6291:7cf1fcac9b94
mod_http_oauth2: Reorder metadata by source
Following the order in which fields are described in each specification.
Also fills in `nil` fields that are defined but not used in this module.
Tweaks some values to reflect current behavior.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 07 Jun 2025 22:02:18 +0200 |
| parents | 6290:5955ec5c173e |
| children | 6292:28fd42866be9 |
| files | mod_http_oauth2/mod_http_oauth2.lua |
| diffstat | 1 files changed, 16 insertions(+), 9 deletions(-) [+] |
--- a/mod_http_oauth2/mod_http_oauth2.lua Fri Jun 06 20:01:13 2025 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sat Jun 07 22:02:18 2025 +0200
@@ -1689,28 +1689,35 @@
  issuer = get_issuer();
  authorization_endpoint = handle_authorization_request and module:http_url() .. "/authorize" or nil;
  token_endpoint = handle_token_grant and module:http_url() .. "/token" or nil;
+ jwks_uri = nil; -- REQUIRED in OpenID Discovery but not in OAuth 2.0 Metadata
  registration_endpoint = handle_register_request and module:http_url() .. "/register" or nil;
  scopes_supported = usermanager.get_all_roles and array(it.keys(usermanager.get_all_roles(module.host))):push("xmpp"):append(array(openid_claims:items()));
  response_types_supported = array(it.keys(response_type_handlers));
- token_endpoint_auth_methods_supported = array({ "client_secret_post"; "client_secret_basic" });
+ response_modes_supported = array(it.keys(response_type_handlers)):map(tmap { token = "fragment"; code = "query" });
+ grant_types_supported = array(it.keys(grant_type_handlers));
+ token_endpoint_auth_methods_supported = array({ "client_secret_basic"; "client_secret_post"; "none" });
+ token_endpoint_auth_signing_alg_values_supported = nil;
+ service_documentation = module:get_option_string("oauth2_service_documentation", "https://modules.prosody.im/mod_http_oauth2.html");
+ ui_locales_supported = allowed_locales[1] and allowed_locales;
  op_policy_uri = module:get_option_string("oauth2_policy_url", nil);
  op_tos_uri = module:get_option_string("oauth2_terms_url", nil);
  revocation_endpoint = handle_revocation_request and module:http_url() .. "/revoke" or nil;
- revocation_endpoint_auth_methods_supported = array({ "client_secret_basic" });
- device_authorization_endpoint = handle_device_authorization_request and module:http_url() .. "/device";
+ revocation_endpoint_auth_methods_supported = array({ "client_secret_basic"; "client_secret_post"; "none" });
+ revocation_endpoint_auth_signing_alg_values_supported = nil;
  introspection_endpoint = handle_introspection_request and module:http_url() .. "/introspect";
  introspection_endpoint_auth_methods_supported = nil;
+ introspection_endpoint_auth_signing_alg_values_supported = nil;
  code_challenge_methods_supported = array(it.keys(verifier_transforms));
- grant_types_supported = array(it.keys(grant_type_handlers));
- response_modes_supported = array(it.keys(response_type_handlers)):map(tmap { token = "fragment"; code = "query" });
+
+ -- RFC 8628: OAuth 2.0 Device Authorization Grant
+ device_authorization_endpoint = handle_device_authorization_request and module:http_url() .. "/device";
+
+ -- RFC 9207: OAuth 2.0 Authorization Server Issuer Identification
  authorization_response_iss_parameter_supported = true;
- service_documentation = module:get_option_string("oauth2_service_documentation", "https://modules.prosody.im/mod_http_oauth2.html");
- ui_locales_supported = allowed_locales[1] and allowed_locales;
- -- OpenID
+ -- OpenID Connect Discovery 1.0
  userinfo_endpoint = handle_userinfo_request and module:http_url() .. "/userinfo" or nil;
- jwks_uri = nil; -- REQUIRED in OpenID Discovery but not in OAuth 2.0 Metadata
  id_token_signing_alg_values_supported = { "HS256" }; -- The algorithm RS256 MUST be included, but we use HS256 and client_secret as shared key.
 }
 return authorization_server_metadata;
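Review bot: `token_endpoint_auth_methods_supported` and `revocation_endpoint_auth_methods_supported` now advertise `"none"`, which tells clients that unauthenticated public clients are accepted at those endpoints; for revocation that is only safe if the handler (outside this hunk) verifies that the presented token was issued to the requesting client, as RFC 7009 §2.1 requires, and that check is not visible here. If that binding is already enforced, a short comment next to the revocation entry such as `-- "none": public clients may revoke only tokens issued to their own client_id` would document the assumption the published metadata makes. Separately, the moved `device_authorization_endpoint` line is the only endpoint entry without a trailing `or nil`, so if `handle_device_authorization_request` is ever `false` rather than `nil` the metadata would carry a literal `false` value instead of omitting the field; `device_authorization_endpoint = handle_device_authorization_request and module:http_url() .. "/device" or nil;` would match the other entries. The enclosing table constructor starts before this hunk.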