Kim Alvefur <zash@zash.se> [Thu, 11 May 2023 21:43:23 +0200] rev 5454
mod_http_oauth2: Scope FIXMEs
Kim Alvefur <zash@zash.se> [Thu, 11 May 2023 21:41:37 +0200] rev 5453
mod_http_oauth2: Describe type signatures of scope handling functions
Kim Alvefur <zash@zash.se> [Thu, 11 May 2023 21:40:09 +0200] rev 5452
mod_http_oauth2: Allow requesting a subset of scopes on token refresh
This enables clients to request access tokens with fewer permissions
than the grant they were given, reducing impact of token leak. Clients
could e.g. request access tokens with some privileges and immediately
revoke them after use, or other strategies.
Kim Alvefur <zash@zash.se> [Thu, 11 May 2023 19:33:44 +0200] rev 5451
mod_http_oauth2: Enforce client scope restrictions in authorization
When registering a client, a scope field can be included as a promise to
only ever use those. Here we enforce that promise, if given, ensuring a
client can't request or be granted a scope it didn't provide in its
registration. While currently there is no restrictions at registration
time, this could be changed in the future in various ways.
Kim Alvefur <zash@zash.se> [Thu, 11 May 2023 21:37:35 +0200] rev 5450
mod_http_oauth2: Fix inclusion of role in refreshed access tokens
`refresh_token_info` does not carry the role, and due to behavior prior
to prosody trunk rev a1ba503610ed it would have reverted to the users'
default role. After that it instead issues a token without role which is
thus not usable with e.g. mod_rest
Kim Alvefur <zash@zash.se> [Thu, 11 May 2023 15:10:44 +0200] rev 5449
mod_http_oauth2: Fix unintentional persistence
Kim Alvefur <zash@zash.se> [Wed, 10 May 2023 19:49:40 +0200] rev 5448
mod_auth_oauth_external: Update compatibility section with unknowns
The PLAIN bits may very well work, it just needs async support
Kim Alvefur <zash@zash.se> [Wed, 10 May 2023 19:33:37 +0200] rev 5447
mod_auth_oauth_external: Also do XEP-0106 escaping in SASL OAUTHBEARER
For consistency.
The mangling should be made configurable in the future.
Kim Alvefur <zash@zash.se> [Wed, 10 May 2023 19:11:25 +0200] rev 5446
mod_auth_oauth_external: Stub not implemented auth module methods
Not providing some of these may trigger errors on use, which is
something that would be nice to fix on the Prosody side, one day.
Kim Alvefur <zash@zash.se> [Wed, 10 May 2023 18:32:47 +0200] rev 5445
mod_auth_oauth_external: Add Mastodon to README