Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 19:03:32 +0200] rev 5558
mod_http_oauth2: Make allowed locales configurable
Explicit > Implicit
Instead of allowing anything after #, allow only the explicitly
configured locales to be used.
Default to empty list because using these is not supported yet.
This potentially limits the size of the client_id, which is already
quite large. Nothing prevents clients from registering a whole
client_id per locale, which would not require translation support on
this side.
Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 18:15:00 +0200] rev 5557
mod_http_oauth2: Improve error messages for URI properties
Since there are separate validation checks for URI properties, including
that they should use https, with better and more specific error reporting.
Reverts 'luaPattern' to 'pattern' which is not currently supported by
util.jsonschema, but allows anything that retrieves the schema over http
to validate against it, should they wish to do so.
Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 16:28:13 +0200] rev 5556
mod_rest: Describe the error 'by' property in OpenAPI spec
Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 16:26:33 +0200] rev 5555
mod_rest: List all error conditions in OpenAPI spec
These are not handled by datamanager but by util.stanza and util.error,
so they are not represented in the JSON schema file.
Kim Alvefur <zash@zash.se> [Fri, 16 Jun 2023 00:10:46 +0200] rev 5554
mod_http_oauth2: Make note about handling repeated
RFC 6749 states
> If an authorization code is used more than once, the authorization
> server MUST deny the request and SHOULD revoke (when possible) all
> tokens previously issued based on that authorization code.
We should follow the SHOULD.
The MUST is already covered by removing the code state from the cache.
Kim Alvefur <zash@zash.se> [Fri, 16 Jun 2023 00:06:53 +0200] rev 5553
mod_http_oauth2: Add TODO about disabling password grant
Per recommendation in draft-ietf-oauth-security-topics-23 it should at
the very least be disabled by default.
However since this is used by the Snikket web portal some care needs to
be taken not to break this, unless it's already broken by other changes
to this module.
Kim Alvefur <zash@zash.se> [Fri, 16 Jun 2023 00:05:57 +0200] rev 5552
mod_http_oauth2: Disable CORS for authorization endpoint
Per recommendation in draft-ietf-oauth-security-topics-23
Hopefully it is enough to return an error status, since mod_http will
add CORS headers from a handler with higher priority, even for OPTIONS.
Kim Alvefur <zash@zash.se> [Sun, 11 Jun 2023 14:06:28 +0200] rev 5551
mod_http_oauth2: Make CSP configurable
E.g. to enable forbidding all scripts if you don't use any scripts, or
allow scripts from your separate static content domain, etc.
Kim Alvefur <zash@zash.se> [Sun, 11 Jun 2023 14:03:27 +0200] rev 5550
mod_http_oauth2: Link to RFC 7628 in README
Links are good.
Kim Alvefur <zash@zash.se> [Sun, 11 Jun 2023 14:02:47 +0200] rev 5549
mod_http_oauth2: Use code spans for some config options in README
To make them more recognisable as code things.