:bae7b0a002ef |
line wrap: on
line source
--- labels: - Stage-Alpha ... Introduction ============ This is an experimental authentication module that does an asynchronous HTTP call to verify username and password. This is a (possibly temporary) fork of mod_http_auth_async that adds support for authentication using a cookie and SASL EXTERNAL. Details ======= When a user attempts to authenticate to Prosody, this module takes the username and password and does a HTTP GET request with [Basic authentication][rfc7617] to the configured `http_auth_url`. Configuration ============= ``` lua VirtualHost "example.com" authentication = "http_auth_cookie" http_auth_url = "http://example.com/auth" http_cookie_auth_url = "https://example.com/testcookie.php?user=$user" ``` Cookie Authentication ===================== It is possible to link authentication to an existing web application. This has the benefit that the user logging into the web application in their browser will automatically log them into their XMPP account. There are some prerequisites for this to work: - The BOSH or Websocket requests must include the application's cookie in the headers sent to Prosody. This typically means the web chat code needs to be served from the same domain as the web application. - The web application must have a URL that returns 200 OK when called with a valid cookie, and returns a different status code if the cookie is invalid or not currently logged in. - The XMPP username for the user must be passed to Prosody by the client, or returned in the 200 response from the web application. Set `http_cookie_auth_url` to the web application URL that is used to check the cookie. You may use the variables `$host` for the XMPP host and `$user` for the XMPP username. If the `$user` variable is included in the URL, the client must provide the username via the "authzid" in the SASL EXTERNAL authentication mechanism. If the `$user` variable is *not* included in the URL, Prosody expects the web application's response to be the username instead, as UTF-8 text/plain. Compatibility ============= Requires Prosody trunk