Kim Alvefur <zash@zash.se> [Tue, 16 May 2023 20:56:57 +0200] rev 5457
mod_http_oauth2: Fix schema to enforce at least one redirect URI
minLength is for strings
Kim Alvefur <zash@zash.se> [Fri, 12 May 2023 11:58:20 +0200] rev 5456
mod_http_oauth2: Show only roles the user can use in consent dialog
Confusing if it shows you roles you can't use.
Kim Alvefur <zash@zash.se> [Fri, 12 May 2023 11:11:38 +0200] rev 5455
mod_http_oauth2: Reference grant by id instead of value
Fixes that the grant got mutated on use of refresh token, notably it
would gain 'id' and 'jid' properties set there by mod_tokenauth.
Previously also the secret token that we should not be remembering.
Kim Alvefur <zash@zash.se> [Thu, 11 May 2023 21:43:23 +0200] rev 5454
mod_http_oauth2: Scope FIXMEs
Kim Alvefur <zash@zash.se> [Thu, 11 May 2023 21:41:37 +0200] rev 5453
mod_http_oauth2: Describe type signatures of scope handling functions
Kim Alvefur <zash@zash.se> [Thu, 11 May 2023 21:40:09 +0200] rev 5452
mod_http_oauth2: Allow requesting a subset of scopes on token refresh
This enables clients to request access tokens with fewer permissions
than the grant they were given, reducing impact of token leak. Clients
could e.g. request access tokens with some privileges and immediately
revoke them after use, or other strategies.
Kim Alvefur <zash@zash.se> [Thu, 11 May 2023 19:33:44 +0200] rev 5451
mod_http_oauth2: Enforce client scope restrictions in authorization
When registering a client, a scope field can be included as a promise to
only ever use those. Here we enforce that promise, if given, ensuring a
client can't request or be granted a scope it didn't provide in its
registration. While currently there is no restrictions at registration
time, this could be changed in the future in various ways.
Kim Alvefur <zash@zash.se> [Thu, 11 May 2023 21:37:35 +0200] rev 5450
mod_http_oauth2: Fix inclusion of role in refreshed access tokens
`refresh_token_info` does not carry the role, and due to behavior prior
to prosody trunk rev a1ba503610ed it would have reverted to the users'
default role. After that it instead issues a token without role which is
thus not usable with e.g. mod_rest
Kim Alvefur <zash@zash.se> [Thu, 11 May 2023 15:10:44 +0200] rev 5449
mod_http_oauth2: Fix unintentional persistence
Kim Alvefur <zash@zash.se> [Wed, 10 May 2023 19:49:40 +0200] rev 5448
mod_auth_oauth_external: Update compatibility section with unknowns
The PLAIN bits may very well work, it just needs async support