mod_http_oauth2: Use <fieldset> in templates because it looks nice Removes some CSS as well

mod_rest: Update prosody_oauth.py example to non-legacy OAuth2 Relies on recent mod_http_oauth2 updates

mod_http_oauth2: Remove another reference to obsolete function

mod_http_oauth2: Relax payload content type checking in revocation The code expected Content-Type: application/x-www-form-urlencoded HTTPie sent Content-Type: application/x-www-form-urlencoded; charset=utf-8 It did not work

mod_http_oauth2: Remove now unused code Was apparently only used in revocation which now uses get_request_credentials() directly

mod_http_oauth2: Allow revoking a token without OAuth client credentials If you have a valid token, and you're not supposed to have it, revoking it seems the most responsible thing to do with it, so it should be allowed, while if you are supposed to have it, you should also be allowed to revoke it.

mod_http_oauth2: Correctly verify OAuth client credentials on revocation Makes no sense to validate against username and password here, or using a token to revoke another token, or itself? In fact, upon further discussion, why do you need credentials to revoke a token? If you are not supposed to have the token, revoking it seems the most responsible thing to do with it, so it should be allowed, while if you are supposed to have it, you should be allowed to revoke it.

mod_http_oauth2: Group metadata section into OAuth and OpenID Could easily be confusing otherwise if you're reading one spec and see properties not defined there.

mod_http_oauth2: Rename oauth client credential related functions To make it more explicit what "secret" these deal with.

mod_sasl2: Pull user-agent info into sasl_handler for later reference It may be of interest to post-auth things. Putting it on the session was another option considered, but that seemed unnecessary overhead for something that might be rarely used. sasl_handler is cleared after successful authentication.

mod_adhoc_oauth2_client: Update to call into mod_http_oauth2

mod_http_oauth2: Refactor to allow reuse of OAuth client creation

mod_http_oauth2: Fix userinfo status code off-by-one

mod_http_oauth2: Implement and return ID Token in authorization code flow Is this OIDC?

mod_http_oauth2: Reject non-local hosts in more code paths We're not issuing tokens for users on remote hosts, we can't even authenticate them since they're remote. Thus the host is always the local module.host so no need to pass around the host in most cases or use it for anything but enforcing the same host.

mod_http_oauth2: Add support for the "openid" scope This "openid" scope is there to signal access to the userinfo endpoint, which is needed for OIDC support. We don't actually check this later because the userinfo endpoint only returns info embedded in the token itself, but in the future we may want to check this more carefully.

mod_http_oauth2: Prepare to handle multiple e.g. non-role scopes This is to prepare to handle scopes like "openid" that don't map to roles.

mod_adhoc_oauth2_client: Make note in README about current broken state It could plausibly be made to work again using the stateless method internally.

mod_http_oauth2: Fix attempt to index a boolean value _This_ function signature strikes again It returns true, payload, but only passed the boolean on in place of the client, tripping up client_subset()

mod_audit: Allow disabling IP logging, or limiting it to a prefix

mod_audit: Include client id in audit log entries (if known)

mod_sasl2: Fire authentication-{success,failure} events like mod_saslauth

mod_http_oauth2: Record details of OAuth client a token is issued to To enable use cases such as revoking all tokens issued to a particular OAuth client in case of security issues, or for informative purposes such as when listing tokens for users.

mod_http_oauth2: Invoke mod_http_errors to render error on invalid redirect Turns out returning a table like that produces a blank page. Kinda boring and not very helpful.

mod_http_oauth2: Validate all URIs against client_uri in client registration Validating against all redirect URIs didn't work for OOB-only clients, which happens to be what I was testing with.

mod_http_oauth2: Organize HTTP routes with comments Starting to get hard to follow. Usually one would start tracing the steps at the HTTP authorize route. Vaguely sorted alphabetically by path and point in the flow. (/register comes before /authorize tho)

mod_http_oauth2: Fix validation of informative URIs Iterating over wrong table

mod_http_oauth2: Use more compact IDs UUIDs are nice but so verbose! The reduction in entropy for the nonce should be fine since the timestamp is also counts towards this, and it changes every second (modulo clock shenanigans), so the chances of someone managing to get the same client_secret by registering with the same information at the same time as another entity should be negligible.

