author | Kim Alvefur <zash@zash.se> |
Tue, 02 May 2023 16:23:05 +0200 | |
changeset 5407 | c574aaaa4d57 |
parent 5388 | b40f29ec391a |
child 5412 | 3989c57cc551 |
permissions | -rw-r--r-- |
3907
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 |
--- |
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 |
labels: |
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 |
- Stage-Alpha |
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 |
summary: 'OAuth2 API' |
5216
3235b8bd1e55
mod_http_oauth2: Include html templates in package for plugin installer
Kim Alvefur <zash@zash.se>
parents:
5201
diff
changeset
|
5 |
rockspec: |
3235b8bd1e55
mod_http_oauth2: Include html templates in package for plugin installer
Kim Alvefur <zash@zash.se>
parents:
5201
diff
changeset
|
6 |
build: |
3235b8bd1e55
mod_http_oauth2: Include html templates in package for plugin installer
Kim Alvefur <zash@zash.se>
parents:
5201
diff
changeset
|
7 |
copy_directories: |
3235b8bd1e55
mod_http_oauth2: Include html templates in package for plugin installer
Kim Alvefur <zash@zash.se>
parents:
5201
diff
changeset
|
8 |
- html |
3907
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 |
... |
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 |
|
5317
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
11 |
## Introduction |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
12 |
|
5319
8501baa7ef3f
mod_http_oauth2/README: Link to OAuth and OIDC sites
Kim Alvefur <zash@zash.se>
parents:
5317
diff
changeset
|
13 |
This module implements an [OAuth2](https://oauth.net/2/)/[OpenID Connect |
8501baa7ef3f
mod_http_oauth2/README: Link to OAuth and OIDC sites
Kim Alvefur <zash@zash.se>
parents:
5317
diff
changeset
|
14 |
(OIDC)](https://openid.net/connect/) provider HTTP frontend on top of |
8501baa7ef3f
mod_http_oauth2/README: Link to OAuth and OIDC sites
Kim Alvefur <zash@zash.se>
parents:
5317
diff
changeset
|
15 |
Prosody's usual internal authentication backend. |
5317
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
16 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
17 |
OAuth and OIDC are web standards that allow you to provide clients and |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
18 |
third-party applications limited access to your account, without sharing your |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
19 |
password with them. |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
20 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
21 |
With this module deployed, software that supports OAuth can obtain "access |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
22 |
tokens" from Prosody which can then be used to connect to XMPP accounts using |
5320
4fc3277a914d
mod_http_oauth2/README: Link to mod_rest
Kim Alvefur <zash@zash.se>
parents:
5319
diff
changeset
|
23 |
the 'OAUTHBEARER' SASL mechanism or via non-XMPP interfaces such as [mod_rest]. |
5317
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
24 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
25 |
Although this module has been around for some time, it has recently been |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
26 |
significantly extended and largely rewritten to support OAuth/OIDC more fully. |
3907
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 |
|
5317
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
28 |
As of April 2023, it should be considered **alpha** stage. It works, we have |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
29 |
tested it, but it has not yet seen wider review, testing and deployment. At |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
30 |
this stage we recommend it for experimental and test deployments only. For |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
31 |
specific information, see the [deployment notes section](#deployment-notes) |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
32 |
below. |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
33 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
34 |
Known client implementations: |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
35 |
|
5332
dd8616e68cb3
mod_http_oauth2/README: Add rest.sh to known implementations
Kim Alvefur <zash@zash.se>
parents:
5320
diff
changeset
|
36 |
- [example shell script for mod_rest](https://hg.prosody.im/prosody-modules/file/tip/mod_rest/example/rest.sh) |
dd8616e68cb3
mod_http_oauth2/README: Add rest.sh to known implementations
Kim Alvefur <zash@zash.se>
parents:
5320
diff
changeset
|
37 |
- *(we need you!)* |
5317
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
38 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
39 |
Support for OAUTHBEARER has been added to the Lua XMPP library, [verse](https://code.matthewwild.co.uk/verse). |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
40 |
If you know of additional implementations, or are motivated to work on one, |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
41 |
please let us know! We'd be happy to help (e.g. by providing a test server). |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
42 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
43 |
## Standards support |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
44 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
45 |
Notable supported standards: |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
46 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
47 |
- [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749) |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
48 |
- [RFC 7628: A Set of Simple Authentication and Security Layer (SASL) Mechanisms for OAuth](https://www.rfc-editor.org/rfc/rfc7628) |
5387
df11a2cbc7b7
mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange
Kim Alvefur <zash@zash.se>
parents:
5332
diff
changeset
|
49 |
- [RFC 7636: Proof Key for Code Exchange by OAuth Public Clients](https://www.rfc-editor.org/rfc/rfc7636) |
5317
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
50 |
- [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
51 |
- [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html) & [RFC 7591: OAuth 2.0 Dynamic Client Registration](https://www.rfc-editor.org/rfc/rfc7591.html) |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
52 |
- [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html) |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
53 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
54 |
## Configuration |
3907
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
55 |
|
5317
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
56 |
### Interface |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
57 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
58 |
The module presents a web page to users to allow them to authenticate when |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
59 |
a client requests access. Built-in pages are provided, but you may also theme |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
60 |
or entirely override them. |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
61 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
62 |
This module honours the 'site_name' configuration option that is also used by |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
63 |
a number of other modules: |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
64 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
65 |
```lua |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
66 |
site_name = "My XMPP Server" |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
67 |
``` |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
68 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
69 |
To provide custom templates, specify the path to the template directory: |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
70 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
71 |
```lua |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
72 |
oauth2_template_path = "/etc/prosody/custom-oauth2-templates" |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
73 |
``` |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
74 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
75 |
Some templates support additional variables, that can be provided by the |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
76 |
'oauth2_template_style' option: |
3907
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
77 |
|
5317
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
78 |
```lua |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
79 |
oauth2_template_style = { |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
80 |
background_colour = "#ffffff"; |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
81 |
