Thu, 18 May 2023 13:19:25 +0200 mod_http_oauth2: Use error status code when rendering error page
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 13:19:25 +0200] rev 5474
mod_http_oauth2: Use error status code when rendering error page

Shouldn't include a 200 OK status code when showing an error.
Thu, 18 May 2023 13:03:09 +0200 mod_http_oauth2: Add human-readable error messages
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 13:03:09 +0200] rev 5473
mod_http_oauth2: Add human-readable error messages
Thu, 18 May 2023 12:57:23 +0200 mod_http_oauth2: Fix returning errors from response handlers
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 12:57:23 +0200] rev 5472
mod_http_oauth2: Fix returning errors from response handlers

This would either redirect the user back to the client along with the error code, or show the error HTML template. Previously this would just show some JSON to the user.
Wed, 17 May 2023 19:40:27 +0200 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 19:40:27 +0200] rev 5471
mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role

This will be the first step towards defining a standard set of XMPP scopes. "xmpp" behaves as an alias for the user's default role, so that the client does not need to know about the various prosody:* roles.
Wed, 17 May 2023 18:49:22 +0200 mod_http_oauth2: Add support for the OpenID 'login_hint' parameter
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 18:49:22 +0200] rev 5470
mod_http_oauth2: Add support for the OpenID 'login_hint' parameter

This allows the client to suggest to the authorization screen which user is trying to log in, so they don't have to fill that in twice if they already did so at the client.
Wed, 17 May 2023 17:56:56 +0200 mod_http_oauth2: Note about partial OpenID Discovery implementation
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 17:56:56 +0200] rev 5469
mod_http_oauth2: Note about partial OpenID Discovery implementation

Notably we don't have a JSON Web Key Set, since we use the client secret in the HS256 algorithm.
Wed, 17 May 2023 17:38:18 +0200 mod_http_oauth2: Split long list line in README
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 17:38:18 +0200] rev 5468
mod_http_oauth2: Split long list line in README
Wed, 17 May 2023 16:40:07 +0200 mod_http_oauth2: Proper OAuth error for invalid redirect URI in implicit flow too
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 16:40:07 +0200] rev 5467
mod_http_oauth2: Proper OAuth error for invalid redirect URI in implicit flow too
Wed, 17 May 2023 16:34:19 +0200 mod_http_oauth2: Return proper OAuth error for invalid redirect URI
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 16:34:19 +0200] rev 5466
mod_http_oauth2: Return proper OAuth error for invalid redirect URI

An unspecific status code of 400 isn't very helpful; this should at least provide a hint as to what is wrong.
Wed, 17 May 2023 13:51:30 +0200 mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 13:51:30 +0200] rev 5465
mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs

Per draft-ietf-oauth-v2-1-08#section-8.4.2

> The authorization server MUST allow any port to be specified at the
> time of the request for loopback IP redirect URIs, to accommodate
> clients that obtain an available ephemeral port from the operating
> system at the time of the request.

Uncertain if it should normalize the host part, but it also seems harmless to treat IPv6 and IPv4 the same here.

One thing is that "localhost" is NOT RECOMMENDED because it can sometimes be pointed to non-loopback interfaces via DNS or hosts file.
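The loopback-port rule quoted in that commit, together with the error-delivery behaviour from the commits above it (send the OAuth error back through the redirect URI only when that URI matches the client's registration, otherwise render an error page with a non-200 status), can be shown end to end in a few functions. The following is an added example written for this page, not mod_http_oauth2's own code, and is in Python rather than Prosody's Lua; the function names, the 302/400 choices and the sample registration are assumptions. It follows the commit in not treating "localhost" as loopback, so only literal loopback IP addresses get the any-port exception.

```python
# Added example, not mod_http_oauth2's code: redirect URI checking for an
# OAuth 2.1 authorization endpoint, following draft-ietf-oauth-v2-1-08
# section 8.4.2 (loopback IP redirect URIs may use any port) and the
# error-delivery rules described in the changelog above. All names are
# hypothetical.
import html
from ipaddress import ip_address
from urllib.parse import urlencode, urlsplit, urlunsplit


def is_loopback_ip(host):
    """True only for loopback IP literals (127.0.0.0/8, ::1).

    "localhost" is deliberately excluded: the draft marks it NOT RECOMMENDED
    because DNS or the hosts file can point it at a non-loopback interface.
    """
    if not host:
        return False
    try:
        return ip_address(host).is_loopback
    except ValueError:  # hostnames such as "localhost" or "app.example"
        return False


def redirect_uri_matches(registered, requested):
    """Exact comparison, except that loopback IP URIs may differ in port."""
    if registered == requested:
        return True
    reg, req = urlsplit(registered), urlsplit(requested)
    # The port exception applies only to http://<loopback-ip>[:port]/... URIs.
    if reg.scheme != "http" or req.scheme != "http":
        return False
    if not (is_loopback_ip(reg.hostname) and is_loopback_ip(req.hostname)):
        return False
    # Compare the host as an address so [::1] and ::1 spellings agree; path
    # and query must still match exactly, only the port may differ.
    return (ip_address(reg.hostname) == ip_address(req.hostname)
            and reg.path == req.path and reg.query == req.query)


def is_registered_redirect(client_redirect_uris, requested):
    return any(redirect_uri_matches(uri, requested) for uri in client_redirect_uris)


def authorization_error(client_redirect_uris, requested_redirect_uri,
                        error, description, state=None):
    """Return (status, headers, body) for an authorization endpoint error.

    The error is sent to the client only through a redirect URI that matches
    the client's registration. For an unregistered redirect_uri the user agent
    must not be redirected at all, so an HTML error page is returned instead,
    with a 400 status rather than 200 OK.
    """
    if requested_redirect_uri and is_registered_redirect(client_redirect_uris,
                                                         requested_redirect_uri):
        params = {"error": error, "error_description": description}
        if state is not None:
            params["state"] = state  # echoed so the client can match the request
        parts = urlsplit(requested_redirect_uri)
        query = parts.query + ("&" if parts.query else "") + urlencode(params)
        location = urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))
        return 302, {"Location": location}, ""
    body = "<h1>%s</h1><p>%s</p>" % (html.escape(error), html.escape(description))
    return 400, {"Content-Type": "text/html; charset=utf-8"}, body


if __name__ == "__main__":
    # Constructed sample: a native client registered with a loopback redirect URI.
    registered = ["http://127.0.0.1/cb"]
    print(authorization_error(registered, "http://127.0.0.1:49152/cb",
                              "access_denied", "The user declined", state="abc"))
    print(authorization_error(registered, "https://other.example/cb",
                              "invalid_request", "redirect_uri does not match"))
```

The two cases in the `__main__` block show the split the commits describe: an ephemeral port on 127.0.0.1 still matches the registration and gets a redirect carrying `error`, `error_description` and `state`, while a redirect URI that matches nothing produces the error page with status 400 and no redirect.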