https://soft.trung.fun/code/prosody-modules/ en-us mod_http_oauth2/README.markdown revision history https://soft.trung.fun/code/prosody-modules/log/761142ee0ff2/mod_http_oauth2/README.markdown
- Resource owner password grant was disabled by default
- Tokens now include a hash of client_id making it possible to be
reasonable sure that they were issued to a particular client]]> Kim Alvefur <zash@zash.se> Tue, 05 Mar 2024 00:32:00 +0100 https://soft.trung.fun/code/prosody-modules/log/426c42c11f89/mod_http_oauth2/README.markdown
This should be fine since we don't have a lot of clients to be
backwards-compatible with.]]> Kim Alvefur <zash@zash.se> Tue, 14 Nov 2023 23:19:19 +0100 https://soft.trung.fun/code/prosody-modules/log/b43c989fb69c/mod_http_oauth2/README.markdown
"Tell me about this token"]]> Kim Alvefur <zash@zash.se> Thu, 25 May 2023 09:31:21 +0200 https://soft.trung.fun/code/prosody-modules/log/23f336cec200/mod_http_oauth2/README.markdown Kim Alvefur <zash@zash.se> Sat, 09 Sep 2023 22:51:25 +0200 https://soft.trung.fun/code/prosody-modules/log/7c105277a9ca/mod_http_oauth2/README.markdown
Because util.interpolation with a "%b{}" pattern only matches the outer
brackets, so variables inside them would not work unless the pattern is
changed (also considered).]]> Kim Alvefur <zash@zash.se> Sun, 27 Aug 2023 09:49:35 +0200 https://soft.trung.fun/code/prosody-modules/log/f3b7e05c74a9/mod_http_oauth2/README.markdown Kim Alvefur <zash@zash.se> Thu, 17 Aug 2023 08:34:17 +0200 https://soft.trung.fun/code/prosody-modules/log/d8622797e315/mod_http_oauth2/README.markdown
With refresh tokens, short lifetime for access tokens is not a problem.
The arbitrary choice of one hour seems reasonable. RFC 6749 has it as
example value.

One week for refresh tokens matching the default archive retention
period. This means that a client that remains unused for one week will
have to sign in again. An actively used client will continually push
that forward with each used refresh token.]]> Kim Alvefur <zash@zash.se> Mon, 24 Jul 2023 01:30:14 +0200 https://soft.trung.fun/code/prosody-modules/log/308b5b117379/mod_http_oauth2/README.markdown
It is strongly discouraged by all the modern OAuth 2.0 (and 2.1) documents.]]> Kim Alvefur <zash@zash.se> Fri, 21 Jul 2023 00:38:04 +0200 https://soft.trung.fun/code/prosody-modules/log/7565298aa197/mod_http_oauth2/README.markdown
Long URI is long]]> Kim Alvefur <zash@zash.se> Fri, 21 Jul 2023 00:37:34 +0200 https://soft.trung.fun/code/prosody-modules/log/a9682cad0e67/mod_http_oauth2/README.markdown Kim Alvefur <zash@zash.se> Fri, 21 Jul 2023 00:29:24 +0200 https://soft.trung.fun/code/prosody-modules/log/7040d0772758/mod_http_oauth2/README.markdown
Meant for devices without easy access to a web browser, such as
refrigerators and toasters, which definitely need to be running
OAuth-enabled XMPP clients!

