Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 13:51:30 +0200] rev 5465
mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs
Per draft-ietf-oauth-v2-1-08#section-8.4.2
> The authorization server MUST allow any port to be specified at the
> time of the request for loopback IP redirect URIs, to accommodate
> clients that obtain an available ephemeral port from the operating
> system at the time of the request.
Uncertain if it should normalize the host part, but it also seems
harmless to treat IPv6 and IPv4 the same here.
One thing is that "localhost" is NOT RECOMMENDED because it can
sometimes be pointed to non-loopback interfaces via DNS or hosts file.
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 00:55:50 +0200] rev 5464
mod_http_oauth2: Add FIXME about loopback redirect URIs
I assume you can't possibly pre-register every port
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 00:09:37 +0200] rev 5463
mod_http_oauth2: Rename variables to improve clarity
Kim Alvefur <zash@zash.se> [Tue, 16 May 2023 22:18:12 +0200] rev 5462
mod_http_oauth2: Do minimal validation of private-use URI schemes
Per draft-ietf-oauth-v2-1-08#section-2.3.1
> At a minimum, any private-use URI scheme that doesn't contain a period
> character (.) SHOULD be rejected.
Since this would rule out the OOB URI, which is useful for CLI tools and
such without a built-in http server, it is explicitly allowed.
Kim Alvefur <zash@zash.se> [Tue, 16 May 2023 22:16:39 +0200] rev 5461
mod_http_oauth2: Reject relative redirect URIs
Also prevents a nil scheme from causing trouble
Kim Alvefur <zash@zash.se> [Tue, 16 May 2023 21:10:55 +0200] rev 5460
mod_http_oauth2: Reject duplicate list items in client registration
Useless waste of space
Kim Alvefur <zash@zash.se> [Tue, 16 May 2023 21:09:38 +0200] rev 5459
mod_http_oauth2: Require non-empty arrays in client registration
Makes no sense to claim to support nothing.
Kim Alvefur <zash@zash.se> [Tue, 16 May 2023 21:04:31 +0200] rev 5458
mod_http_oauth2: Reject duplicate redirect URIs in registration
Kim Alvefur <zash@zash.se> [Tue, 16 May 2023 20:56:57 +0200] rev 5457
mod_http_oauth2: Fix schema to enforce at least one redirect URI
minLength is for strings
Kim Alvefur <zash@zash.se> [Fri, 12 May 2023 11:58:20 +0200] rev 5456
mod_http_oauth2: Show only roles the user can use in consent dialog
Confusing if it shows you roles you can't use.
Kim Alvefur <zash@zash.se> [Fri, 12 May 2023 11:11:38 +0200] rev 5455
mod_http_oauth2: Reference grant by id instead of value
Fixes that the grant got mutated on use of refresh token, notably it
would gain 'id' and 'jid' properties set there by mod_tokenauth.
Previously also the secret token that we should not be remembering.
Kim Alvefur <zash@zash.se> [Thu, 11 May 2023 21:43:23 +0200] rev 5454
mod_http_oauth2: Scope FIXMEs
Kim Alvefur <zash@zash.se> [Thu, 11 May 2023 21:41:37 +0200] rev 5453
mod_http_oauth2: Describe type signatures of scope handling functions
Kim Alvefur <zash@zash.se> [Thu, 11 May 2023 21:40:09 +0200] rev 5452
mod_http_oauth2: Allow requesting a subset of scopes on token refresh
This enables clients to request access tokens with fewer permissions
than the grant they were given, reducing impact of token leak. Clients
could e.g. request access tokens with some privileges and immediately
revoke them after use, or other strategies.
Kim Alvefur <zash@zash.se> [Thu, 11 May 2023 19:33:44 +0200] rev 5451
mod_http_oauth2: Enforce client scope restrictions in authorization
When registering a client, a scope field can be included as a promise to
only ever use those. Here we enforce that promise, if given, ensuring a
client can't request or be granted a scope it didn't provide in its
registration. While currently there is no restrictions at registration
time, this could be changed in the future in various ways.
