Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 10:12:46 +0200] rev 5514
mod_http_oauth2: Add client verification wrapper function
Fixes the weird ok, data return format from util.jit, but the real
reason is to add some preparation steps here.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 08:59:59 +0200] rev 5513
mod_http_oauth2: Add Cache-Control and Pragma headers as per RFC 6749
These are mostly for the various Client-facing endpoints, so the chance
of browsers being involved is slightly lower than with the User-facing
authorization endpoint, which already sent the Cache-Control header.
Thanks to OAuch for pointing it out.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 08:59:29 +0200] rev 5512
mod_http_oauth2: Linkify mod_client_management in README
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 20:02:45 +0200] rev 5511
mod_http_oauth2: Fix messed up section about redirect_uris requirements
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 19:55:36 +0200] rev 5510
mod_http_oauth2: Restructure description of client metadata requirements
Previously quite a compact block of text, maybe this is easier to read.
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 19:37:17 +0200] rev 5509
mod_http_oauth2: Correct loopback URL example
The s in the scheme should not be there, only unencrypted http to
loopback interface is allowed.
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 18:32:59 +0200] rev 5508
mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 18:16:18 +0200] rev 5507
mod_oidc_userinfo_vcard4: Advertise OpenID scopes via new mechanism
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 18:16:13 +0200] rev 5506
mod_http_oauth2: Add provisions for dynamically adding simple scopes
This lets additional modules define what scopes they might add to the
userinfo endpoint, or other things.
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 16:37:03 +0200] rev 5505
mod_http_oauth2: Sort imports
Piped through `sort -k5` thus sorting by module name. Sort order makes
it easy to know where to insert new imports.
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 02:33:05 +0200] rev 5504
mod_http_oauth2: Fix closing h1 tag
Kim Alvefur <zash@zash.se> [Wed, 31 May 2023 22:37:51 +0200] rev 5503
mod_auth_oauth_external: Correct docs about default scope
Yet another failure of auto-complete?
Kim Alvefur <zash@zash.se> [Wed, 31 May 2023 19:31:45 +0200] rev 5502
misc/lnav: Add a README with installation instructions
Kim Alvefur <zash@zash.se> [Wed, 31 May 2023 18:04:30 +0200] rev 5501
misc/lnav: Fix delimiting of timestamp in pattern
The string with the timestamp format in core.loggingmanager does end
with a space, so having the exact same string here is nice, but the
pattern did not reflect this.
Kim Alvefur <zash@zash.se> [Wed, 31 May 2023 17:59:56 +0200] rev 5500
misc/lnav: Fix timestamp-format to be an array as per schema
Kim Alvefur <zash@zash.se> [Wed, 31 May 2023 03:44:04 +0200] rev 5499
mod_http_oauth2: Create proper template for OOB code delivery
This also improves security by reusing the security and cache headers,
where mod_http_errors/http-message doesn't add such headers.
Colors selected by rotating the error colors, rrggbb -> ggbbrr
Kim Alvefur <zash@zash.se> [Fri, 26 May 2023 15:49:39 +0200] rev 5498
mod_http_oauth2: Add an example of client registration
Kim Alvefur <zash@zash.se> [Fri, 26 May 2023 15:48:02 +0200] rev 5497
mod_http_oauth2: Document client registration requirements
Because they go a bit further than the basics in the RFC.
Kim Alvefur <zash@zash.se> [Fri, 26 May 2023 15:38:38 +0200] rev 5496
mod_http_debug: Handle any path under /debug/* as well
Sometimes things encode useful info in paths. Could also help if you add
path components in a reverse proxy.
Kim Alvefur <zash@zash.se> [Fri, 26 May 2023 15:37:15 +0200] rev 5495
mod_http_debug: Log some extended info about requests
If you point something external at this module, you don't get the
response body back, hence it can be useful to see some details in the
log as well.
Kim Alvefur <zash@zash.se> [Fri, 26 May 2023 15:36:04 +0200] rev 5494
mod_http_debug: Handle more HTTP methods
Often you might want to see what POST data was sent, or such.
Kim Alvefur <zash@zash.se> [Fri, 26 May 2023 15:20:04 +0200] rev 5493
mod_http_debug: Add a brief README
Kim Alvefur <zash@zash.se> [Fri, 26 May 2023 14:32:59 +0200] rev 5492
mod_rest/example: Include 'application_type' in registration
It defaults to "web", which in turn mandates https: redirect URIs, which
would not work with this example using the OOB URI.
Kim Alvefur <zash@zash.se> [Wed, 24 May 2023 16:34:35 +0200] rev 5491
mod_s2sout_override: Add support for Direct TLS
Well that was easy
Kim Alvefur <zash@zash.se> [Wed, 24 May 2023 15:56:26 +0200] rev 5490
mod_s2sout_override: New module for overriding s2s connections
This takes advantage of the new event added in Prosody rev d5f322dd424b
which enables a cleaner way to override the connection using a resolver.
Matthew Wild <mwild1@gmail.com> [Tue, 23 May 2023 19:40:38 +0100] rev 5489
mod_pubsub_alertmanager: Support for per-path config overrides
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 21:11:13 +0200] rev 5488
mod_muc_moderation: Point to new Conversations issue tracker
Matthew Wild <mwild1@gmail.com> [Thu, 18 May 2023 18:15:50 +0200] rev 5487
mod_invites_adhoc: Fall back to generic allow_user_invites for role-less users
Fixes #1752
Backport of Prosody rev dc0c20753d6c
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 18:08:40 +0200] rev 5486
mod_invites{,_adhoc,_register}: Recommend using version included with prosody
Thanks gooya
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 17:56:10 +0200] rev 5485
mod_welcome_page: Remove dependency on mod_invites (included with Prosody)
Thanks gooya
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 14:51:48 +0200] rev 5484
mod_http_oauth2: Allow CORS for browser clients
Needed for web clients to reach i.e. the token endpoint.
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 14:47:54 +0200] rev 5483
mod_http_oauth2: Disable Referrer via header
Prevents the various parameters from potentially ending up in logs, as
well as reduces the size of requests.
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 14:25:11 +0200] rev 5482
mod_http_oauth2: Always render errors as HTML for OOB redirect URI
No invalid or insecure redirect URIs should make it to this point, so
the warning can be removed.
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 14:17:58 +0200] rev 5481
mod_http_oauth2: Use validated redirect URI when returning errors to client
Parsing it from the query again without the validation done by
get_redirect_uri() may lead to open redirect issues.
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 14:07:37 +0200] rev 5480
mod_http_oauth2: Return OAuth error for authz code store error
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 14:02:09 +0200] rev 5479
mod_http_oauth2: Validate redirect_uri before using it for error redirects
To be extra sure that it is safe to use in redirects from this point on.
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 13:41:23 +0200] rev 5478
mod_http_oauth2: Don't return redirects or HTML from token endpoint
These are used by the client, not the user, so it makes more sense to
return JSON directly instead of a redirect or HTML error page when .
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 13:27:27 +0200] rev 5477
mod_http_oauth2: Tweak formatting of log message
No need to `or ""` anymore since Prosody rev e88db5668cfb (0.11.0) and
the %q format should produce either (nil) or "http://example"
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 13:43:17 +0200] rev 5476
mod_http_oauth2: Always show early errors to user
Before having validated the client_id, communicating an error back to
the client via redirect would make this an open redirect, so we may just
as well skip past that logic, and especially the warning log message.
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 13:24:18 +0200] rev 5475
mod_http_oauth2: Clarify some error messages
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 13:19:25 +0200] rev 5474
mod_http_oauth2: Use error status code when rendering error page
Shouldn't include a 200 OK status code when showing an error.
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 13:03:09 +0200] rev 5473
mod_http_oauth2: Add human-readable error messages
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 12:57:23 +0200] rev 5472
mod_http_oauth2: Fix returning errors from response handlers
This would either redirect the user back to the client along with the
error code, or show the error HTML template.
Previously this would just show some JSON to the user.
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 19:40:27 +0200] rev 5471
mod_http_oauth2: Add a special "xmpp" scope that grants the user's default role
This will be the first step towards defining a standard set of XMPP
scopes. "xmpp" behaves as an alias for the user's default role, so that
the client does not need to know about the various prosody:* roles.
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 18:49:22 +0200] rev 5470
mod_http_oauth2: Add support for the OpenID 'login_hint' parameter
This allows the client to suggest to the authorization screen which user
is trying to log in, so they don't have to fill that in twice if they
already did so at the client.
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 17:56:56 +0200] rev 5469
mod_http_oauth2: Note about partial OpenID Discovery implementation
Notably we don't have a JSON Web Key Set, since we use the client
secret in the HS256 algorithm.
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 17:38:18 +0200] rev 5468
mod_http_oauth2: Split long list line in README
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 16:40:07 +0200] rev 5467
mod_http_oauth2: Proper OAuth error for invalid redirect URI in implicit flow too
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 16:34:19 +0200] rev 5466
mod_http_oauth2: Return proper OAuth error for invalid redirect URI
An unspecific status code of 400 isn't very helpful; this should at
least provide a hint as to what is wrong.
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 13:51:30 +0200] rev 5465
mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs
Per draft-ietf-oauth-v2-1-08#section-8.4.2
> The authorization server MUST allow any port to be specified at the
> time of the request for loopback IP redirect URIs, to accommodate
> clients that obtain an available ephemeral port from the operating
> system at the time of the request.
Uncertain if it should normalize the host part, but it also seems
harmless to treat IPv6 and IPv4 the same here.
One thing is that "localhost" is NOT RECOMMENDED because it can
sometimes be pointed to non-loopback interfaces via DNS or hosts file.
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 00:55:50 +0200] rev 5464
mod_http_oauth2: Add FIXME about loopback redirect URIs
I assume you can't possibly pre-register every port
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 00:09:37 +0200] rev 5463
mod_http_oauth2: Rename variables to improve clarity
Kim Alvefur <zash@zash.se> [Tue, 16 May 2023 22:18:12 +0200] rev 5462
mod_http_oauth2: Do minimal validation of private-use URI schemes
Per draft-ietf-oauth-v2-1-08#section-2.3.1
> At a minimum, any private-use URI scheme that doesn't contain a period
> character (.) SHOULD be rejected.
Since this would rule out the OOB URI, which is useful for CLI tools and
such without a built-in http server, it is explicitly allowed.
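An added example (not mod_http_oauth2's own code) of a redirect_uri check that applies the loopback any-port rule from rev 5465 and the private-use-scheme rule from rev 5462 above, and goes slightly further by matching the request against the client's registered redirect_uris; the OOB URI spelling, the loopback literal list and all function names are assumptions:

```lua
-- Constructed values: the OOB URI and which hosts count as loopback.
-- "localhost" is deliberately absent because DNS or a hosts file can point it elsewhere.
local OOB_URI = "urn:ietf:wg:oauth:2.0:oob"
local LOOPBACK = { ["127.0.0.1"] = true, ["::1"] = true }

-- Split a URI into scheme, host, port and the remainder (path/query/fragment).
-- Returns nil for relative URIs, which have no scheme, and for unparsable authorities.
local function parse_uri(uri)
	local scheme, rest = uri:match("^(%a[%w+.-]*):(.*)$")
	if not scheme then return nil end
	local authority, tail = rest:match("^//([^/?#]*)(.*)$")
	local host, port
	if authority then
		host, port = authority:match("^%[([^%]]+)%]:?(%d*)$")              -- [::1]:8080
		if not host then host, port = authority:match("^([^:]*):?(%d*)$") end -- 127.0.0.1:8080
		if not host then return nil end
	end
	return { scheme = scheme:lower(), host = host and host:lower(), port = port, tail = tail or rest }
end

-- Returns true if `requested` may be used for this client, or nil plus a reason.
-- `registered` is the redirect_uris list from client registration.
local function validate_redirect_uri(requested, registered)
	local req = parse_uri(requested)
	if not req then return nil, "relative or malformed redirect_uri" end
	if requested == OOB_URI then
		-- Allowed despite its period-less "urn" scheme: useful for CLI tools without an HTTP listener.
	elseif req.scheme == "http" then
		-- Unencrypted http is only acceptable on the loopback interface.
		if not LOOPBACK[req.host] then return nil, "http redirect_uri must use a loopback IP literal" end
	elseif req.scheme ~= "https" then
		-- Private-use scheme: draft-ietf-oauth-v2-1 wants at least one period (reverse-DNS style).
		if not req.scheme:find(".", 1, true) then return nil, "private-use scheme without a period" end
	end
	for _, candidate in ipairs(registered) do
		if candidate == requested then return true end
		local reg = parse_uri(candidate)
		-- Loopback entries match on any port, and IPv4/IPv6 loopback are treated alike.
		if req.scheme == "http" and reg and reg.scheme == "http" and LOOPBACK[reg.host] and reg.tail == req.tail then
			return true
		end
	end
	return nil, "redirect_uri not registered for this client"
end

-- Constructed usage: a native client registered with a loopback URI, the OOB URI and a private-use scheme.
local registered = { "http://127.0.0.1/cb", OOB_URI, "com.example.app:/cb" }
print(validate_redirect_uri("http://[::1]:49152/cb", registered))    -- ephemeral port, IPv6 loopback
print(validate_redirect_uri("http://localhost:49152/cb", registered)) -- hostname instead of IP literal
print(validate_redirect_uri("example:/cb", registered))               -- private-use scheme without a period
print(validate_redirect_uri("/cb", registered))                       -- relative URI
```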
Kim Alvefur <zash@zash.se> [Tue, 16 May 2023 22:16:39 +0200] rev 5461
mod_http_oauth2: Reject relative redirect URIs
Also prevents a nil scheme from causing trouble
Kim Alvefur <zash@zash.se> [Tue, 16 May 2023 21:10:55 +0200] rev 5460
mod_http_oauth2: Reject duplicate list items in client registration
Useless waste of space
Kim Alvefur <zash@zash.se> [Tue, 16 May 2023 21:09:38 +0200] rev 5459
mod_http_oauth2: Require non-empty arrays in client registration
Makes no sense to claim to support nothing.
Kim Alvefur <zash@zash.se> [Tue, 16 May 2023 21:04:31 +0200] rev 5458
mod_http_oauth2: Reject duplicate redirect URIs in registration
Kim Alvefur <zash@zash.se> [Tue, 16 May 2023 20:56:57 +0200] rev 5457
mod_http_oauth2: Fix schema to enforce at least one redirect URI
minLength is for strings
Kim Alvefur <zash@zash.se> [Fri, 12 May 2023 11:58:20 +0200] rev 5456
mod_http_oauth2: Show only roles the user can use in consent dialog
Confusing if it shows you roles you can't use.
Kim Alvefur <zash@zash.se> [Fri, 12 May 2023 11:11:38 +0200] rev 5455
mod_http_oauth2: Reference grant by id instead of value
Fixes that the grant got mutated on use of refresh token, notably it
would gain 'id' and 'jid' properties set there by mod_tokenauth.
Previously also the secret token that we should not be remembering.