Kim Alvefur <zash@zash.se> [Thu, 16 Mar 2023 00:06:43 +0100] rev 5256
mod_http_oauth2: Fix attempt to index a boolean value
_This_ function signature strikes again
It returns true, payload, but only passed the boolean on in place of the
client, tripping up client_subset()
Matthew Wild <mwild1@gmail.com> [Tue, 14 Mar 2023 18:59:39 +0000] rev 5255
mod_audit: Allow disabling IP logging, or limiting it to a prefix
Matthew Wild <mwild1@gmail.com> [Tue, 14 Mar 2023 17:48:44 +0000] rev 5254
mod_audit: Include client id in audit log entries (if known)
Matthew Wild <mwild1@gmail.com> [Tue, 14 Mar 2023 17:13:46 +0000] rev 5253
mod_sasl2: Fire authentication-{success,failure} events like mod_saslauth
Kim Alvefur <zash@zash.se> [Tue, 14 Mar 2023 18:08:25 +0100] rev 5252
mod_http_oauth2: Record details of OAuth client a token is issued to
To enable use cases such as revoking all tokens issued to a particular
OAuth client in case of security issues, or for informative purposes
such as when listing tokens for users.
Kim Alvefur <zash@zash.se> [Sun, 12 Mar 2023 17:56:23 +0100] rev 5251
mod_http_oauth2: Invoke mod_http_errors to render error on invalid redirect
Turns out returning a table like that produces a blank page. Kinda
boring and not very helpful.
Kim Alvefur <zash@zash.se> [Sun, 12 Mar 2023 12:06:44 +0100] rev 5250
mod_http_oauth2: Validate all URIs against client_uri in client registration
Validating against all redirect URIs didn't work for OOB-only clients,
which happens to be what I was testing with.
Kim Alvefur <zash@zash.se> [Sun, 12 Mar 2023 11:27:29 +0100] rev 5249
mod_http_oauth2: Organize HTTP routes with comments
Starting to get hard to follow. Usually one would start tracing the
steps at the HTTP authorize route. Vaguely sorted alphabetically by
path and point in the flow. (/register comes before /authorize tho)
Kim Alvefur <zash@zash.se> [Sat, 11 Mar 2023 22:58:47 +0100] rev 5248
mod_http_oauth2: Fix validation of informative URIs
Iterating over wrong table
Kim Alvefur <zash@zash.se> [Sat, 11 Mar 2023 22:46:27 +0100] rev 5247
mod_http_oauth2: Use more compact IDs
UUIDs are nice but so verbose!
The reduction in entropy for the nonce should be fine since the
timestamp also counts towards this, and it changes every second
(modulo clock shenanigans), so the chances of someone managing to get
the same client_secret by registering with the same information at the
same time as another entity should be negligible.