File

mod_cloud_notify: Update Readme diff --git a/mod_cloud_notify/README.md b/mod_cloud_notify/README.md --- a/mod_cloud_notify/README.md +++ b/mod_cloud_notify/README.md @@ -1,109 +1,106 @@ ---- -labels: -- 'Stage-Beta' -summary: 'XEP-0357: Cloud push notifications' ---- +# Introduction -Introduction -============ +This module enables support for sending "push notifications" to clients +that need it, typically those running on certain mobile devices. -This module enables support for sending "push notifications" to clients that -need it, typically those running on certain mobile devices. +As well as this module, your client must support push notifications (the +apps that need it generally do, of course) and the app developer's push +gateway must be reachable from your Prosody server (this happens over a +normal XMPP server-to-server 's2s' connection). -As well as this module, your client must support push notifications (the apps -that need it generally do, of course) and the app developer's push gateway -must be reachable from your Prosody server (this happens over a normal XMPP -server-to-server 's2s' connection). - -Details -======= +# Details Some platforms, notably Apple's iOS and many versions of Android, impose -limits that prevent applications from running or accessing the network in the -background. This makes it difficult or impossible for an XMPP application to -remain reliably connected to a server to receive messages. - -In order for messaging and other apps to receive notifications, the OS vendors -run proprietary servers that their OS maintains a permanent connection to in -the background. Then they provide APIs to application developers that allow -sending notifications to specific devices via those servers. +limits that prevent applications from running or accessing the network +in the background. This makes it difficult or impossible for an XMPP +application to remain reliably connected to a server to receive +messages. -When you connect to your server with an app that requires push notifications, -it will use this module to set up a "push registration". When you receive -a message but your device is not connected to the server, this module will -generate a notification and send it to the push gateway operated by your -application's developers). Their gateway will then connect to your device's -OS vendor and ask them to forward the notification to your device. When your -device receives the notification, it will display it or wake up the app so it -can connect to XMPP and receive any pending messages. +In order for messaging and other apps to receive notifications, the OS +vendors run proprietary servers that their OS maintains a permanent +connection to in the background. Then they provide APIs to application +developers that allow sending notifications to specific devices via +those servers. -This protocol is described for developers in [XEP-0357: Push Notifications]. +When you connect to your server with an app that requires push +notifications, it will use this module to set up a "push registration". +When you receive a message but your device is not connected to the +server, this module will generate a notification and send it to the push +gateway operated by your application's developers). Their gateway will +then connect to your device's OS vendor and ask them to forward the +notification to your device. When your device receives the notification, +it will display it or wake up the app so it can connect to XMPP and +receive any pending messages. -For this module to work reliably, you must have [mod_smacks], [mod_mam] and -[mod_carbons] also enabled on your server. +This protocol is described for developers in \[XEP-0357: Push +Notifications\]. + +For this module to work reliably, you must have \[mod_smacks\], +\[mod_mam\] and \[mod_carbons\] also enabled on your server. -Some clients, notably Siskin and Snikket iOS need some additional extensions -that are not currently defined in a standard XEP. To support these clients, -see [mod_cloud_notify_extensions]. +Some clients, notably Siskin and Snikket iOS need some additional +extensions that are not currently defined in a standard XEP. To support +these clients, see \[mod_cloud_notify_extensions\]. -Configuration -============= +# Configuration - Option Default Description - ------------------------------------ ----------------- ------------------------------------------------------------------------------------------------------------------- - `push_notification_important_body` `New Message!` The body text to use when the stanza is important (see above), no message body is sent if this is empty - `push_max_errors` `16` How much persistent push errors are tolerated before notifications for the identifier in question are disabled - `push_max_devices` `5` The number of allowed devices per user (the oldest devices are automatically removed if this threshold is reached) - `push_max_hibernation_timeout` `259200` (72h) Number of seconds to extend the smacks timeout if no push was triggered yet (default: 72 hours) - `push_notification_with_body` (\*) `false` Whether or not to send the real message body to remote pubsub node. Without end-to-end encryption, enabling this may expose your message contents to your client developers and OS vendor. Not recommended. - `push_notification_with_sender` (\*) `false` Whether or not to send the real message sender to remote pubsub node. Enabling this may expose your contacts to your client developers and OS vendor. Not recommended. + Option Default Description + -------------------------------------- ---------------- ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + `push_notification_important_body` `New Message!