mod_http_oauth2: Refactor scope handling into smaller functions Goal is to put a dropdown on the consent page with your allowed roles. Smaller functions make it easier to reuse. Readability may be improved slightly as well.

mod_http_oauth2: Add option for specifying TTL of registered clients Meant to simplify configuration, since TTL vs ignoring expiration is expected to be the main thing one would want to configure. Unsure what the implications of having unlimited lifetime of clients are, given no way to revoke them currently, short of rotating the signing secret. On one hand, it would be annoying to have the client expire. On the other hand, it is trivial to re-register it.

mod_strict_https: Add way to disable redirect Since Prosody 0.12+ does not listen on unencrypted http anymore, this is likely to cause trouble. Especially since the URL construction is problematic and awkward.

mod_strict_https: Refresh README

mod_prometheus: Wrap pointer to mod_http_openmetrics in a box

mod_listusers: Obsolete, suggest prosodyctl shell instead

mod_strict_https: Update to use modern APIs instead of monkey patching Updates one of the least recently updated modules :) Mapping HTTP Host to Prosody host remains awkward.

mod_http_oauth2: Link to RFC 7009: OAuth 2.0 Token Revocation

mod_http_oauth2: Add service documentation URL to metadata This is aimed to those building integrations, so the modules site seems appropriate. Configurable so that a deployment can point to their own OAuth documentation.

mod_http_oauth2: Allow configuring links to policy and terms in metadata These are for the Authorization Server, here the same as the XMPP server.

mod_http_oauth2: Don't issue client_secret when not using authentication This is pretty much only for implicit flow, which is considered insecure anyway, so this is of limited value. If we delete all the implicit flow code, this could be reverted.

mod_http_oauth2: Validate consistency of response and grant types Ensure that these correlated fields make sense per RFC 7591 § 2.1, even though we currently only check the response type during authorization. This could probably all be deleted if (when!) we remove the implicit grant, since then these things don't make any sense anymore.

mod_http_oauth2: Enforce response type encoded in client_id The client promises to only use this response type, so we should hold them to that. This makes it fail earlier if the response type is disabled or the client is trying to use one that it promised not to use. Better than failing after login and consent.

mod_http_oauth2: Strip unknown extra fields from client registration We shouldn't sign things we don't understand! RFC 7591 section-2 states: > The authorization server MUST ignore any client metadata sent by the > client that it does not understand (for instance, by silently removing > unknown metadata from the client's registration record during > processing). Prevents grandfathering in of unvalidated data that might become used later, especially since the 'additionalProperties' schema keyword was removed in 698fef74ce53

mod_http_oauth2: Simplify validation of various URIs Why: diffstat How: Reuse of the redirect_uri_allowed() function

mod_http_oauth2: More appropriate error conditions in client validation Specified in RFC7591 for these kinds of issues.

mod_http_oauth2: Reject loopback URIs as client_uri This really should be a proper website with info, https://localhost is not good enough. Ideally we'd validate that it's got proper DNS and is actually reachable, but triggering HTTP or even DNS lookups seems like it would carry abuse potential that would best to avoid.

mod_http_oauth2: Reduce line count of metadata construction More compact and readable than long if-then chains

mod_http_oauth2: Advertise response modes Are you supposed to be able to influence these somewhere, or is this just response types with different labels?

mod_http_oauth2: Advertise supported grant types Seems redundant, since it's just the response types with other labels.

mod_http_oauth2: Advertise revocation endpoint in metadata How were you supposed to know this was supported otherwise? It support Basic auth and ... none?

mod_http_oauth2: Return status 405 for GET to endpoints without GET handler Endpoints that only do POST have the weird side effect that a GET query to them return 404, which doesn't quite feel like the right semantics.

mod_inotify_reload: Update to use FD watching method This removes the need to present a fake socket interface, simplifying everything.

mod_http_oauth2: Allow loopback IP literals in redirect URIs Previously only exactly "http://localhost" was allowed, but RFC 8252 seems to recommend both ::1 and 127.0.0.1 be allowed.