} |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
82 |
``` |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
83 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
84 |
### Token parameters |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
85 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
86 |
The following options configure the lifetime of tokens issued by the module. |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
87 |
The defaults are recommended. |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
88 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
89 |
```lua |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
90 |
oauth2_access_token_ttl = 86400 -- 24 hours |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
91 |
oauth2_refresh_token_ttl = nil -- unlimited unless revoked by the user |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
92 |
``` |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
93 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
94 |
### Dynamic client registration |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
95 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
96 |
To allow users to connect any compatible software, you should enable dynamic |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
97 |
client registration. |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
98 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
99 |
Dynamic client registration can be enabled by configuring a JWT key. Algorithm |
5201
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
100 |
defaults to *HS256*. |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
101 |
|
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
102 |
```lua |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
103 |
oauth2_registration_key = "securely generated JWT key here" |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
104 |
oauth2_registration_algorithm = "HS256" |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
105 |
oauth2_registration_options = { default_ttl = 60 * 60 * 24 * 90 } |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
106 |
``` |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
107 |
|
5317
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
108 |
### Supported flows |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
109 |
|
5201
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
110 |
Various flows can be disabled and enabled with |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
111 |
`allowed_oauth2_grant_types` and `allowed_oauth2_response_types`: |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
112 |
|
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
113 |
```lua |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
114 |
allowed_oauth2_grant_types = { |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
115 |
"authorization_code"; -- authorization code grant |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
116 |
"password"; -- resource owner password grant |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
117 |
} |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
118 |
|
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
119 |
allowed_oauth2_response_types = { |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
120 |
"code"; -- authorization code flow |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
121 |
-- "token"; -- implicit flow disabled by default |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
122 |
} |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
123 |
``` |
164a9875935b
mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents:
4927
diff
changeset
|
124 |
|
5387
df11a2cbc7b7
mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange
Kim Alvefur <zash@zash.se>
parents:
5332
diff
changeset
|
125 |
The [Proof Key for Code Exchange][RFC 7636] mitigation method can be |
df11a2cbc7b7
mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange
Kim Alvefur <zash@zash.se>
parents:
5332
diff
changeset
|
126 |
made required: |
df11a2cbc7b7
mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange
Kim Alvefur <zash@zash.se>
parents:
5332
diff
changeset
|
127 |
|
df11a2cbc7b7
mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange
Kim Alvefur <zash@zash.se>
parents:
5332
diff
changeset
|
128 |
```lua |
df11a2cbc7b7
mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange
Kim Alvefur <zash@zash.se>
parents:
5332
diff
changeset
|
129 |
oauth2_require_code_challenge = true |
df11a2cbc7b7
mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange
Kim Alvefur <zash@zash.se>
parents:
5332
diff
changeset
|
130 |
``` |
df11a2cbc7b7
mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange
Kim Alvefur <zash@zash.se>
parents:
5332
diff
changeset
|
131 |
|
5388
b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
Kim Alvefur <zash@zash.se>
parents:
5387
diff
changeset
|
132 |
Further, individual challenge methods can be enabled or disabled: |
b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
Kim Alvefur <zash@zash.se>
parents:
5387
diff
changeset
|
133 |
|
b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
Kim Alvefur <zash@zash.se>
parents:
5387
diff
changeset
|
134 |
```lua |
b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
Kim Alvefur <zash@zash.se>
parents:
5387
diff
changeset
|
135 |
allowed_oauth2_code_challenge_methods = { |
b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
Kim Alvefur <zash@zash.se>
parents:
5387
diff
changeset
|
136 |
"plain"; -- the insecure one |
b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
Kim Alvefur <zash@zash.se>
parents:
5387
diff
changeset
|
137 |
"S256"; |
b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
Kim Alvefur <zash@zash.se>
parents:
5387
diff
changeset
|
138 |
} |
b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
Kim Alvefur <zash@zash.se>
parents:
5387
diff
changeset
|
139 |
``` |
b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
Kim Alvefur <zash@zash.se>
parents:
5387
diff
changeset
|
140 |
|
5317
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
141 |
## Deployment notes |
3907
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
142 |
|
5317
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
143 |
### Access management |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
144 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
145 |
This module does not provide an interface for users to manage what they have |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
146 |
granted access to their account! (e.g. to view and revoke clients they have |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
147 |
previously authorized). It is recommended to join this module with |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
148 |
mod_client_management to provide such access. However, at the time of writing, |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
149 |
no XMPP clients currently support the protocol used by that module. We plan to |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
150 |
work on additional interfaces in the future. |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
151 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
152 |
### Scopes |
3907
cfeb93b80621
mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
153 |
|
5317
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
154 |
OAuth supports "scopes" as a way to grant clients limited access. |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
155 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
156 |
There are currently no standard scopes defined for XMPP. This is something |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
157 |
that we intend to change, e.g. by definitions provided in a future XEP. This |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
158 |
means that clients you authorize currently have unrestricted access to your |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
159 |
account (including the ability to change your password and lock you out!). So, |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
160 |
for now, while using OAuth clients can prevent leaking your password to them, |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
161 |
it is not currently suitable for connecting untrusted clients to your account. |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
162 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
163 |
## Compatibility |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
164 |
|
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
165 |
Requires Prosody trunk (April 2023), **not** compatible with Prosody 0.12 or |
80ecba092027
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com>
parents:
5216
diff
changeset
|
166 |
earlier. |