Kim Alvefur <zash@zash.se> [Thu, 16 Mar 2023 17:52:10 +0100] rev 5260
mod_http_oauth2: Reject non-local hosts in more code paths
We're not issuing tokens for users on remote hosts, we can't even
authenticate them since they're remote. Thus the host is always the
local module.host so no need to pass around the host in most cases or
use it for anything but enforcing the same host.
Kim Alvefur <zash@zash.se> [Thu, 16 Mar 2023 17:06:35 +0100] rev 5259
mod_http_oauth2: Add support for the "openid" scope
This "openid" scope is there to signal access to the userinfo endpoint,
which is needed for OIDC support.
We don't actually check this later because the userinfo endpoint only
returns info embedded in the token itself, but in the future we may want
to check this more carefully.
Kim Alvefur <zash@zash.se> [Thu, 16 Mar 2023 17:03:48 +0100] rev 5258
mod_http_oauth2: Prepare to handle multiple e.g. non-role scopes
This is to prepare to handle scopes like "openid" that don't map to
roles.
Kim Alvefur <zash@zash.se> [Thu, 16 Mar 2023 14:27:46 +0100] rev 5257
mod_adhoc_oauth2_client: Make note in README about current broken state
It could plausibly be made to work again using the stateless method
internally.
Kim Alvefur <zash@zash.se> [Thu, 16 Mar 2023 00:06:43 +0100] rev 5256
mod_http_oauth2: Fix attempt to index a boolean value
_This_ function signature strikes again
It returns true, payload, but only passed the boolean on in place of the
client, tripping up client_subset()
Matthew Wild <mwild1@gmail.com> [Tue, 14 Mar 2023 18:59:39 +0000] rev 5255
mod_audit: Allow disabling IP logging, or limiting it to a prefix
Matthew Wild <mwild1@gmail.com> [Tue, 14 Mar 2023 17:48:44 +0000] rev 5254
mod_audit: Include client id in audit log entries (if known)
Matthew Wild <mwild1@gmail.com> [Tue, 14 Mar 2023 17:13:46 +0000] rev 5253
mod_sasl2: Fire authentication-{success,failure} events like mod_saslauth
Kim Alvefur <zash@zash.se> [Tue, 14 Mar 2023 18:08:25 +0100] rev 5252
mod_http_oauth2: Record details of OAuth client a token is issued to
To enable use cases such as revoking all tokens issued to a particular
OAuth client in case of security issues, or for informative purposes
such as when listing tokens for users.
Kim Alvefur <zash@zash.se> [Sun, 12 Mar 2023 17:56:23 +0100] rev 5251
mod_http_oauth2: Invoke mod_http_errors to render error on invalid redirect
Turns out returning a table like that produces a blank page. Kinda
boring and not very helpful.