Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 13:19:25 +0200] rev 5474
mod_http_oauth2: Use error status code when rendering error page
Shouldn't include a 200 OK status code when showing an error.
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 13:03:09 +0200] rev 5473
mod_http_oauth2: Add human-readable error messages
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 12:57:23 +0200] rev 5472
mod_http_oauth2: Fix returning errors from response handlers
This would either redirect the user back to the client along with the
error code, or show the error HTML template.
Previously this would just show some JSON to the user.
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 19:40:27 +0200] rev 5471
mod_http_oauth2: Add a special "xmpp" scope that grants the user's default role
This will be the first step towards defining a standard set of XMPP
scopes. "xmpp" behaves as an alias for the user's default role, so that
the client does not need to know about the various prosody:* roles.
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 18:49:22 +0200] rev 5470
mod_http_oauth2: Add support for the OpenID 'login_hint' parameter
This allows the client to suggest to the authorization screen which user
is trying to log in, so they don't have to fill that in twice if they
already did so at the client.
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 17:56:56 +0200] rev 5469
mod_http_oauth2: Note about partial OpenID Discovery implementation
Notably we don't have a JSON Web Key Set, since we use the client
secret in the HS256 algorithm.
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 17:38:18 +0200] rev 5468
mod_http_oauth2: Split long list line in README
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 16:40:07 +0200] rev 5467
mod_http_oauth2: Proper OAuth error for invalid redirect URI in implicit flow too
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 16:34:19 +0200] rev 5466
mod_http_oauth2: Return proper OAuth error for invalid redirect URI
An unspecific status code of 400 isn't very helpful; this should at
least provide a hint as to what is wrong.
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 13:51:30 +0200] rev 5465
mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs
Per draft-ietf-oauth-v2-1-08#section-8.4.2
> The authorization server MUST allow any port to be specified at the
> time of the request for loopback IP redirect URIs, to accommodate
> clients that obtain an available ephemeral port from the operating
> system at the time of the request.
Uncertain if it should normalize the host part, but it also seems
harmless to treat IPv6 and IPv4 the same here.
One thing is that "localhost" is NOT RECOMMENDED because it can
sometimes be pointed to non-loopback interfaces via DNS or hosts file.
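The redirect URI check described in the last entry, as an added illustration that is not mod_http_oauth2's own code: a requested redirect_uri must match a registered one exactly, except that loopback IP literals (127.0.0.0/8, ::1) may carry any port, per draft-ietf-oauth-v2-1-08 section 8.4.2. Function names are hypothetical, and the choice to treat "localhost" as a plain hostname (no port relaxation) is an assumption following the note above.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Hypothetical helpers for an authorization server's redirect_uri check.


def is_loopback_ip_host(hostname):
    """True only for literal loopback IP addresses such as 127.0.0.1 or ::1."""
    if hostname is None:
        return False
    try:
        return ipaddress.ip_address(hostname).is_loopback
    except ValueError:
        # Names like "localhost" are deliberately not treated as loopback:
        # DNS or the hosts file could point them at a non-loopback interface.
        return False


def normalize_loopback(uri):
    """Return the URI with its port stripped if the host is a loopback IP,
    or None if the host is not a loopback IP literal (IPv4 and IPv6 are
    handled the same way, so "[::1]:8080" and "127.0.0.1:49152" both qualify)."""
    parts = urlsplit(uri)
    if not is_loopback_ip_host(parts.hostname):
        return None
    host = parts.hostname
    if ":" in host:  # IPv6 literal: restore the brackets urlsplit removed
        host = "[" + host + "]"
    # Scheme, path and query must still match; only the port is ignored.
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def redirect_uri_allowed(requested, registered_uris):
    """Decide whether a requested redirect_uri matches one of the client's
    registered redirect URIs. Exact match first; for loopback IP hosts the
    port is ignored so ephemeral ports chosen at request time are accepted."""
    if requested in registered_uris:
        return True
    requested_loopback = normalize_loopback(requested)
    if requested_loopback is None:
        return False  # non-loopback hosts get no relaxation at all
    return any(normalize_loopback(reg) == requested_loopback for reg in registered_uris)
```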