Kim Alvefur <zash@zash.se> [Thu, 11 May 2023 21:37:35 +0200] rev 5450
mod_http_oauth2: Fix inclusion of role in refreshed access tokens
`refresh_token_info` does not carry the role, and due to behavior prior
to prosody trunk rev a1ba503610ed it would have reverted to the users'
default role. After that it instead issues a token without role which is
thus not usable with e.g. mod_rest
Kim Alvefur <zash@zash.se> [Thu, 11 May 2023 15:10:44 +0200] rev 5449
mod_http_oauth2: Fix unintentional persistence
Kim Alvefur <zash@zash.se> [Wed, 10 May 2023 19:49:40 +0200] rev 5448
mod_auth_oauth_external: Update compatibility section with unknowns
The PLAIN bits may very well work, it just needs async support
Kim Alvefur <zash@zash.se> [Wed, 10 May 2023 19:33:37 +0200] rev 5447
mod_auth_oauth_external: Also do XEP-0106 escaping in SASL OAUTHBEARER
For consistency.
The mangling should be made configurable in the future.
Kim Alvefur <zash@zash.se> [Wed, 10 May 2023 19:11:25 +0200] rev 5446
mod_auth_oauth_external: Stub not implemented auth module methods
Not providing some of these may trigger errors on use, which is
something that would be nice to fix on the Prosody side, one day.
Kim Alvefur <zash@zash.se> [Wed, 10 May 2023 18:32:47 +0200] rev 5445
mod_auth_oauth_external: Add Mastodon to README
Kim Alvefur <zash@zash.se> [Wed, 10 May 2023 13:52:31 +0200] rev 5444
mod_auth_oauth_external: Allow different username in PLAIN vs final JID
Mastodon for example having email addresses usernames in login, but a
different username in the service itself.
Thanks to @tcit@social.tcit.fr for the pointer to a usable validation
endpoint for Mastodon, allowing this to be tested.
Kim Alvefur <zash@zash.se> [Wed, 10 May 2023 13:45:28 +0200] rev 5443
mod_auth_oauth_external: Remove untested JID mapping
This should probably be opt-in.
Kim Alvefur <zash@zash.se> [Wed, 10 May 2023 13:43:59 +0200] rev 5442
mod_auth_oauth_external: Remove untested role mapping
This ... broke things. If brought back, it would need additional
validation.
Kim Alvefur <zash@zash.se> [Wed, 10 May 2023 12:55:13 +0200] rev 5441
mod_auth_oauth_external: Expect XEP-0106 escaped username in PLAIN
This allows entering an email address as username in some clients by
escaping the @ as \40, enabling authentication against Mastodon
Kim Alvefur <zash@zash.se> [Wed, 10 May 2023 12:39:05 +0200] rev 5440
mod_auth_oauth_external: Make 'scope' configurable in password grant request
Needed by some OAuth servers, tested here with Mastodon
Kim Alvefur <zash@zash.se> [Mon, 08 May 2023 20:12:43 +0200] rev 5439
mod_auth_oauth_external: Add setting for client_secret
Whether this is needed may vary by OAuth provider. Mastodon for example
requires it.
Kim Alvefur <zash@zash.se> [Mon, 08 May 2023 20:01:34 +0200] rev 5438
mod_auth_oauth_external: Work without token validation endpoint
In this mode, only PLAIN is possible and the provided username is
assumed to be the XMPP localpart.
Kim Alvefur <zash@zash.se> [Mon, 08 May 2023 19:57:10 +0200] rev 5437
mod_auth_oauth_external: Fix missing import of util.jid
Kim Alvefur <zash@zash.se> [Sun, 07 May 2023 20:44:44 +0200] rev 5436
mod_rest/rest.sh: Trim trailing whitespace