Kim Alvefur <zash@zash.se> [Sat, 03 Jun 2023 20:04:40 +0200] rev 5521
mod_http_oauth2: Apply text color to OOB input field
Was using the browser default color
Kim Alvefur <zash@zash.se> [Sat, 03 Jun 2023 19:21:39 +0200] rev 5520
mod_client_management: Include client software version number in listing
Should you ever wish to revoke a client by version number, e.g. for
security reasons affecting certain versions, then it would be good to at
the very least see which version is used.
Also includes the OAuth2 software ID, an optional unique identifier that
should be the same for all installations of a particular software.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 11:28:04 +0200] rev 5519
mod_http_oauth2: Present OOB code in an input field for easier selection
Should also avoid stray whitespace making it into the selection.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 11:20:08 +0200] rev 5518
mod_http_oauth2: Revert strict form check to allow consent of multiple scopes
Untested commit breaks everything, news at 11
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 11:03:57 +0200] rev 5517
mod_http_oauth2: Reject duplicate form-urlencoded parameters
Per RFC 6749 section 3.1
> Request and response parameters MUST NOT be included more than once.
Thanks to OAuch for pointing out
Also cleans up some of the icky behavior of formdecode(), like returning
a string if no '=' is included.
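As an added illustration of the check this commit describes (written in Python for demonstration; it is not the module's Lua code nor anything from prosody-modules): a strict form-urlencoded decoder that refuses any parameter name appearing more than once, per RFC 6749 section 3.1, and always returns a dict even when a pair carries no '='. The names strict_formdecode, DuplicateParameter and token_request_ok are assumed for the example.

```python
# Added example, not from mod_http_oauth2: strict form-urlencoded decoding.
# RFC 6749 section 3.1: "Request and response parameters MUST NOT be
# included more than once." A repeated name is rejected outright rather
# than silently taking the first or last value, which is what makes
# parameter-pollution style ambiguity between components impossible.
from typing import Dict
from urllib.parse import unquote_plus


class DuplicateParameter(ValueError):
    """Raised when a form body repeats a parameter name."""


def strict_formdecode(body: str) -> Dict[str, str]:
    """Decode application/x-www-form-urlencoded text into a dict.

    - A name seen twice raises DuplicateParameter.
    - A pair without '=' maps to the empty string (always a dict,
      never a bare string, for any input).
    - Empty segments (trailing '&', empty body) are ignored.
    """
    params: Dict[str, str] = {}
    for pair in body.split("&"):
        if pair == "":
            continue
        name, sep, value = pair.partition("=")
        name = unquote_plus(name)
        if name in params:
            raise DuplicateParameter(f"parameter {name!r} included more than once")
        params[name] = unquote_plus(value) if sep else ""
    return params


def token_request_ok(body: str) -> bool:
    """True only for a body with no repeated parameters and a grant_type.

    A token endpoint would answer anything else with an
    'invalid_request' error instead of guessing which value was meant.
    """
    try:
        params = strict_formdecode(body)
    except DuplicateParameter:
        return False
    return "grant_type" in params
```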
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 10:40:48 +0200] rev 5516
mod_http_oauth2: Bind refresh tokens to client
Prevent one OAuth client from using the refresh tokens issued to another
client as required by RFC 6819 section 5.2.2.2
See also draft-ietf-oauth-security-topics-22 section 2.2.2
Thanks to OAuch for pointing out this issue
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 10:14:16 +0200] rev 5515
mod_http_oauth2: Record hash of client_id to allow future verification
RFC 6819 section 5.2.2.2 states that refresh tokens MUST be bound to the
client. In order to do that, we must record something that can
definitely tie the client to the grant. Since the full client_id is so
large (why we have this client_subset function), a hash is stored
instead.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 10:12:46 +0200] rev 5514
mod_http_oauth2: Add client verification wrapper function
Fixes the weird ok, data return format from util.jit, but the real
reason is to add some preparation steps here.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 08:59:59 +0200] rev 5513
mod_http_oauth2: Add Cache-Control and Pragma headers per RFC 6749
These are mostly for the various Client-facing endpoints, so the chance
of browsers being involved is slightly lower than with the User-facing
authorization endpoint, which already sent the Cache-Control header.
Thanks to OAuch for pointing out.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 08:59:29 +0200] rev 5512
mod_http_oauth2: Linkify mod_client_management in README