Could be used for CLI tools that might have trouble running a http
server needed for the authorization code flow.]]> Kim Alvefur <zash@zash.se> Mon, 10 Jul 2023 07:16:54 +0200 https://soft.trung.fun/code/prosody-modules/log/59acf7f540c1/mod_http_oauth2/README.markdown Kim Alvefur <zash@zash.se> Fri, 07 Jul 2023 19:45:48 +0200 https://soft.trung.fun/code/prosody-modules/log/734788d8bfc3/mod_http_oauth2/README.markdown
So that they're in one place only instead of sorta twice.]]> Kim Alvefur <zash@zash.se> Thu, 22 Jun 2023 21:59:49 +0200 https://soft.trung.fun/code/prosody-modules/log/d6ab6f0bd96e/mod_http_oauth2/README.markdown
More fields from RFC 7591. We should probably mention and recommend more
of them, especially the ones that are recorded in grants.]]> Kim Alvefur <zash@zash.se> Thu, 22 Jun 2023 09:18:32 +0200 https://soft.trung.fun/code/prosody-modules/log/d4a2997deae9/mod_http_oauth2/README.markdown
E.g. to enable forbidding all scripts if you don't use any scripts, or
allow scripts from your separate static content domain, etc.]]> Kim Alvefur <zash@zash.se> Sun, 11 Jun 2023 14:06:28 +0200 https://soft.trung.fun/code/prosody-modules/log/ae20da6d377d/mod_http_oauth2/README.markdown
Links are good.]]> Kim Alvefur <zash@zash.se> Sun, 11 Jun 2023 14:03:27 +0200 https://soft.trung.fun/code/prosody-modules/log/fcef6263acdb/mod_http_oauth2/README.markdown
To make them more recognisable as code things.]]> Kim Alvefur <zash@zash.se> Sun, 11 Jun 2023 14:02:47 +0200 https://soft.trung.fun/code/prosody-modules/log/ef1ae6390742/mod_http_oauth2/README.markdown Kim Alvefur <zash@zash.se> Wed, 07 Jun 2023 01:51:23 +0200 https://soft.trung.fun/code/prosody-modules/log/67448e677706/mod_http_oauth2/README.markdown
This module implements the Authorization Server parts of OAuth 2.0, so
having the summary say that seems sensible.]]> Kim Alvefur <zash@zash.se> Wed, 07 Jun 2023 01:43:35 +0200 https://soft.trung.fun/code/prosody-modules/log/56803acfa638/mod_http_oauth2/README.markdown Kim Alvefur <zash@zash.se> Fri, 02 Jun 2023 08:59:29 +0200 https://soft.trung.fun/code/prosody-modules/log/209299fd81e1/mod_http_oauth2/README.markdown Kim Alvefur <zash@zash.se> Thu, 01 Jun 2023 20:02:45 +0200 https://soft.trung.fun/code/prosody-modules/log/37621c6e5c08/mod_http_oauth2/README.markdown
Previously quite a compact block of text, maybe this is easier to read.]]> Kim Alvefur <zash@zash.se> Thu, 01 Jun 2023 19:55:36 +0200 https://soft.trung.fun/code/prosody-modules/log/efe9e741f222/mod_http_oauth2/README.markdown
The s in the scheme should not be there, only unencrypted http to
loopback interface is allowed.]]> Kim Alvefur <zash@zash.se> Thu, 01 Jun 2023 19:37:17 +0200 https://soft.trung.fun/code/prosody-modules/log/1bcf755c7bae/mod_http_oauth2/README.markdown Kim Alvefur <zash@zash.se> Fri, 26 May 2023 15:49:39 +0200 https://soft.trung.fun/code/prosody-modules/log/cae3bb3dd45f/mod_http_oauth2/README.markdown
Because they go a bit further than the basics in the RFC]]> Kim Alvefur <zash@zash.se> Fri, 26 May 2023 15:48:02 +0200 https://soft.trung.fun/code/prosody-modules/log/1c78a97a1091/mod_http_oauth2/README.markdown
This will be the first step towards defining a standard set of XMPP
scopes. "xmpp" behaves as an alias for the user's default role, so that
the client does not need to know about the various prosody:* roles.]]> Kim Alvefur <zash@zash.se> Wed, 17 May 2023 19:40:27 +0200 https://soft.trung.fun/code/prosody-modules/log/66e13e79928b/mod_http_oauth2/README.markdown
Notably we don't have an JSON Web Key Set, since we use the client
secret in the HS256 algorithm.]]> Kim Alvefur <zash@zash.se> Wed, 17 May 2023 17:56:56 +0200 https://soft.trung.fun/code/prosody-modules/log/2a11f590c5c8/mod_http_oauth2/README.markdown Kim Alvefur <zash@zash.se> Wed, 17 May 2023 17:38:18 +0200 https://soft.trung.fun/code/prosody-modules/log/2393dbae51ed/mod_http_oauth2/README.markdown
Meant to simplify configuration, since TTL vs ignoring expiration is
expected to be the main thing one would want to configure.