mod_http_oauth2: Add way to retrieve registration schema Mostly for convenience and to fill the void otherwise and drive the awkward fallback to 404 away.

mod_http_oauth2: Fix missing base64 part of base64url (Thanks KeyCloak) Obligatory bugs in untested code.

mod_http_oauth2: Fix accidental uppercase in invocation of hash function Thanks auto-complete!

mod_http_oauth2: Advertise the currently supported id_token signing algorithm This field is REQUIRED. The algorithm RS256 MUST be included, but isn't because we don't implement it, as that would require implementing a pile of additional cryptography and JWT stuff. Instead the id_token is signed using the client secret, which allows verification by the client, since it's a shared secret per OpenID Connect Core 1.0 § 10.1 under Symmetric Signatures. OpenID Connect Discovery 1.0 has a lot of REQUIRED and MUST clauses that are not supported here, but that's okay because this is served from the RFC 8414 OAuth 2.0 Authorization Server Metadata .well-known endpoint!

mod_http_oauth2: Specify that 'contacts' items are emails in client registration Not enforced, but good for documentation. > Array of strings representing ways to contact people responsible for > this client, typically email addresses. "typically" isn't a great word in a specification, so one could persume this may be e.g. URLs like https://example.com/contact-us or so as well.

Back out 6f13200c9fc1: Confused request URI with redirect URI redirect_uris is already marked as required in RFC7591

mod_rest/rest.sh: Implement RFC 7636 PKCE with the 'plain' method The S256 code challenge method left as a future exercise.

mod_http_oauth2: Advertise required registration of redirect URIs Specified in OpenID Connect Discovery 1.0 Seems important to be aware of when registering a client.

mod_http_oauth2: Advertise supported token endpoint auth methods

mod_http_oauth2: Allow configuring PKCE challenge methods You'd pretty much only want this to disable the 'plain' method, since it doesn't seem to add that much security?

mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Likely to become mandatory in OAuth 2.1. Backwards compatible since the default 'plain' verifier would compare nil with nil if the relevant parameters are left out.

mod_http_oauth2: Reorder routes into order they happen in OAuth 2.0 Since I usually start here to remember the order of things, might as well turn it into a mini step by step guide :)

mod_firewall: Initialize compiled chunk just once for all handlers This should fix a case where some stateful dependencies (such as throttles) produce separate instances for every call to new_handler(), leading to surprising behaviour (e.g. rules executed via JUMP CHAIN vs ::deliver would have separate rate limits). This also adds better error handling in case the compiled code fails to run for some reason.

mod_rest/rest.sh: Set software_id in client registration to something Mostly just for exercising the extra fields.

mod_rest/rest.sh: Include .sh suffix in client registration Slight improvement in how the text in mod_http_oauth2 templates reads.

mod_http_oauth2: Record OAuth software id and version attached to tokens Unsure if these are used anywhere, but `software_id` is supposedly more unique than `client_uri` which can vary by registration or something? Software versions can also be good to know e.g. in case there is a security issue affecting certain versions that could warrant revocation of tokens issued to it.

mod_http_oauth2: Fix misplaced 'default' on wrong side of } in client registration schema

mod_remote_roster: Set id on generated iq stanzas (thanks @agwa) Fixes 'iq stanzas require an id attribute' error from util.stanza.

mod_http_oauth2: Fix to include "openid" scope in discovery metadata The "openid" scope was left out of openid_claims since it is treated differently from the other scopes.

mod_client_management: Show time for recent timestamps in shell command Semi-fuzzy time is nice

mod_client_management: Fix changed column cell "key" Forgot to change in b2d51c6ae89a

mod_client_management: Fix error when called against host without this module Previously: prosody> user:clients("user@example.org") | Result: 1

mod_client_management: Move table cell formatting into column specification It's only more lines because of lua-format!

