Kim Alvefur <zash@zash.se> [Wed, 22 Mar 2023 00:09:58 +0100] rev 5272
mod_http_oauth2: Remove another reference to obsolete function
Kim Alvefur <zash@zash.se> [Tue, 21 Mar 2023 22:29:47 +0100] rev 5271
mod_http_oauth2: Relax payload content type checking in revocation
The code expected
    Content-Type: application/x-www-form-urlencoded
HTTPie sent
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
It did not work
Kim Alvefur <zash@zash.se> [Tue, 21 Mar 2023 22:23:28 +0100] rev 5270
mod_http_oauth2: Remove now unused code
Was apparently only used in revocation which now uses
get_request_credentials() directly
Kim Alvefur <zash@zash.se> [Tue, 21 Mar 2023 22:02:38 +0100] rev 5269
mod_http_oauth2: Allow revoking a token without OAuth client credentials
If you have a valid token, and you're not supposed to have it, revoking
it seems the most responsible thing to do with it, so it should be
allowed, while if you are supposed to have it, you should also be
allowed to revoke it.
Kim Alvefur <zash@zash.se> [Tue, 21 Mar 2023 21:57:18 +0100] rev 5268
mod_http_oauth2: Correctly verify OAuth client credentials on revocation
Makes no sense to validate against username and password here, or using
a token to revoke another token, or itself?
In fact, upon further discussion, why do you need credentials to revoke
a token? If you are not supposed to have the token, revoking it seems
the most responsible thing to do with it, so it should be allowed, while
if you are supposed to have it, you should be allowed to revoke it.
Kim Alvefur <zash@zash.se> [Tue, 21 Mar 2023 21:45:02 +0100] rev 5267
mod_http_oauth2: Group metadata section into OAuth and OpenID
Could easily be confusing otherwise if you're reading one spec and see
properties not defined there.
Kim Alvefur <zash@zash.se> [Tue, 21 Mar 2023 21:36:54 +0100] rev 5266
mod_http_oauth2: Rename oauth client credential related functions
To make it more explicit what "secret" these deal with.
Matthew Wild <mwild1@gmail.com> [Tue, 21 Mar 2023 15:26:03 +0000] rev 5265
mod_sasl2: Pull user-agent info into sasl_handler for later reference
It may be of interest to post-auth things. Putting it on the session was
another option considered, but that seemed unnecessary overhead for something
that might be rarely used. sasl_handler is cleared after successful
authentication.
Kim Alvefur <zash@zash.se> [Sun, 19 Mar 2023 22:21:41 +0100] rev 5264
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se> [Sun, 19 Mar 2023 22:13:27 +0100] rev 5263
mod_http_oauth2: Refactor to allow reuse of OAuth client creation