mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Per draft-ietf-oauth-v2-1-08#section-8.4.2 > The authorization server MUST allow any port to be specified at the > time of the request for loopback IP redirect URIs, to accommodate > clients that obtain an available ephemeral port from the operating > system at the time of the request. Uncertain if it should normalize the host part, but it also seems harmless to treat IPv6 and IPv4 the same here. One thing is that "localhost" is NOT RECOMMENDED because it can sometimes be pointed to non-loopback interfaces via DNS or hosts file.

mod_http_oauth2: Add FIXME about loopback redirect URIs I assume you can't possibly pre-register every port

mod_http_oauth2: Rename variables to improve clarity

mod_http_oauth2: Do minimal validation of private-use URI schemes Per draft-ietf-oauth-v2-1-08#section-2.3.1 > At a minimum, any private-use URI scheme that doesn't contain a period > character (.) SHOULD be rejected. Since this would rule out the OOB URI, which is useful for CLI tools and such without a built-in http server, it is explicitly allowed.

mod_http_oauth2: Reject relative redirect URIs Also prevents a nil scheme from causing trouble

mod_http_oauth2: Reject duplicate list items in client registration Useless waste of space

mod_http_oauth2: Require non-empty arrays in client registration Makes no sense to claim to support nothing.

mod_http_oauth2: Reject duplicate redirect URIs in registration

mod_http_oauth2: Fix schema to enforce at least one redirect URI minLength is for strings

mod_http_oauth2: Show only roles the user can use in consent dialog Confusing if it shows you roles you can't use.

mod_http_oauth2: Reference grant by id instead of value Fixes that the grant got mutated on use of refresh token, notably it would gain 'id' and 'jid' properties set there by mod_tokenauth. Previously also the secret token that we should not be remembering.

mod_http_oauth2: Scope FIXMEs

mod_http_oauth2: Describe type signatures of scope handling functions

mod_http_oauth2: Allow requesting a subset of scopes on token refresh This enables clients to request access tokens with fewer permissions than the grant they were given, reducing impact of token leak. Clients could e.g. request access tokens with some privileges and immediately revoke them after use, or other strategies.

mod_http_oauth2: Enforce client scope restrictions in authorization When registering a client, a scope field can be included as a promise to only ever use those. Here we enforce that promise, if given, ensuring a client can't request or be granted a scope it didn't provide in its registration. While currently there is no restrictions at registration time, this could be changed in the future in various ways.

mod_http_oauth2: Fix inclusion of role in refreshed access tokens `refresh_token_info` does not carry the role, and due to behavior prior to prosody trunk rev a1ba503610ed it would have reverted to the users' default role. After that it instead issues a token without role which is thus not usable with e.g. mod_rest

mod_http_oauth2: Fix unintentional persistence

mod_auth_oauth_external: Update compatibility section with unknowns The PLAIN bits may very well work, it just needs async support

mod_auth_oauth_external: Also do XEP-0106 escaping in SASL OAUTHBEARER For consistency. The mangling should be made configurable in the future.

mod_auth_oauth_external: Stub not implemented auth module methods Not providing some of these may trigger errors on use, which is something that would be nice to fix on the Prosody side, one day.

mod_auth_oauth_external: Add Mastodon to README

mod_auth_oauth_external: Allow different username in PLAIN vs final JID Mastodon for example having email addresses usernames in login, but a different username in the service itself. Thanks to @tcit@social.tcit.fr for the pointer to a usable validation endpoint for Mastodon, allowing this to be tested.

mod_auth_oauth_external: Remove untested JID mapping This should probably be opt-in.

mod_auth_oauth_external: Remove untested role mapping This ... broke things. If brought back, it would need additional validation.

mod_auth_oauth_external: Expect XEP-0106 escaped username in PLAIN This allows entering an email address as username in some clients by escaping the @ as \40, enabling authentication against Mastodon

mod_auth_oauth_external: Make 'scope' configurable in password grant request Needed by some OAuth servers, tested here with Mastodon

mod_auth_oauth_external: Add setting for client_secret Whether this is needed may vary by OAuth provider. Mastodon for example requires it.

mod_auth_oauth_external: Work without token validation endpoint In this mode, only PLAIN is possible and the provided username is assumed to be the XMPP localpart.

mod_auth_oauth_external: Fix missing import of util.jid

mod_rest/rest.sh: Trim trailing whitespace