Changeset

5882:761142ee0ff2

mod_http_oauth2: Reflect changes to defaults etc - Resource owner password grant was disabled by default - Tokens now include a hash of client_id making it possible to be reasonable sure that they were issued to a particular client
author Kim Alvefur <zash@zash.se>
date Tue, 05 Mar 2024 00:32:00 +0100
parents 5881:ff90dad75352
children 5883:259ffdbf8906
files mod_http_oauth2/README.markdown mod_http_oauth2/mod_http_oauth2.lua
diffstat 2 files changed, 4 insertions(+), 4 deletions(-) [+]
line wrap: on
line diff
--- a/mod_http_oauth2/README.markdown	Sun Mar 03 18:06:47 2024 +0000
+++ b/mod_http_oauth2/README.markdown	Tue Mar 05 00:32:00 2024 +0100
@@ -102,7 +102,7 @@
 client registration.
 
 Dynamic client registration can be enabled by configuring a JWT key. Algorithm
-defaults to *HS256* lifetime defaults to forever.
+defaults to *HS256*, lifetime defaults to forever.
 
 ```lua
 oauth2_registration_key = "securely generated JWT key here"
@@ -202,7 +202,7 @@
 
 -   Authorization Code grant, optionally with Proof Key for Code Exchange
 -   Device Authorization Grant
--   Resource owner password grant *(likely to be phased out in the future)*
+-   Resource owner password grant *(disabled by default)*
 -   Implicit flow *(disabled by default)*
 -   Refresh Token grants
 
@@ -214,7 +214,7 @@
 allowed_oauth2_grant_types = {
 	"authorization_code"; -- authorization code grant
 	"device_code";
-	"password"; -- resource owner password grant
+	-- "password"; -- resource owner password grant disabled by default
 }
 
 allowed_oauth2_response_types = {
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sun Mar 03 18:06:47 2024 +0000
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 05 00:32:00 2024 +0100
@@ -1128,7 +1128,7 @@
 		headers = { content_type = "application/json" };
 		body = json.encode {
 			active = true;
-			client_id = credentials.username; -- We don't really know for sure
+			client_id = credentials.username; -- Verified via client hash
 			username = jid.node(token_info.jid);
 			scope = token_info.grant.data.oauth2_scopes;
 			token_type = purpose_map[token_info.purpose];