Kim Alvefur <zash@zash.se> [Fri, 10 Mar 2023 12:03:23 +0100] rev 5235
mod_http_oauth2: Fix to disable disabled response handlers correctly
Wrong table
Kim Alvefur <zash@zash.se> [Fri, 10 Mar 2023 12:01:52 +0100] rev 5234
mod_http_oauth2: Log flows enabled and disabled
If a developer ever wants to be sure what the state is
Kim Alvefur <zash@zash.se> [Fri, 10 Mar 2023 11:54:30 +0100] rev 5233
mod_http_oauth2: Fix appending of query parts in error redirects
Looks like this meant to check whether the redirect_uri has a ?query
part, but forgot to inspect the field for this in the returned table.
Kim Alvefur <zash@zash.se> [Thu, 09 Mar 2023 14:46:06 +0100] rev 5232
mod_http_oauth2: Implement the OpenID userinfo endpoint
Needed for OIDC
Kim Alvefur <zash@zash.se> [Thu, 09 Mar 2023 13:15:13 +0100] rev 5231
mod_http_oauth2: Close site header tags
Kim Alvefur <zash@zash.se> [Tue, 07 Mar 2023 23:55:33 +0100] rev 5230
mod_http_oauth2: Fix contrast of links on consent page
The default dark blue wasn't very visible on a dark background
Matthew Wild <mwild1@gmail.com> [Tue, 07 Mar 2023 15:33:07 +0000] rev 5229
mod_http_oauth2: token endpoint: handle missing credentials
Matthew Wild <mwild1@gmail.com> [Tue, 07 Mar 2023 15:31:19 +0000] rev 5228
mod_http_oauth2: Fail early when no authorization header present
Fixes traceback.
Matthew Wild <mwild1@gmail.com> [Tue, 07 Mar 2023 15:27:50 +0000] rev 5227
mod_http_oauth2: Support HTTP Basic auth on token endpoint
This is described in RFC 6749 section 2.3.1 and draft-ietf-oauth-v2-1-07 2.3.1
as the recommended way to transmit the client's credentials.
The older spec even calls it the "client password", but the new spec clarifies
that this is just another term for the client secret.
Matthew Wild <mwild1@gmail.com> [Tue, 07 Mar 2023 15:18:41 +0000] rev 5226
mod_http_oauth2: Separate extracting credentials from requests and verifying
The token endpoint also uses Basic auth, but the password would be the
client_secret, so we need to verify against that instead of using
test_password(). Splitting this up here avoids code duplication.
Possibly this new function could go into util.http...