mod_client_management: Fix type confusion client_selector : string, not some sort of table?

mod_client_management: Fix error when last password change is unknown (or never) Fixes attempt to compare nil with number here, due to last_password_change being nil

mod_rest/rest.sh: Register as native application Otherwise the custom nonstandard URI would be rejected per the last commit to mod_http_oauth2

mod_http_oauth2: Validate redirect URI depending on application type Per https://openid.net/specs/openid-connect-registration-1_0.html require that web applications use https:// and native applications must use either http://localhost or a custom (non-https) URI. Previous requirement that hostname matches that of client_uri is kept for web applications.

mod_http_oauth2: Fill in some client metadata defaults Explicit > Implicit Maybe we should actually use these for something as well? :) It's is somewhat an open question of how strictly we should enforce things in the client metadata given that it is somewhat extensible. Especially some of these enum fields which have corresponding IANA registries.

mod_http_oauth2: Allow only l10n variants of name in client metadata Since "client_name" seems to be the only human readable non-URI property that makes sense to have localized version of. Therefore it seems excessive to allow arbitrary additionalProperties. We don't make use of localized versions of client_name and URIs yet, but it would be nice to do so.

mod_http_oauth2: Normalize whitespace in client metadata schema Random extra whitespace?

mod_log_ringbuffer: Fix description and examples of level configuration

mod_log_ringbuffer: Fix example config

mod_oidc_userinfo_vcard4: Fix phone number claim Copy-paste mistake probably

mod_oidc_userinfo_vcard4: Unpack <vcard> from PubSub <item> Forgot about the <item>, so it was previously attempting to extract all properties from that instead of the inner <vcard>

mod_http_oauth2: Use new Lua pattern schema properties

mod_http_oauth2: Include additional OpenID scopes in metadata Drops fallback because this module probably doesn't work with Prosody before the role stuff anyway.

mod_http_oauth2: Validate (unused at this point) localized URIs Client registration may include keys of the form "some_uri#lang-code" pointing to alternate language versions of the various URIs. We don't use this yet but the same validation should apply.

mod_http_oauth2: Declare https as required of URIs in schema If util.jsonschema happens to gain support for 'pattern' (regular expression validation) then this would be picked up. Until then, declarative annotations are nice.

mod_http_oauth2: Enforce https requirement on TOS URI In create_client() it validates that all fields with format=uri are https and match the client_uri host.

mod_http_oauth2: Use new mod_cron API for periodic cleanup Less frequent but this isn't that important after all since, as the comment states, expired codes are not usable anyway. They're also not that large so memory usage probably doesn't matter.

mod_audit_status: Fix error on first start Fixes 'attempt to index a nil value' the first time this module is loaded, since there's no data yet.

mod_muc_rtbl: Use correct occupant object There is no 'occupant' property for this event.

mod_audit: Move underscore to avoid luacheck warning Underscore as prefix is taken as a signal that the variable is unused, but then it is used and luacheck makes noise about that.

mod_oidc_userinfo_vcard4: Provide profile details in mod_http_oauth2

mod_auth_oauth_external: Add configuration example

mod_auth_oauth_external: Linkify password grant

mod_auth_oauth_external: Some notes in README

mod_auth_oauth_external: Allow setting identity instead of discovery URL Shorter and the .well-known part is, well, well-known.

mod_auth_oauth_external: Support PLAIN via resource owner password grant Might not be supported by the backend but PLAIN is the lowest common denominator, so not having it would lock out a lot of clients.

mod_auth_oauth_external: Authenticate against an OAuth 2 provider But suddenly unsure whether this constitutes an OAuth "client" or something else? Resource server maybe?

mod_client_management: Fix import of util.error (not errors)

mod_rest: Implement use of refresh tokens in rest.sh example Because having access tokens expire daily was becoming annoying. Now this is starting to be in dire need of refactoring.

