Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:23:40 +0200] rev 5408
mod_http_oauth2: Strip unknown extra fields from client registration
We shouldn't sign things we don't understand!
RFC 7591 section-2 states:
> The authorization server MUST ignore any client metadata sent by the
> client that it does not understand (for instance, by silently removing
> unknown metadata from the client's registration record during
> processing).
Prevents grandfathering in of unvalidated data that might become used
later, especially since the 'additionalProperties' schema keyword was
removed in 698fef74ce53
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:23:05 +0200] rev 5407
mod_http_oauth2: Simplify validation of various URIs
Why: diffstat
How: Reuse of the redirect_uri_allowed() function
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:22:17 +0200] rev 5406
mod_http_oauth2: More appropriate error conditions in client validation
Specified in RFC7591 for these kinds of issues.
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:20:55 +0200] rev 5405
mod_http_oauth2: Reject loopback URIs as client_uri
This really should be a proper website with info, https://localhost is
not good enough. Ideally we'd validate that it's got proper DNS and is
actually reachable, but triggering HTTP or even DNS lookups seems like
it would carry abuse potential that would best to avoid.
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:14:22 +0200] rev 5404
mod_http_oauth2: Reduce line count of metadata construction
More compact and readable than long if-then chains
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:08:35 +0200] rev 5403
mod_http_oauth2: Advertise response modes
Are you supposed to be able to influence these somewhere, or is this
just response types with different labels?
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:07:09 +0200] rev 5402
mod_http_oauth2: Advertise supported grant types
Seems redundant, since it's just the response types with other labels.
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 15:41:36 +0200] rev 5401
mod_http_oauth2: Advertise revocation endpoint in metadata
How were you supposed to know this was supported otherwise?
It support Basic auth and ... none?
Kim Alvefur <zash@zash.se> [Sun, 30 Apr 2023 17:04:55 +0200] rev 5400
mod_http_oauth2: Return status 405 for GET to endpoints without GET handler
Endpoints that only do POST have the weird side effect that a GET query
to them return 404, which doesn't quite feel like the right semantics.
Kim Alvefur <zash@zash.se> [Sun, 30 Apr 2023 20:34:36 +0200] rev 5399
mod_inotify_reload: Update to use FD watching method
This removes the need to present a fake socket interface, simplifying
everything.