Kim Alvefur <zash@zash.se> [Thu, 23 Mar 2023 16:19:09 +0100] rev 5274
mod_http_oauth2: Use <fieldset> in templates because it looks nice
Removes some CSS as well
Kim Alvefur <zash@zash.se> [Thu, 23 Mar 2023 12:47:51 +0100] rev 5273
mod_rest: Update prosody_oauth.py example to non-legacy OAuth2
Relies on recent mod_http_oauth2 updates
Kim Alvefur <zash@zash.se> [Wed, 22 Mar 2023 00:09:58 +0100] rev 5272
mod_http_oauth2: Remove another reference to obsolete function
Kim Alvefur <zash@zash.se> [Tue, 21 Mar 2023 22:29:47 +0100] rev 5271
mod_http_oauth2: Relax payload content type checking in revocation
The code expected
Content-Type: application/x-www-form-urlencoded
HTTPie sent
Content-Type: application/x-www-form-urlencoded; charset=utf-8
It did not work
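The failure above is a media-type comparison that treats the whole header value as one string. The following is an added example in Python, not mod_http_oauth2's Lua code: it shows the exact-match check beside a check that compares only the media type, ignoring case and parameters such as charset, and then decodes a form body while honouring that charset. The function names and the sample body are this example's own.

```python
# Added example (Python, not mod_http_oauth2's Lua): checking the media type
# of a request body without tripping over parameters such as "; charset=utf-8".
from email.message import Message
from urllib.parse import parse_qsl

FORM_URLENCODED = "application/x-www-form-urlencoded"


def strict_is_form(content_type):
    """The over-strict check: only an exact header value matches."""
    return content_type == FORM_URLENCODED


def media_type(content_type):
    """Return the bare media type, lower-cased, with parameters stripped.

    email.message.Message parses "type/subtype; param=value" headers for us,
    so "Application/X-WWW-Form-URLEncoded; charset=utf-8" becomes
    "application/x-www-form-urlencoded". Invalid values come back as
    "text/plain", which simply fails the comparison.
    """
    if not content_type:
        return None
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_content_type()


def relaxed_is_form(content_type):
    """Accept the form media type regardless of case or parameters."""
    return media_type(content_type) == FORM_URLENCODED


def parse_form_body(content_type, body):
    """Decode a form-encoded body into a dict, honouring a charset parameter.

    Returns None when the media type is wrong or the body is not valid
    percent-encoded ASCII, so a caller can answer 400 instead of tracing back.
    """
    if not relaxed_is_form(content_type):
        return None
    msg = Message()
    msg["Content-Type"] = content_type
    charset = msg.get_param("charset", "utf-8")
    try:
        text = body.decode("ascii")
        return dict(parse_qsl(text, keep_blank_values=True, encoding=charset))
    except (UnicodeDecodeError, LookupError):   # non-ASCII body or unknown charset
        return None
```

The point is that anything a client may legitimately append to the header (parameters, different case) must not change the outcome of the check, while a genuinely different media type still must.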
Kim Alvefur <zash@zash.se> [Tue, 21 Mar 2023 22:23:28 +0100] rev 5270
mod_http_oauth2: Remove now unused code
Was apparently only used in revocation which now uses
get_request_credentials() directly
Kim Alvefur <zash@zash.se> [Tue, 21 Mar 2023 22:02:38 +0100] rev 5269
mod_http_oauth2: Allow revoking a token without OAuth client credentials
If you have a valid token, and you're not supposed to have it, revoking
it seems the most responsible thing to do with it, so it should be
allowed, while if you are supposed to have it, you should also be
allowed to revoke it.
Kim Alvefur <zash@zash.se> [Tue, 21 Mar 2023 21:57:18 +0100] rev 5268
mod_http_oauth2: Correctly verify OAuth client credentials on revocation
Makes no sense to validate against username and password here, or using
a token to revoke another token, or itself?
In fact, upon further discussion, why do you need credentials to revoke
a token? If you are not supposed to have the token, revoking it seems
the most responsible thing to do with it, so it should be allowed, while
if you are supposed to have it, you should be allowed to revoke it.
Kim Alvefur <zash@zash.se> [Tue, 21 Mar 2023 21:45:02 +0100] rev 5267
mod_http_oauth2: Group metadata section into OAuth and OpenID
Could easily be confusing otherwise if you're reading one spec and see
properties not defined there.
Kim Alvefur <zash@zash.se> [Tue, 21 Mar 2023 21:36:54 +0100] rev 5266
mod_http_oauth2: Rename oauth client credential related functions
To make it more explicit what "secret" these deal with.
Matthew Wild <mwild1@gmail.com> [Tue, 21 Mar 2023 15:26:03 +0000] rev 5265
mod_sasl2: Pull user-agent info into sasl_handler for later reference
It may be of interest to post-auth things. Putting it on the session was
another option considered, but that seemed unnecessary overhead for something
that might be rarely used. sasl_handler is cleared after successful
authentication.
Kim Alvefur <zash@zash.se> [Sun, 19 Mar 2023 22:21:41 +0100] rev 5264
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se> [Sun, 19 Mar 2023 22:13:27 +0100] rev 5263
mod_http_oauth2: Refactor to allow reuse of OAuth client creation
Kim Alvefur <zash@zash.se> [Thu, 16 Mar 2023 19:59:32 +0100] rev 5262
mod_http_oauth2: Fix userinfo status code off-by-one
Kim Alvefur <zash@zash.se> [Thu, 16 Mar 2023 19:28:44 +0100] rev 5261
mod_http_oauth2: Implement and return ID Token in authorization code flow
Is this OIDC?
Kim Alvefur <zash@zash.se> [Thu, 16 Mar 2023 17:52:10 +0100] rev 5260
mod_http_oauth2: Reject non-local hosts in more code paths
We're not issuing tokens for users on remote hosts; we can't even
authenticate them since they're remote. Thus the host is always the
local module.host so no need to pass around the host in most cases or
use it for anything but enforcing the same host.
Kim Alvefur <zash@zash.se> [Thu, 16 Mar 2023 17:06:35 +0100] rev 5259
mod_http_oauth2: Add support for the "openid" scope
This "openid" scope is there to signal access to the userinfo endpoint,
which is needed for OIDC support.
We don't actually check this later because the userinfo endpoint only
returns info embedded in the token itself, but in the future we may want
to check this more carefully.
Kim Alvefur <zash@zash.se> [Thu, 16 Mar 2023 17:03:48 +0100] rev 5258
mod_http_oauth2: Prepare to handle multiple e.g. non-role scopes
This is to prepare to handle scopes like "openid" that don't map to
roles.
Kim Alvefur <zash@zash.se> [Thu, 16 Mar 2023 14:27:46 +0100] rev 5257
mod_adhoc_oauth2_client: Make note in README about current broken state
It could plausibly be made to work again using the stateless method
internally.
Kim Alvefur <zash@zash.se> [Thu, 16 Mar 2023 00:06:43 +0100] rev 5256
mod_http_oauth2: Fix attempt to index a boolean value
_This_ function signature strikes again
It returns true, payload, but only passed the boolean on in place of the
client, tripping up client_subset()
Matthew Wild <mwild1@gmail.com> [Tue, 14 Mar 2023 18:59:39 +0000] rev 5255
mod_audit: Allow disabling IP logging, or limiting it to a prefix
Matthew Wild <mwild1@gmail.com> [Tue, 14 Mar 2023 17:48:44 +0000] rev 5254
mod_audit: Include client id in audit log entries (if known)
Matthew Wild <mwild1@gmail.com> [Tue, 14 Mar 2023 17:13:46 +0000] rev 5253
mod_sasl2: Fire authentication-{success,failure} events like mod_saslauth
Kim Alvefur <zash@zash.se> [Tue, 14 Mar 2023 18:08:25 +0100] rev 5252
mod_http_oauth2: Record details of OAuth client a token is issued to
To enable use cases such as revoking all tokens issued to a particular
OAuth client in case of security issues, or for informative purposes
such as when listing tokens for users.
Kim Alvefur <zash@zash.se> [Sun, 12 Mar 2023 17:56:23 +0100] rev 5251
mod_http_oauth2: Invoke mod_http_errors to render error on invalid redirect
Turns out returning a table like that produces a blank page. Kinda
boring and not very helpful.
Kim Alvefur <zash@zash.se> [Sun, 12 Mar 2023 12:06:44 +0100] rev 5250
mod_http_oauth2: Validate all URIs against client_uri in client registration
Validating against all redirect URIs didn't work for OOB-only clients,
which happens to be what I was testing with.
Kim Alvefur <zash@zash.se> [Sun, 12 Mar 2023 11:27:29 +0100] rev 5249
mod_http_oauth2: Organize HTTP routes with comments
Starting to get hard to follow. Usually one would start tracing the
steps at the HTTP authorize route. Vaguely sorted alphabetically by
path and point in the flow. (/register comes before /authorize tho)
Kim Alvefur <zash@zash.se> [Sat, 11 Mar 2023 22:58:47 +0100] rev 5248
mod_http_oauth2: Fix validation of informative URIs
Iterating over wrong table
Kim Alvefur <zash@zash.se> [Sat, 11 Mar 2023 22:46:27 +0100] rev 5247
mod_http_oauth2: Use more compact IDs
UUIDs are nice but so verbose!
The reduction in entropy for the nonce should be fine since the
timestamp also counts towards this, and it changes every second
(modulo clock shenanigans), so the chances of someone managing to get
the same client_secret by registering with the same information at the
same time as another entity should be negligible.
Kim Alvefur <zash@zash.se> [Sat, 11 Mar 2023 22:31:02 +0100] rev 5246
mod_http_oauth2: Validate that informative URLs match the redirect URIs
It is a bit shady to have the various URIs (URLs really) point to
different hostnames.
This may be quite a bit stricter than required, but can always be relaxed
later.
Kim Alvefur <zash@zash.se> [Sat, 11 Mar 2023 22:25:50 +0100] rev 5245
mod_http_oauth2: Reject insecure redirect URIs
Is this enough, or are they going to be using ftp:// and gopher://?
Kim Alvefur <zash@zash.se> [Sat, 11 Mar 2023 22:25:22 +0100] rev 5244
mod_http_oauth2: Validate that redirect URIs are absolute
Kim Alvefur <zash@zash.se> [Sat, 11 Mar 2023 22:30:58 +0100] rev 5243
mod_http_oauth2: Validate basic URI syntax of redirect URIs
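Revisions 5243 through 5246 and 5248 above add the redirect URI checks one at a time (syntax, absoluteness, scheme, matching hostnames), and revision 5250 later moves the hostname comparison to client_uri so that OOB-only clients with no redirect URIs still register. The following is an added example in Python, not the module's Lua code, that applies those checks in order. The https-only scheme policy, the reason strings and the helper names are this example's own choices; client_uri, logo_uri, tos_uri and policy_uri are RFC 7591 field names.

```python
# Added example (Python, not mod_http_oauth2's Lua): redirect URI and client
# metadata validation at registration time. Scheme policy and reason strings
# are this example's own choices.
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}                                      # assumption: https only
INFORMATIVE_URI_FIELDS = ("logo_uri", "tos_uri", "policy_uri")   # RFC 7591 field names


def check_uri(uri):
    """Return None if the URI is acceptable, otherwise a short reason."""
    if not isinstance(uri, str) or not uri:
        return "missing"
    try:
        parts = urlsplit(uri)
    except ValueError:                    # e.g. unbalanced IPv6 brackets
        return "malformed"
    if not parts.scheme or not parts.netloc:
        return "not absolute"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "insecure scheme"
    if parts.fragment:                    # RFC 6749 3.1.2: no fragment component
        return "fragment not allowed"
    return None


def validate_client_metadata(meta):
    """Validate a registration request given as a dict of RFC 7591 fields.

    Returns a list of error strings; an empty list means acceptable.
    client_uri is required and every other URI must share its host.
    redirect_uris may be empty, since OOB-only clients have none.
    """
    errors = []
    client_uri = meta.get("client_uri")
    reason = check_uri(client_uri)
    if reason:
        return [f"client_uri: {reason}"]
    host = urlsplit(client_uri).hostname

    def same_host(uri):
        return urlsplit(uri).hostname == host

    for uri in meta.get("redirect_uris") or []:
        reason = check_uri(uri)
        if reason:
            errors.append(f"redirect_uris: {uri!r} {reason}")
        elif not same_host(uri):
            errors.append(f"redirect_uris: {uri!r} host differs from client_uri")

    for field in INFORMATIVE_URI_FIELDS:
        uri = meta.get(field)
        if uri is None:
            continue
        reason = check_uri(uri)
        if reason:
            errors.append(f"{field}: {reason}")
        elif not same_host(uri):
            errors.append(f"{field}: host differs from client_uri")
    return errors
```

Collecting every error rather than stopping at the first one lets the registration response tell the client developer everything that is wrong in one round trip, while a bad client_uri short-circuits because nothing else can be compared against it.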
Matthew Wild <mwild1@gmail.com> [Sat, 11 Mar 2023 20:20:37 +0000] rev 5242
mod_spam_report_forwarder: Forward spam/abuse reports to one or more JIDs
Kim Alvefur <zash@zash.se> [Sat, 11 Mar 2023 21:13:00 +0100] rev 5241
mod_http_oauth2: Require URL to client informational page in registration
Since it's used without fallback in the template, seems someone expected
this to always be there, and we might as well.
Kim Alvefur <zash@zash.se> [Sat, 11 Mar 2023 21:11:50 +0100] rev 5240
mod_http_oauth2: Reorder client metadata validation schema
Having 'type' first seems right
Matthew Wild <mwild1@gmail.com> [Sat, 11 Mar 2023 18:41:49 +0000] rev 5239
mod_firewall: Add 'REPORT TO' to report (XEP-0377) a stanza to a specified JID
Matthew Wild <mwild1@gmail.com> [Sat, 11 Mar 2023 18:29:38 +0000] rev 5238
mod_firewall: README: Clarify docs about some of the stanza processing actions
Matthew Wild <mwild1@gmail.com> [Sat, 11 Mar 2023 16:40:24 +0000] rev 5237
mod_firewall: Warn about invalid pubsubitemid list specification
Matthew Wild <mwild1@gmail.com> [Sat, 11 Mar 2023 16:40:09 +0000] rev 5236
mod_firewall: Fix parsing of pubsubitemid list specification
Kim Alvefur <zash@zash.se> [Fri, 10 Mar 2023 12:03:23 +0100] rev 5235
mod_http_oauth2: Fix to disable disabled response handlers correctly
Wrong table
Kim Alvefur <zash@zash.se> [Fri, 10 Mar 2023 12:01:52 +0100] rev 5234
mod_http_oauth2: Log flows enabled and disabled
If a developer ever wants to be sure what the state is
Kim Alvefur <zash@zash.se> [Fri, 10 Mar 2023 11:54:30 +0100] rev 5233
mod_http_oauth2: Fix appending of query parts in error redirects
Looks like this meant to check whether the redirect_uri has a ?query
part, but forgot to inspect the field for this in the returned table.
Kim Alvefur <zash@zash.se> [Thu, 09 Mar 2023 14:46:06 +0100] rev 5232
mod_http_oauth2: Implement the OpenID userinfo endpoint
Needed for OIDC
Kim Alvefur <zash@zash.se> [Thu, 09 Mar 2023 13:15:13 +0100] rev 5231
mod_http_oauth2: Close site header tags
Kim Alvefur <zash@zash.se> [Tue, 07 Mar 2023 23:55:33 +0100] rev 5230
mod_http_oauth2: Fix contrast of links on consent page
The default dark blue wasn't very visible on a dark background
Matthew Wild <mwild1@gmail.com> [Tue, 07 Mar 2023 15:33:07 +0000] rev 5229
mod_http_oauth2: token endpoint: handle missing credentials
Matthew Wild <mwild1@gmail.com> [Tue, 07 Mar 2023 15:31:19 +0000] rev 5228
mod_http_oauth2: Fail early when no authorization header present
Fixes traceback.
Matthew Wild <mwild1@gmail.com> [Tue, 07 Mar 2023 15:27:50 +0000] rev 5227
mod_http_oauth2: Support HTTP Basic auth on token endpoint
This is described in RFC 6749 section 2.3.1 and draft-ietf-oauth-v2-1-07 2.3.1
as the recommended way to transmit the client's credentials.
The older spec even calls it the "client password", but the new spec clarifies
that this is just another term for the client secret.
Matthew Wild <mwild1@gmail.com> [Tue, 07 Mar 2023 15:18:41 +0000] rev 5226
mod_http_oauth2: Separate extracting credentials from requests and verifying
The token endpoint also uses Basic auth, but the password would be the
client_secret, so we need to verify against that instead of using
test_password(). Splitting this up here avoids code duplication.
Possibly this new function could go into util.http...
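Revisions 5226 through 5229 above split credential extraction from verification, add HTTP Basic auth on the token endpoint and make both missing and malformed credentials fail early. The following is an added example in Python, not the module's Lua code, showing that split. `headers` is assumed to be a dict with lower-cased header names, `form` the decoded request body, and SAMPLE_CLIENTS a constructed stand-in for the server's client store; the client_id and secret values are the sample values from RFC 6749.

```python
# Added example (Python, not mod_http_oauth2's Lua): extracting OAuth client
# credentials from a token request separately from verifying them against the
# registered client_secret (never a user password).
import base64
import binascii
import hmac
from urllib.parse import quote_plus, unquote_plus


def basic_header(client_id, client_secret):
    """Build the Authorization header a client sends. RFC 6749 section 2.3.1:
    both values are form-urlencoded before being joined and base64-encoded."""
    raw = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def extract_client_credentials(headers, form):
    """Return (client_id, client_secret), or None when no usable credentials
    are present so the endpoint can answer with an error instead of tracing back.
    Basic auth wins when present; otherwise the form body is consulted."""
    auth = headers.get("authorization")
    if auth is not None:
        scheme, _, value = auth.strip().partition(" ")
        if scheme.lower() != "basic" or not value.strip():
            return None
        try:
            decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        if not sep:
            return None
        return unquote_plus(user), unquote_plus(password)
    client_id = form.get("client_id")
    client_secret = form.get("client_secret")
    if client_id and client_secret:
        return client_id, client_secret
    return None


SAMPLE_CLIENTS = {"s6BhdRkqt3": "7Fjfp0ZBr1KtDRbnfVdmIw"}   # constructed sample registry


def verify_client(credentials, registry=SAMPLE_CLIENTS):
    """Return the client_id when the presented secret matches, else None.

    The comparison is constant-time so a wrong secret and a wrong client_id
    are not distinguishable by timing."""
    if credentials is None:
        return None
    client_id, client_secret = credentials
    expected = registry.get(client_id)
    if expected is None:
        return None
    if not hmac.compare_digest(client_secret.encode("utf-8"), expected.encode("utf-8")):
        return None
    return client_id
```

Keeping extraction free of any password logic is what lets the same helper serve both the token endpoint (verify against client_secret) and user-facing endpoints (verify against the account password) without duplicating the header parsing.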
Matthew Wild <mwild1@gmail.com> [Tue, 07 Mar 2023 14:52:43 +0000] rev 5225
mod_http_oauth2: Reflect ALL attributes of the client registration
Per RFC 7591:
"
Additionally, the authorization server MUST return all registered
metadata about this client, including any fields provisioned by the
authorization server itself.
"
The idea is that the server may replace/drop fields in the registration, so
what gets reflected back to the client is the source of truth about the
registration.
Kim Alvefur <zash@zash.se> [Tue, 07 Mar 2023 14:59:45 +0100] rev 5224
mod_rest: Point URLs to mod_http_oauth2 in demo mode
Matthew Wild <mwild1@gmail.com> [Tue, 07 Mar 2023 13:19:19 +0000] rev 5223
mod_http_oauth2: Improve handling of redirect_uri matching and fallback
Per OAuth 2.1, the client MUST provide a redirect_uri explicitly if it
registered multiple. If it only registered a single URI, it may be omitted
from the authorize request.
Kim Alvefur <zash@zash.se> [Tue, 07 Mar 2023 13:14:25 +0100] rev 5222
mod_http_oauth2: Correct field name for HTTP response status code
'code' is used in the incoming side of the Prosody HTTP stack while
'status_code' is used on the response side. Not confusing at all.
The default is 200 so this mistake had no real effect.
Matthew Wild <mwild1@gmail.com> [Tue, 07 Mar 2023 10:27:40 +0000] rev 5221
mod_http_oauth2: Fix incorrect function name (thanks Zash/luacheck)
Matthew Wild <mwild1@gmail.com> [Tue, 07 Mar 2023 10:26:57 +0000] rev 5220
mod_cloud_notify: Add note about Lua version requirements to README
Matthew Wild <mwild1@gmail.com> [Tue, 07 Mar 2023 10:24:58 +0000] rev 5219
mod_cloud_notify: Log warning when used on Lua 5.1
Kim Alvefur <zash@zash.se> [Mon, 06 Mar 2023 16:53:27 +0100] rev 5218
mod_http_oauth2: Remove authorization codes after use
RFC 6749 section 4.1.2 says:
> The client MUST NOT use the authorization code more than once.
Thus we clear it from the cache after use.
Kim Alvefur <zash@zash.se> [Mon, 06 Mar 2023 16:49:43 +0100] rev 5217
mod_http_oauth2: Fix authorization code logic
I have no idea what it did before or if it even worked.
RFC 6749 section 4.1.2 says:
> A maximum authorization code lifetime of 10 minutes is RECOMMENDED.
So this should prevent use of codes older than 10 minutes and remove
them from the cache some time after they expire.
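Revisions 5217 and 5218 above enforce the two RFC 6749 section 4.1.2 rules quoted in the commit messages: a code is used at most once and lives at most 10 minutes, with stale entries cleaned out of the cache some time after expiry. The following is an added example in Python, not the module's Lua code, of a code store that does this; binding each code to the client_id and redirect_uri it was issued for follows RFC 6749 section 4.1.3. The class and method names, the grace period and the injectable clock are this example's own.

```python
# Added example (Python, not mod_http_oauth2's Lua): an authorization code
# cache enforcing single use and a 10-minute lifetime, with periodic purging.
import secrets
import time

CODE_LIFETIME = 600   # seconds; RFC 6749 section 4.1.2 recommends at most 10 minutes


class AuthorizationCodeStore:
    def __init__(self, lifetime=CODE_LIFETIME, clock=time.time):
        self._codes = {}
        self._lifetime = lifetime
        self._clock = clock          # injectable so tests need not wait

    def issue(self, client_id, redirect_uri, payload):
        """Mint an unguessable code and remember what it was granted for."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "payload": payload,
            "issued": self._clock(),
        }
        return code

    def consume(self, code, client_id, redirect_uri):
        """Redeem a code exactly once. Returns the stored payload, or None.

        The entry is removed on every attempt: a second presentation, an
        expired code, or a code presented by a different client or with a
        different redirect_uri all fail, and the code is gone afterwards.
        """
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        if self._clock() - entry["issued"] > self._lifetime:
            return None
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return None
        return entry["payload"]

    def purge_expired(self, grace=60):
        """Drop codes that expired more than `grace` seconds ago; returns the count.

        Expired codes are already refused by consume(); this only keeps the
        cache from growing with codes that were never redeemed.
        """
        cutoff = self._clock() - self._lifetime - grace
        stale = [c for c, e in self._codes.items() if e["issued"] < cutoff]
        for c in stale:
            del self._codes[c]
        return len(stale)

    def pending(self):
        """Number of codes currently held, expired or not."""
        return len(self._codes)
```

Removing the entry before any other check means a code can never be retried into success: whichever check fails, the same code presented again is simply unknown.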
Kim Alvefur <zash@zash.se> [Mon, 06 Mar 2023 15:55:11 +0100] rev 5216
mod_http_oauth2: Include html templates in package for plugin installer
luarocks needs this extra metadata
Kim Alvefur <zash@zash.se> [Thu, 23 Feb 2023 00:30:59 +0100] rev 5215
mod_conversejs: This one weird trick updates options on reload
Options queried from the config in get_converse_options() would take
effect immediately after Prosody reloads the config. Including
'conversejs_options' in this behaviour by simply moving a line seems
worth it.