` The body text to use when the stanza is important (see above), no message body is sent if this is empty + `push_max_errors` `16` How much persistent push errors are tolerated before notifications for the identifier in question are disabled + `push_max_devices` `5` The number of allowed devices per user (the oldest devices are automatically removed if this threshold is reached) + `push_max_hibernation_timeout` `259200` (72h) Number of seconds to extend the smacks timeout if no push was triggered yet (default: 72 hours) + `push_notification_with_body` (\*) `false` Whether or not to send the real message body to remote pubsub node. Without end-to-end encryption, enabling this may expose your message contents to your client developers and OS vendor. Not recommended. + `push_notification_with_sender` (\*) `false` Whether or not to send the real message sender to remote pubsub node. Enabling this may expose your contacts to your client developers and OS vendor. Not recommended. -(\*) There are privacy implications for enabling these options. +(\*) There are privacy implications for enabling these options.[^1] -Internal design notes -===================== +# Internal design notes -App servers are notified about offline messages, messages stored by [mod_mam] -or messages waiting in the smacks queue. -The business rules outlined [here](//mail.jabber.org/pipermail/standards/2016-February/030925.html) are all honored[^2]. +App servers are notified about offline messages, messages stored by +\[mod_mam\] or messages waiting in the smacks queue. The business rules +outlined +[here](//mail.jabber.org/pipermail/standards/2016-February/030925.html) +are all honored[^2]. -To cooperate with [mod_smacks] this module consumes some events: -`smacks-ack-delayed`, `smacks-hibernation-start` and `smacks-hibernation-end`. -These events allow this module to send out notifications for messages received -while the session is hibernated by [mod_smacks] or even when smacks -acknowledgements for messages are delayed by a certain amount of seconds -configurable with the [mod_smacks] setting `smacks_max_ack_delay`. +To cooperate with \[mod_smacks\] this module consumes some events: +`smacks-ack-delayed`, `smacks-hibernation-start` and +`smacks-hibernation-end`. These events allow this module to send out +notifications for messages received while the session is hibernated by +\[mod_smacks\] or even when smacks acknowledgements for messages are +delayed by a certain amount of seconds configurable with the +\[mod_smacks\] setting `smacks_max_ack_delay`. -The `smacks_max_ack_delay` setting allows to send out notifications to clients -which aren't already in smacks hibernation state (because the read timeout or -connection close didn't already happen) but also aren't responding to acknowledgement -request in a timely manner. This setting thus allows conversations to be smoother -under such circumstances. +The `smacks_max_ack_delay` setting allows to send out notifications to +clients which aren't already in smacks hibernation state (because the +read timeout or connection close didn't already happen) but also aren't +responding to acknowledgement request in a timely manner. This setting +thus allows conversations to be smoother under such circumstances. -The new event `cloud-notify-ping` can be used by any module to send out a cloud -notification to either all registered endpoints for the given user or only the endpoints -given in the event data. +The new event `cloud-notify-ping` can be used by any module to send out +a cloud notification to either all registered endpoints for the given +user or only the endpoints given in the event data. -The config setting `push_notification_important_body` can be used to specify an alternative -body text to send to the remote pubsub node if the stanza is encrypted or has a body. -This way the real contents of the message aren't revealed to the push appserver but it -can still see that the push is important. -This is used by Chatsecure on iOS to send out high priority pushes in those cases for example. +The config setting `push_notification_important_body` can be used to +specify an alternative body text to send to the remote pubsub node if +the stanza is encrypted or has a body. This way the real contents of the +message aren't revealed to the push appserver but it can still see that +the push is important. This is used by Chatsecure on iOS to send out +high priority pushes in those cases for example. -Compatibility -============= - -**Note:** This module should be used with Lua 5.2 and higher. Using it with -Lua 5.1 may cause push notifications to not be sent to some clients. +# Compatibility ------- ----------------------------------------------------------------------------- - trunk Works - 0.12 Works - 0.11 Works - 0.10 Works - 0.9 Support dropped, use last supported version [675726ab06d3](//hg.prosody.im/prosody-modules/raw-file/675726ab06d3/mod_cloud_notify/mod_cloud_notify.lua) ------- ----------------------------------------------------------------------------- +**Note:** This module should be used with Lua 5.2 and higher. Using it +with Lua 5.1 may cause push notifications to not be sent to some +clients. + ------- ----------------------------------------------------------------- + trunk Works as of 25-06-13 + 13 Works + 0.12 Works + ------- ----------------------------------------------------------------- -[^1]: The service which is expected to forward notifications to something like Google Cloud Messaging or Apple Notification Service -[^2]: [business_rules.markdown](//hg.prosody.im/prosody-modules/file/tip/mod_cloud_notify/business_rules.markdown) +[^1]: The service which is expected to forward notifications to + something like Google Cloud Messaging or Apple Notification Service + +[^2]: [business_rules.md](//hg.prosody.im/prosody-modules/file/tip/mod_cloud_notify/business_rules.md)

---
labels:
- Stage-Alpha
rockspec:
  build:
    copy_directories:
    - html
summary: OAuth 2.0 Authorization Server API
---

## Introduction

This module implements an [OAuth2](https://oauth.net/2/)/[OpenID Connect
(OIDC)](https://openid.net/connect/) Authorization Server on top of
Prosody's usual internal authentication backend.