Unsure what the implications of having unlimited lifetime of clients
are, given no way to revoke them currently, short of rotating the
signing secret.

On one hand, it would be annoying to have the client expire.
On the other hand, it is trivial to re-register it.]]> Kim Alvefur <zash@zash.se> Thu, 04 May 2023 18:41:33 +0200 https://soft.trung.fun/code/prosody-modules/log/644b2f2b9b52/mod_http_oauth2/README.markdown Kim Alvefur <zash@zash.se> Tue, 02 May 2023 19:06:17 +0200 https://soft.trung.fun/code/prosody-modules/log/3989c57cc551/mod_http_oauth2/README.markdown
These are for the Authorization Server, here the same as the XMPP
server.]]> Kim Alvefur <zash@zash.se> Tue, 02 May 2023 17:01:02 +0200 https://soft.trung.fun/code/prosody-modules/log/b40f29ec391a/mod_http_oauth2/README.markdown
You'd pretty much only want this to disable the 'plain' method, since it
doesn't seem to add that much security?]]> Kim Alvefur <zash@zash.se> Sat, 29 Apr 2023 13:09:49 +0200 https://soft.trung.fun/code/prosody-modules/log/df11a2cbc7b7/mod_http_oauth2/README.markdown
Likely to become mandatory in OAuth 2.1.

Backwards compatible since the default 'plain' verifier would compare
nil with nil if the relevant parameters are left out.]]> Kim Alvefur <zash@zash.se> Sat, 29 Apr 2023 13:09:46 +0200 https://soft.trung.fun/code/prosody-modules/log/dd8616e68cb3/mod_http_oauth2/README.markdown Kim Alvefur <zash@zash.se> Fri, 07 Apr 2023 15:21:33 +0200 https://soft.trung.fun/code/prosody-modules/log/4fc3277a914d/mod_http_oauth2/README.markdown Kim Alvefur <zash@zash.se> Fri, 07 Apr 2023 11:38:46 +0200 https://soft.trung.fun/code/prosody-modules/log/8501baa7ef3f/mod_http_oauth2/README.markdown Kim Alvefur <zash@zash.se> Fri, 07 Apr 2023 11:37:58 +0200 https://soft.trung.fun/code/prosody-modules/log/80ecba092027/mod_http_oauth2/README.markdown Matthew Wild <mwild1@gmail.com> Thu, 06 Apr 2023 17:24:16 +0100 https://soft.trung.fun/code/prosody-modules/log/3235b8bd1e55/mod_http_oauth2/README.markdown
luarocks needs this extra metadata]]> Kim Alvefur <zash@zash.se> Mon, 06 Mar 2023 15:55:11 +0100 https://soft.trung.fun/code/prosody-modules/log/164a9875935b/mod_http_oauth2/README.markdown Kim Alvefur <zash@zash.se> Fri, 03 Mar 2023 22:48:14 +0100 https://soft.trung.fun/code/prosody-modules/log/df3d521e3c39/mod_http_oauth2/README.markdown Kim Alvefur <zash@zash.se> Mon, 11 Apr 2022 00:19:48 +0200 https://soft.trung.fun/code/prosody-modules/log/cfeb93b80621/mod_http_oauth2/README.markdown Matthew Wild <mwild1@gmail.com> Sun, 23 Feb 2020 21:36:53 +0000