mod_http_oauth2/README: Expand summary to include OAuth 2.0 role This module implements the Authorization Server parts of OAuth 2.0, so having the summary say that seems sensible.

mod_http_oauth2: Return Authentication Time per OpenID Core Section 2 Mandatory To Implement, either MUST include or OPTIONAL depending on things we don't look at, so might as well include it all the time. Since we do not persist authentication state with cookies or such, the authentication time will always be some point between the user being sent to the authorization endpoint and the time they are sent back to the client application.

mod_http_oauth2: Validate the OpenID 'prompt' parameter Without support for affecting the login and consent procedure, it seems sensible to inform the client that they can't change anything with this parameter.

mod_http_oauth2: Apply text color to OOB input field Was using the browser default color

mod_client_management: Include client software version number in listing Should you ever wish to revoke a client by version number, e.g. for security reasons affecting certain versions, then it would be good to at the very least see which version is used. Also includes the OAuth2 software ID, an optional unique identifier that should be the same for all installations of a particular software.

mod_http_oauth2: Present OOB code in an input field for easier selection Should also avoid stray whitespace making it into the selection.

mod_http_oauth2: Revert strict form check to allow consent of multiple scopes Untested commit breaks everything, news at 11

mod_http_oauth2: Reject duplicate form-urlencoded parameters Per RFC 6749 section 3.1 > Request and response parameters MUST NOT be included more than once. Thanks to OAuch for pointing out Also cleans up some of the icky behavior of formdecode(), like returning a string if no '=' is included.

mod_http_oauth2: Bind refresh tokens to client Prevent one OAuth client from using the refresh tokens issued to another client as required by RFC 6819 section 5.2.2.2 See also draft-ietf-oauth-security-topics-22 section 2.2.2 Thanks to OAuch for pointing out this issue

mod_http_oauth2: Record hash of client_id to allow future verification RFC 6819 section 5.2.2.2 states that refresh tokens MUST be bound to the client. In order to do that, we must record something that can definitely tie the client to the grant. Since the full client_id is so large (why we have this client_subset function), a hash is stored instead.

mod_http_oauth2: Add client verification wrapper function Fixes the weird ok, data return format from util.jit, but the real reason is to add some preparation steps here.

mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 These are mostly for the various Client-facing endpoints, so the chance of browsers being involved is slightly lower than with the User-facing authorization endpoint, which already sent the Cache-Control header. Thanks to OAuch for pointing out.

mod_http_oauth2: Linkify mod_client_management in README

mod_http_oauth2: Fix messed up section about redirect_uris requirements

mod_http_oauth2: Restructure description of client metadata requirements Previously quite a compact block of text, maybe this is easier to read.

mod_http_oauth2: Correct loopback URL example The s in the scheme should not be there, only unencrypted http to loopback interface is allowed.

mod_groups_oidc: Expose groups to OAuth clients

mod_oidc_userinfo_vcard4: Advertise OpenID scopes via new mechanism

mod_http_oauth2: Add provisions for dynamically adding simple scopes This lets additional modules define what scopes they might add to the userinfo endpoint, or other things.

mod_http_oauth2: Sort imports Piped through `sort -k5` thus sorting by module name. Sort order makes it easy to know where to insert new imports.

mod_http_oauth2: Fix closing h1 tag

mod_auth_oauth_external: Correct docs about default scope Yet another failure of auto-complete?

misc/lnav: Add a README with installation instructions

misc/lnav: Fix delimiting of timestamp in pattern The string with the timestamp format in core.loggingmanager does end with a space, so having the exact same string here is nice, but the pattern did not reflect this.

misc/lnav: Fix timestamp-format to be an array as per schema

mod_http_oauth2: Create proper template for OOB code delivery This also improves security by reusing the security and cache headers, where mod_http_errors/http-message doesn't add such headers. Colors selected by taking rotating the error colors, rrggbb -> ggbbrr

mod_http_oauth2: Add an example of client registration

mod_http_oauth2: Document client registration requirements Because they go a bit further than the basics in the RFC

mod_http_debug: Handle any path under /debug/* as well Sometimes things encode useful info in paths. Could also help if you add path components in a reverse proxy.

mod_http_debug: Log some extended info about requests If you point something external at this module, you don't get the response body back, hence it can be useful to see some details in the log as well.