OAuth and OIDC are web standards that allow you to provide clients and
third-party applications limited access to your account, without sharing your
password with them.

With this module deployed, software that supports OAuth can obtain
"access tokens" from Prosody which can then be used to connect to XMPP
accounts using the [OAUTHBEARER SASL mechanism][rfc7628] or via non-XMPP
interfaces such as [mod_rest].

Although this module has been around for some time, it has recently been
significantly extended and largely rewritten to support OAuth/OIDC more fully.

As of April 2023, it should be considered **alpha** stage. It works, we have
tested it, but it has not yet seen wider review, testing and deployment. At
this stage we recommend it for experimental and test deployments only. For
specific information, see the [deployment notes section](#deployment-notes)
below.

Known client implementations:

-   [example shell script for mod_rest](https://hg.prosody.im/prosody-modules/file/tip/mod_rest/example/rest.sh)
-   *(we need you!)*

Support for [OAUTHBEARER][rfc7628] has been added to the Lua XMPP
library, [verse](https://code.matthewwild.co.uk/verse).  If you know of
additional implementations, or are motivated to work on one, please let
us know! We'd be happy to help (e.g. by providing a test server).

## Standards support

Notable supported standards:

- [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749)
- [RFC 7009: OAuth 2.0 Token Revocation](https://www.rfc-editor.org/rfc/rfc7009)
- [RFC 7591: OAuth 2.0 Dynamic Client Registration](https://www.rfc-editor.org/rfc/rfc7591.html)
- [RFC 7628: A Set of Simple Authentication and Security Layer (SASL) Mechanisms for OAuth](https://www.rfc-editor.org/rfc/rfc7628)
- [RFC 7636: Proof Key for Code Exchange by OAuth Public Clients](https://www.rfc-editor.org/rfc/rfc7636)
- [RFC 7662: OAuth 2.0 Token Introspection](https://www.rfc-editor.org/rfc/rfc7662)
- [RFC 8628: OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628)
- [RFC 9207: OAuth 2.0 Authorization Server Issuer Identification](https://www.rfc-editor.org/rfc/rfc9207.html)
- [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html)
- [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html) (_partial, e.g. missing JWKS_)
- [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html)

## Configuration

### Interface

The module presents a web page to users to allow them to authenticate when
a client requests access. Built-in pages are provided, but you may also theme
or entirely override them.

This module honours the `site_name` configuration option that is also used by
a number of other modules:

```lua
site_name = "My XMPP Server"
```

To provide custom templates, specify the path to the template directory:

```lua
oauth2_template_path = "/etc/prosody/custom-oauth2-templates"
```

If you know what features your templates use use you can adjust the
`Content-Security-Policy` header to only allow what is needed:

```lua
oauth2_security_policy = "default-src 'self'" -- this is the default
```

For the Resource Owner Password Grant the `username` is expected to be the only
localpart by default.  If the OAuth client includes the domainpart in the
`username` it submits (e.g. user@example.org instead of just user), set this to
`true`. Note that this requires all clients to follow this format.

```lua
oauth2_expect_username_jid = false
```

### Token parameters

The following options configure the lifetime of tokens issued by the module.
The defaults are recommended.

```lua
oauth2_access_token_ttl = 3600 -- one hour
oauth2_refresh_token_ttl = 604800 -- one week
```

### Dynamic client registration

To allow users to connect any compatible software, you should enable dynamic
client registration.

Dynamic client registration can be enabled by configuring a JWT key. Algorithm
defaults to *HS256*, lifetime defaults to forever.

```lua
oauth2_registration_key = "securely generated JWT key here"
oauth2_registration_algorithm = "HS256"
oauth2_registration_ttl = nil -- unlimited by default
```

Registering a client is described in
[RFC7591](https://www.rfc-editor.org/rfc/rfc7591.html).

In addition to the requirements in the RFC, the following requirements
are enforced:

`client_name`
:   **MUST** be present, is shown to users in consent screen.

`client_uri`
:   **MUST** be present and **MUST** be a `https://` URL.

`redirect_uris`

:   **MUST** contain at least one valid URI. Different rules apply
    depending on the value of `application_type`, see below.