mod_http_oauth2: Fix error due to reference loop when using refresh token

mod_http_oauth2: Fix table index error when using refresh token

mod_muc_http_defaults: Use the new set_subject API. Thanks John Livingston

mod_service_outage_status: XEP-0455: Service Outage Status Only the out of band part so far. The in-band pubsub part would need '+notify' support in mod_pubsub, since mod_pep does not serve the bare-host-JID. All the hard parts of this XEP is elsewhere, i.e. hosting the document somewhere reliable.

mod_http_oauth2: Support OpenID UserInfo claims Actually filling in those details is left to another module because I don't really wanna mix in a dependency on PEP or mod_vcard here, those implementation details can be in a second module. Some might want to fill this from LDAP or something as well.

mod_http_oauth2: Add some debug logging for UserInfo endpoint

mod_http_oauth2: Correct error code when missing credentials for userinfo

mod_rest: Get correct type from config Autocomplete?

mod_http_debug: Module that echos back HTTP request info for debugging Written in 2021 for debugging some reverse proxy issue on https://chat.prosody.im/

mod_rest: Allow passing configuring a timeout for <iq> responses The default 2 minutes is not how long you want to wait, sometimes.

mod_audit: Add expiration of entries, and handling of full archive stores

mod_rest/rest.sh: Update 'client_uri' to module page This started as a convenience wrapper for httpie + mod_rest that eventually grew OAuth support.

mod_rest/rest.sh: List dependencies in comment

mod_http_oauth2/README: Add rest.sh to known implementations

mod_audit: Add 'note' column

mod_audit: Improve filtering options and add documentation to README

mod_audit: Add some control over output columns via command-line flags

mod_audit_status: Include shutdown reason in log entry

mod_audit: Let util.human.io pick a suitable default width It supports better width detection now.

mod_audit: Use proportional columns in table output

mod_audit: Fix iteration of custom payloads to use ipairs

mod_audit_status: New module to log server status to audit log

mod_audit: Display most recent entries first, rather than showing oldest This matches the output of 'lastb'.

mod_audit: Minor style nit

mod_audit: Allow caller to specify time of the event

mod_http_oauth2/README: Link to mod_rest

mod_http_oauth2/README: Link to OAuth and OIDC sites

mod_client_management: README: Update docs to detail shell and XMPP interfaces

mod_http_oauth2: README: Updated documentation to reflect module status

mod_client_management: Add list-clients + manage-clients permissions to users

mod_client_management: Add support for revoking client access via XMPP

mod_client_management: Improve representation of authentication methods

mod_client_management: Improve table output Requires 1f89a2a9f532 and 1023c3faffac from Prosody.

mod_client_management: Fix user:clients() shell command to take a JID

mod_client_management: Use grant id from key This is a minor tweak - it's faster and preserves compatibility with older data formats (that we don't necessarily want to be compatible with, but some of us have messy data stores and it pays to be a little more robust).

mod_client_management: Fail to revoke clients that have used passwords Return an error so the caller can take appropriate action, e.g. encouraging the user to change their password.

mod_client_management: Add support for revocation of clients (when possible) We decided to keep the unified listing of "clients", which includes both SASL2 clients and OAuth grants, etc. To a user, or someone wanting to manage what can access their account, they are largely equivalent. To accomplish this technically, we add a prefix to the id to state what type it really is.

mod_client_management: Include client type in XML response listing

mod_sasl2_fast: Add API method to revoke FAST tokens for a given client

mod_cloud_notify_filters: Fix traceback when invalid JIDs are submitted

mod_client_management: Add XMPP and shell interfaces to fetch client list

.luacheckrc: Add module.once

mod_audit: Add a command to print the audit log on the command-line

mod_audit: Support for adding location (GeoIP) to audit events This can be more privacy-friendly than logging full IP addresses, and also more informative to a user - IP addresses don't mean much to the average person, however if they see activity from outside their expected country, they can immediately identify suspicious activity. As with IPs, this field is configurable for deployments that would like to disable it. Location is also not logged when the geoip library is not available.