--- a/mod_http_oauth2/README.markdown Tue Nov 14 23:03:37 2023 +0100
+++ b/mod_http_oauth2/README.markdown Tue Nov 14 23:19:19 2023 +0100
@@ -224,10 +224,10 @@
```
The [Proof Key for Code Exchange][RFC 7636] mitigation method is
-optional by default but can be made required:
+required by default but can be made optional:
```lua
-oauth2_require_code_challenge = true -- default is false
+oauth2_require_code_challenge = false -- default is true
```
Further, individual challenge methods can be enabled or disabled:
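Review bot: The flipped default on the `oauth2_require_code_challenge` line is a behaviour change for existing deployments, and the README text does not say so. Clients that do not send a code challenge worked under the old default and are affected by the new one, so an upgrade note belongs next to "required by default but can be made optional". The only example shown is now the weaker, non-default setting (`= false`). A sentence saying when turning it off is acceptable, such as legacy clients that cannot do PKCE, would stop readers from copying it as the recommended configuration.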
@@ -235,7 +235,7 @@
```lua
-- These reflects the default
allowed_oauth2_code_challenge_methods = {
- "plain"; -- the insecure one
+ -- "plain"; -- insecure but backwards-compatible
"S256";
}
```
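Review bot: Commenting out `"plain"` under the unchanged heading comment "These reflects the default" leaves the reader to infer that plain is no longer allowed by default. The prose above the block should state explicitly that only `"S256"` is enabled by default and that `"plain"` has to be added back to `allowed_oauth2_code_challenge_methods` to re-enable it. The new comment "insecure but backwards-compatible" reads softer than the old "the insecure one"; consider saying which clients need it so that it is not enabled casually. While this block is being touched, "These reflects" could be corrected to "These reflect".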