`application_type`

:   Optional, defaults to `web`. Determines further restrictions for
    `redirect_uris`. The following values are supported:

    `web` *(default)*
    :   For web clients. With this, `redirect_uris` **MUST** be
        `https://` URIs and **MUST** use the same hostname part as the
        `client_uri`.

    `native`
    :   For native e.g. desktop clients etc. `redirect_uris` **MUST**
        match one of:

        -   Loopback HTTP URI, e.g. `http://127.0.0.1/` or
            `http://[::1]`
        -   Application-specific scheme, e.g. `com.example.app:/`
        -   The special OOB URI `urn:ietf:wg:oauth:2.0:oob`

`tos_uri`, `policy_uri`
:   Informative URLs pointing to Terms of Service and Service Policy
    document **MUST** use the same scheme (i.e. `https://`) and hostname
    as the `client_uri`.

#### Registration Examples

In short registration works by POST-ing a JSON structure describing your
client to an endpoint:

``` bash
curl -sSf https://xmpp.example.net/oauth2/register \
    -H Content-Type:application/json \
    -H Accept:application/json \
    --data '
{
   "client_name" : "My Application",
   "client_uri" : "https://app.example.com/",
   "redirect_uris" : [
      "https://app.example.com/redirect"
   ]
}
'
```

Another example with more fields:

``` bash
curl -sSf https://xmpp.example.net/oauth2/register \
    -H Content-Type:application/json \
    -H Accept:application/json \
    --data '
{
   "application_type" : "native",
   "client_name" : "Desktop Chat App",
   "client_uri" : "https://app.example.org/",
   "contacts" : [
      "support@example.org"
   ],
   "policy_uri" : "https://app.example.org/about/privacy",
   "redirect_uris" : [
      "http://localhost:8080/redirect",
      "org.example.app:/redirect"
   ],
   "scope" : "xmpp",
   "software_id" : "32a0a8f3-4016-5478-905a-c373156eca73",
   "software_version" : "3.4.1",
   "tos_uri" : "https://app.example.org/about/terms"
}
'
```

### Supported flows

-   Authorization Code grant, optionally with Proof Key for Code Exchange
-   Device Authorization Grant
-   Resource owner password grant *(disabled by default)*
-   Implicit flow *(disabled by default)*
-   Refresh Token grants

Various flows can be disabled and enabled with
`allowed_oauth2_grant_types` and `allowed_oauth2_response_types`:

```lua
-- These examples reflect the defaults
allowed_oauth2_grant_types = {
	"authorization_code"; -- authorization code grant
	"device_code";
	-- "password"; -- resource owner password grant disabled by default
}

allowed_oauth2_response_types = {
	"code"; -- authorization code flow
    -- "token"; -- implicit flow disabled by default
}
```

The [Proof Key for Code Exchange][RFC 7636] mitigation method is
required by default but can be made optional:

```lua
oauth2_require_code_challenge = false -- default is true
```

Further, individual challenge methods can be enabled or disabled:

```lua
-- These reflects the default
allowed_oauth2_code_challenge_methods = {
    -- "plain"; -- insecure but backwards-compatible
    "S256";
}
```

### Policy documents

Links to Terms of Service and Service Policy documents can be advertised
for use by OAuth clients:

```lua
oauth2_terms_url = "https://example.com/terms-of-service.html"
oauth2_policy_url = "https://example.com/service-policy.pdf"
-- These are unset by default
```

## Deployment notes

### Access management

This module does not provide an interface for users to manage what they have
granted access to their account! (e.g. to view and revoke clients they have
previously authorized). It is recommended to join this module with
[mod_client_management] to provide such access. However, at the time of writing,
no XMPP clients currently support the protocol used by that module. We plan to
work on additional interfaces in the future.

### Scopes

OAuth supports "scopes" as a way to grant clients limited access.

There are currently no standard scopes defined for XMPP. This is
something that we intend to change, e.g. by definitions provided in a
future XEP. This means that clients you authorize currently have to
choose between unrestricted access to your account (including the
ability to change your password and lock you out!) and zero access. So,
for now, while using OAuth clients can prevent leaking your password to
them, it is not currently suitable for connecting untrusted clients to
your account.

As a first step, the `xmpp` scope is supported, and corresponds to
whatever permissions the user would have when logged in over XMPP.

Further, known Prosody roles can be used as scopes.

OpenID scopes such as `openid` and `profile` can be used for "Login
with XMPP" without granting access to more than limited profile details.

## Compatibility

Requires Prosody trunk (April 2023), **not** compatible with Prosody 0.12 or
earlier.