# HG changeset patch
# User Kim Alvefur
# Date 1749326538 -7200
# Node ID 7cf1fcac9b94a49ff5c66a2d1de12322ba07001f
# Parent 5955ec5c173e4168a1a0953b72e4d4baf2bae9df
mod_http_oauth2: Reorder metadata by source
Following the order in which field are described in each specification. Also fills in `nil` fields that are defined but not used in this module. Tweaks some values to reflect current behavior.
diff -r 5955ec5c173e -r 7cf1fcac9b94 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Fri Jun 06 20:01:13 2025 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sat Jun 07 22:02:18 2025 +0200
@@ -1689,28 +1689,35 @@
 	issuer = get_issuer();
 	authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil;
 	token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil;
+	jwks_uri = nil; -- REQUIRED in OpenID Discovery but not in OAuth 2.0 Metadata
 	registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil;
 	scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host))):push("xmpp"):append(array(openid_claims:items()));
 	response_types_supported = array(it.keys(response_type_handlers));
-	token_endpoint_auth_methods_supported = array({ "client_secret_post"; "client_secret_basic" });
+	response_modes_supported = array(it.keys(response_type_handlers)):map(tmap { token = "fragment"; code = "query" });
+	grant_types_supported = array(it.keys(grant_type_handlers));
+	token_endpoint_auth_methods_supported = array({ "client_secret_basic"; "client_secret_post"; "none" });
+	token_endpoint_auth_signing_alg_values_supported = nil;
+	service_documentation = module:get_option_string("oauth2_service_documentation", "https://modules.prosody.im/mod_http_oauth2.html");
+	ui_locales_supported = allowed_locales[1] and allowed_locales;
 	op_policy_uri = module:get_option_string("oauth2_policy_url", nil);
 	op_tos_uri = module:get_option_string("oauth2_terms_url", nil);
 	revocation_endpoint = handle_revocation_request and module:http_url() .. "/revoke" or nil;
-	revocation_endpoint_auth_methods_supported = array({ "client_secret_basic" });
-	device_authorization_endpoint = handle_device_authorization_request and module:http_url() .. "/device";
+	revocation_endpoint_auth_methods_supported = array({ "client_secret_basic"; "client_secret_post"; "none" });
+	revocation_endpoint_auth_signing_alg_values_supported = nil;
 	introspection_endpoint = handle_introspection_request and module:http_url() .. "/introspect";
 	introspection_endpoint_auth_methods_supported = nil;
+	introspection_endpoint_auth_signing_alg_values_supported = nil;
 	code_challenge_methods_supported = array(it.keys(verifier_transforms));
-	grant_types_supported = array(it.keys(grant_type_handlers));
-	response_modes_supported = array(it.keys(response_type_handlers)):map(tmap { token = "fragment"; code = "query" });
+
+	-- RFC 8628: OAuth 2.0 Device Authorization Grant
+	device_authorization_endpoint = handle_device_authorization_request and module:http_url() .. "/device";
+
+	-- RFC 9207: OAuth 2.0 Authorization Server Issuer Identification
 	authorization_response_iss_parameter_supported = true;
-	service_documentation = module:get_option_string("oauth2_service_documentation", "https://modules.prosody.im/mod_http_oauth2.html");
-	ui_locales_supported = allowed_locales[1] and allowed_locales;
-	-- OpenID
+	-- OpenID Connect Discovery 1.0
 	userinfo_endpoint = handle_userinfo_request and module:http_url() .. "/userinfo" or nil;
-	jwks_uri = nil; -- REQUIRED in OpenID Discovery but not in OAuth 2.0 Metadata
 	id_token_signing_alg_values_supported = { "HS256" }; -- The algorithm RS256 MUST be included, but we use HS256 and client_secret as shared key.
 }
 return authorization_server_metadata;
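Review bot: The new `token_endpoint_auth_methods_supported` and `revocation_endpoint_auth_methods_supported` values now advertise `none`, which publicly promises that unauthenticated (public-client) requests are accepted at `/token` and `/revoke`; since this hunk only changes the published metadata, it is worth confirming that the handlers behind those endpoints actually match it — in particular that public clients using the authorization code grant are required to present PKCE (`code_challenge_methods_supported` is advertised, but whether it is enforced is not visible here) and that a revocation request from a `none` client is only honoured when the token was issued to the `client_id` making the request, as RFC 7009 §2.1/§5 require. Relatedly, the retained `id_token_signing_alg_values_supported = { "HS256" }` line says the ID token is signed with the client_secret as shared key, which a client that authenticates with `none` may not possess; if such clients can obtain the `openid` scope they cannot validate the ID token, so either document that limitation or confirm it cannot happen. A smaller inconsistency on the new side: the moved `device_authorization_endpoint = handle_device_authorization_request and module:http_url() .. "/device";` lacks the trailing `or nil` that the `/authorize`, `/token`, `/register`, `/revoke` and `/userinfo` lines carry, so if that handler variable is `false` (the sibling lines' `or nil` suggests it can be) the field is published as JSON `false` rather than omitted, which is not a valid URL value for metadata consumers; `device_authorization_endpoint = handle_device_authorization_request and module:http_url() .. "/device" or nil;` fixes it. The `authorization_server_metadata` table being built here starts before the hunk.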