222 -- "token"; -- implicit flow disabled by default |
222 -- "token"; -- implicit flow disabled by default |
223 } |
223 } |
224 ``` |
224 ``` |
225 |
225 |
226 The [Proof Key for Code Exchange][RFC 7636] mitigation method is |
226 The [Proof Key for Code Exchange][RFC 7636] mitigation method is |
227 optional by default but can be made required: |
227 required by default but can be made optional: |
228 |
228 |
229 ```lua |
229 ```lua |
230 oauth2_require_code_challenge = true -- default is false |
230 oauth2_require_code_challenge = false -- default is true |
231 ``` |
231 ``` |
232 |
232 |
233 Further, individual challenge methods can be enabled or disabled: |
233 Further, individual challenge methods can be enabled or disabled: |
234 |
234 |
235 ```lua |
235 ```lua |
236 -- These reflects the default |
236 -- These reflects the default |
237 allowed_oauth2_code_challenge_methods = { |
237 allowed_oauth2_code_challenge_methods = { |
238 "plain"; -- the insecure one |
238 -- "plain"; -- insecure but backwards-compatible |
239 "S256"; |
239 "S256"; |
240 } |
240 } |
241 ``` |
241 ``` |
242 |
242 |
243 ### Policy documents |
243 ### Policy documents |
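Review bot: At line 238 the new side comments out "plain" while the unchanged comment at line 236 still reads "-- These reflects the default", so the reader has to infer that "plain" is no longer enabled by default. State that explicitly in the prose at line 233, and say that uncommenting "plain" re-enables the insecure method for backwards compatibility. The comment at line 236 should also read "These reflect the defaults". At lines 227 and 230 the example now shows the weaker, non-default value `oauth2_require_code_challenge = false` without saying when that is appropriate. A sentence noting that it is meant only for clients that cannot send a code challenge would stop it being copied verbatim into configs.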