prosody-modules
Changeset 5465:66e13e79928b
mod_http_oauth2: Note about partial OpenID Discovery implementation
Notably we don't have a JSON Web Key Set, since we use the client secret in the HS256 algorithm.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Wed, 17 May 2023 17:56:56 +0200 |
| parents | 5464:2a11f590c5c8 |
| children | 5466:398d936e77fb |
| files | mod_http_oauth2/README.markdown, mod_http_oauth2/mod_http_oauth2.lua |
| diffstat | 2 files changed, 3 insertions(+), 3 deletions(-) |
--- a/mod_http_oauth2/README.markdown Wed May 17 17:38:18 2023 +0200 +++ b/mod_http_oauth2/README.markdown Wed May 17 17:56:56 2023 +0200 @@ -50,7 +50,7 @@ - [RFC 7628: A Set of Simple Authentication and Security Layer (SASL) Mechanisms for OAuth](https://www.rfc-editor.org/rfc/rfc7628) - [RFC 7636: Proof Key for Code Exchange by OAuth Public Clients](https://www.rfc-editor.org/rfc/rfc7636) - [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) -- [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html) +- [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html) (_partial, e.g. missing JWKS_) - [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html) ## Configuration
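Review bot: the new "(_partial, e.g. missing JWKS_)" qualifier under-documents the deviation; the Lua hunk in this same change also records that `id_token_signing_alg_values_supported` is `{ "HS256" }` while Discovery says RS256 MUST be included, and a relying party that validates the metadata strictly will trip on that as well as on the absent `jwks_uri`. Spell out both in the README so deployers know what to expect, e.g. "(_partial: no `jwks_uri`/JWKS, and ID tokens are signed with HS256 keyed on the client secret rather than RS256_)". Since RFC 7636 (public clients) is listed two lines above, it is also worth stating that a client registered without a `client_secret` has no key with which to verify such ID tokens.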
--- a/mod_http_oauth2/mod_http_oauth2.lua Wed May 17 17:38:18 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Wed May 17 17:56:56 2023 +0200 @@ -1074,7 +1074,6 @@ issuer = get_issuer(); authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil; token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil; - jwks_uri = nil; -- TODO? registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil; scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host))):append(array(openid_claims:items())); response_types_supported = array(it.keys(response_type_handlers)); @@ -1091,7 +1090,8 @@ -- OpenID userinfo_endpoint = handle_register_request and module:http_url() .. "/userinfo" or nil; - id_token_signing_alg_values_supported = { "HS256" }; + jwks_uri = nil; -- REQUIRED in OpenID Discovery but not in OAuth 2.0 Metadata + id_token_signing_alg_values_supported = { "HS256" }; -- The algorithm RS256 MUST be included, but we use HS256 and client_secret as shared key. }; }; };
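Review bot: `jwks_uri = nil; -- REQUIRED in OpenID Discovery but not in OAuth 2.0 Metadata` is a no-op inside a Lua table constructor (assigning nil simply leaves the key absent), so the line has no effect on the serialized document and exists only for its comment; either turn it into a plain comment so nobody later assumes the field is being emitted, or keep it but do not rely on it. The relocated line does belong under the `-- OpenID` section as the comment says, so the move itself is fine. On the HS256 comment: because the MAC key is the client's own `client_secret`, the ID token is verifiable only by that client, and that client can mint tokens that pass its own check, so the code (or the README) should state that ID tokens from this issuer must not be relayed to or accepted by any other party as proof of authentication. The same choice puts an entropy requirement on `client_secret` (OpenID Connect Core 1.0 §16.19, symmetric key entropy); please confirm the secret is generated with enough randomness to serve as an HMAC-SHA-256 key, since this hunk does not show where it comes from.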