mod_http_oauth2: Validate that informative URLs match the redirect URIs It is a bit shady to have the various URIs (URLs really) point to different hostnames. This may be quite stricter than required, but can always be relaxed later.

mod_http_oauth2: Reject insecure redirect URIs Is this enough, or are they going to be using ftp:// and gopher://?

mod_http_oauth2: Validate that redirect URIs are absolute

mod_http_oauth2: Validate basic URI syntax of redirect URIs

mod_spam_report_forwarder: Forward spam/abuse reports to one or more JIDs

mod_http_oauth2: Require URL to client informational page in registration Since it's used without fallback in the template, seems someone expected this to always be there, and we might as well.

mod_http_oauth2: Reorder client metadata validation schema Having 'type' first seems right

mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID

mod_firewall: README: Clarify docs about some of the stanza processing actions

mod_firewall: Warn about invalid pubsubitemid list specification

mod_firewall: Fix parsing of pubsubitemid list specification

mod_http_oauth2: Fix to disable disabled response handlers correctly Wrong table

mod_http_oauth2: Log flows enabled and disabled If a developer ever wants to be sure what the state is

mod_http_oauth2: Fix appending of query parts in error redirects Looks like this meant to check whether the redirect_uri has a ?query part, but forgot to inspect the field for this in the returned table.

mod_http_oauth2: Implement the OpenID userinfo endpoint Needed for OIDC

mod_http_oauth2: Close site header tags

mod_http_oauth2: Fix contrast of links on consent page The default dark blue wasn't very visible on a dark background

mod_http_oauth2: token endpoint: handle missing credentials

mod_http_oauth2: Fail early when no authorization header present Fixes traceback.

mod_http_oauth2: Support HTTP Basic auth on token endpoint This is described in RFC 6749 section 2.3.1 and draft-ietf-oauth-v2-1-07 2.3.1 as the recommended way to transmit the client's credentials. The older spec even calls it the "client password", but the new spec clarifies that this is just another term for the client secret.

mod_http_oauth2: Separate extracting credentials from requests and verifying The token endpoint also uses Basic auth, but the password would be the client_secret, so we need to verify against that instead of using test_password(). Splitting this up here avoids code duplication. Possibly this new function could go into util.http...

mod_http_oauth2: Reflect ALL attributes of the client registration Per RFC 7591: " Additionally, the authorization server MUST return all registered metadata about this client, including any fields provisioned by the authorization server itself. " The idea is that the server may replace/drop fields in the registration, so what gets reflected back to the client is the source of truth about the registration.

mod_rest: Point URLs to mod_http_oauth2 in demo mode

mod_http_oauth2: Improve handling of redirect_uri matching and fallback Per OAuth 2.1, the client MUST provide a redirect_uri explicitly if it registered multiple. If it only registered a single URI, it may be omitted from the authorize request.

mod_http_oauth2: Correct field name for HTTP response status code 'code' is used in the incoming side of the Prosody HTTP stack while 'status_code' is used on the response side. Not confusing at all. The default is 200 so this mistake had no real effect.

mod_http_oauth2: Fix incorrect function name (thanks Zash/luacheck)

mod_cloud_notify: Add note about Lua version requirements to README

mod_cloud_notify: Log warning when used on Lua 5.1

mod_http_oauth2: Remove authorization codes after use RFC 6749 section 4.1.2 says: > The client MUST NOT use the authorization code more than once. Thus we clear it from the cache after use.

mod_http_oauth2: Fix authorization code logic I have no idea what it did before or if it even worked. RFC 6749 section 4.1.2 says: > A maximum authorization code lifetime of 10 minutes is RECOMMENDED. So this should prevent use of codes older than 10 minutes and remove them from the cache some time after they expire.

mod_http_oauth2: Include html templates in package for plugin installer luarocks needs this extra metadata

mod_conversejs: This one weird trick updates options on reload Options queried from the config in get_converse_options() would take effect immediately after Prosody reloads the config. Including 'conversejs_options' in this behaviour by simply moving a line seems worth it.