Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 15:59:34 +0200] rev 5532
mod_rest: Merge some common properties between openapi and schema
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 15:52:02 +0200] rev 5531
mod_rest: Apply normalization to openapi spec
Using https://github.com/mikefarah/yq v4.34.1 --prettyPrint
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 12:54:52 +0200] rev 5530
mod_http_oauth2: Simplify template using if-falsy operator
Relies on Prosody rev af1e3b7d9ea3 which added the {var~if-falsy},
released in 0.12. Since this module requires trunk this is fine.
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 12:31:52 +0200] rev 5529
mod_http_dir_listing2: Fix wrong name for resource directory
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 12:27:13 +0200] rev 5528
mod_http_dir_listing2: Include html resources with plugin installer
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 12:26:27 +0200] rev 5527
mod_http_dir_listing: Strip path to using plugin installer
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 12:23:31 +0200] rev 5526
mod_firewall: Include scripts with plugin installer (thanks gooya)
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 01:51:23 +0200] rev 5525
mod_http_oauth2: Add some words about supported flows and defaults
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 01:43:35 +0200] rev 5524
mod_http_oauth2/README: Expand summary to include OAuth 2.0 role
This module implements the Authorization Server parts of OAuth 2.0, so
having the summary say that seems sensible.
Kim Alvefur <zash@zash.se> [Mon, 05 Jun 2023 22:32:44 +0200] rev 5523
mod_http_oauth2: Return Authentication Time per OpenID Core Section 2
Mandatory To Implement, either MUST include or OPTIONAL depending on
things we don't look at, so might as well include it all the time.
Since we do not persist authentication state with cookies or such, the
authentication time will always be some point between the user being
sent to the authorization endpoint and the time they are sent back to
the client application.
Kim Alvefur <zash@zash.se> [Mon, 05 Jun 2023 22:19:17 +0200] rev 5522
mod_http_oauth2: Validate the OpenID 'prompt' parameter
Without support for affecting the login and consent procedure, it seems
sensible to inform the client that they can't change anything with this
parameter.
Kim Alvefur <zash@zash.se> [Sat, 03 Jun 2023 20:04:40 +0200] rev 5521
mod_http_oauth2: Apply text color to OOB input field
Was using the browser default color
Kim Alvefur <zash@zash.se> [Sat, 03 Jun 2023 19:21:39 +0200] rev 5520
mod_client_management: Include client software version number in listing
Should you ever wish to revoke a client by version number, e.g. for
security reasons affecting certain versions, then it would be good to at
the very least see which version is used.
Also includes the OAuth2 software ID, an optional unique identifier that
should be the same for all installations of a particular software.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 11:28:04 +0200] rev 5519
mod_http_oauth2: Present OOB code in an input field for easier selection
Should also avoid stray whitespace making it into the selection.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 11:20:08 +0200] rev 5518
mod_http_oauth2: Revert strict form check to allow consent of multiple scopes
Untested commit breaks everything, news at 11
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 11:03:57 +0200] rev 5517
mod_http_oauth2: Reject duplicate form-urlencoded parameters
Per RFC 6749 section 3.1
> Request and response parameters MUST NOT be included more than once.
Thanks to OAuch for pointing out
Also cleans up some of the icky behavior of formdecode(), like returning
a string if no '=' is included.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 10:40:48 +0200] rev 5516
mod_http_oauth2: Bind refresh tokens to client
Prevent one OAuth client from using the refresh tokens issued to another
client as required by RFC 6819 section 5.2.2.2
See also draft-ietf-oauth-security-topics-22 section 2.2.2
Thanks to OAuch for pointing out this issue
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 10:14:16 +0200] rev 5515
mod_http_oauth2: Record hash of client_id to allow future verification
RFC 6819 section 5.2.2.2 states that refresh tokens MUST be bound to the
client. In order to do that, we must record something that can
definitely tie the client to the grant. Since the full client_id is so
large (why we have this client_subset function), a hash is stored
instead.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 10:12:46 +0200] rev 5514
mod_http_oauth2: Add client verification wrapper function
Fixes the weird ok, data return format from util.jit, but the real
reason is to add some preparation steps here.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 08:59:59 +0200] rev 5513
mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749
These are mostly for the various Client-facing endpoints, so the chance
of browsers being involved is slightly lower than with the User-facing
authorization endpoint, which already sent the Cache-Control header.
Thanks to OAuch for pointing out.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 08:59:29 +0200] rev 5512
mod_http_oauth2: Linkify mod_client_management in README
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 20:02:45 +0200] rev 5511
mod_http_oauth2: Fix messed up section about redirect_uris requirements
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 19:55:36 +0200] rev 5510
mod_http_oauth2: Restructure description of client metadata requirements
Previously quite a compact block of text, maybe this is easier to read.
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 19:37:17 +0200] rev 5509
mod_http_oauth2: Correct loopback URL example
The s in the scheme should not be there, only unencrypted http to
loopback interface is allowed.
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 18:32:59 +0200] rev 5508
mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 18:16:18 +0200] rev 5507
mod_oidc_userinfo_vcard4: Advertise OpenID scopes via new mechanism
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 18:16:13 +0200] rev 5506
mod_http_oauth2: Add provisions for dynamically adding simple scopes
This lets additional modules define what scopes they might add to the
userinfo endpoint, or other things.
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 16:37:03 +0200] rev 5505
mod_http_oauth2: Sort imports
Piped through `sort -k5` thus sorting by module name. Sort order makes
it easy to know where to insert new imports.
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 02:33:05 +0200] rev 5504
mod_http_oauth2: Fix closing h1 tag
Kim Alvefur <zash@zash.se> [Wed, 31 May 2023 22:37:51 +0200] rev 5503
mod_auth_oauth_external: Correct docs about default scope
Yet another failure of auto-complete?