mod_http_oauth2: Add client verification wrapper function Fixes the weird ok, data return format from util.jit, but the real reason is to add some preparation steps here.

mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 These are mostly for the various Client-facing endpoints, so the chance of browsers being involved is slightly lower than with the User-facing authorization endpoint, which already sent the Cache-Control header. Thanks to OAuch for pointing out.

mod_http_oauth2: Linkify mod_client_management in README

mod_http_oauth2: Fix messed up section about redirect_uris requirements

mod_http_oauth2: Restructure description of client metadata requirements Previously quite a compact block of text, maybe this is easier to read.

mod_http_oauth2: Correct loopback URL example The s in the scheme should not be there, only unencrypted http to loopback interface is allowed.

mod_groups_oidc: Expose groups to OAuth clients

mod_oidc_userinfo_vcard4: Advertise OpenID scopes via new mechanism

mod_http_oauth2: Add provisions for dynamically adding simple scopes This lets additional modules define what scopes they might add to the userinfo endpoint, or other things.

mod_http_oauth2: Sort imports Piped through `sort -k5` thus sorting by module name. Sort order makes it easy to know where to insert new imports.

mod_http_oauth2: Fix closing h1 tag

mod_auth_oauth_external: Correct docs about default scope Yet another failure of auto-complete?

misc/lnav: Add a README with installation instructions

misc/lnav: Fix delimiting of timestamp in pattern The string with the timestamp format in core.loggingmanager does end with a space, so having the exact same string here is nice, but the pattern did not reflect this.

misc/lnav: Fix timestamp-format to be an array as per schema

mod_http_oauth2: Create proper template for OOB code delivery This also improves security by reusing the security and cache headers, where mod_http_errors/http-message doesn't add such headers. Colors selected by taking rotating the error colors, rrggbb -> ggbbrr

mod_http_oauth2: Add an example of client registration

mod_http_oauth2: Document client registration requirements Because they go a bit further than the basics in the RFC

mod_http_debug: Handle any path under /debug/* as well Sometimes things encode useful info in paths. Could also help if you add path components in a reverse proxy.

mod_http_debug: Log some extended info about requests If you point something external at this module, you don't get the response body back, hence it can be useful to see some details in the log as well.

mod_http_debug: Handle more HTTP methods Often you might want to see what POST data was sent, or such.

mod_http_debug: Add a brief README

mod_rest/example: Include 'application_type' in registration It defaults to "web", which in turn mandates https: redirect URIs, which would not work with this example using the OOB URI.

mod_s2sout_override: Add support for Direct TLS Well that was easy

mod_s2sout_override: New module for overriding s2s connections This takes advantage of the new event added in Prosody rev d5f322dd424b which enables a cleaner way to override the connection using a resolver.

mod_pubsub_alertmanager: Support for per-path config overrides

mod_muc_moderation: Point to new Conversations issue tracker

mod_invites_adhoc: Fall back to generic allow_user_invites for role-less users Fixes #1752 Backport of Prosody rev dc0c20753d6c

mod_invites{,_adhoc,_register}: Recommend using version included with prosody Thanks gooya

mod_welcome_page: Remove dependency on mod_invites (included with Prosody) Thanks gooya

mod_http_oauth2: Allow CORS for browser clients Needed for web clients to reach i.e. the token endpoint.

mod_http_oauth2: Disable Referrer via header Prevents the various parameters from potentially ending up in logs, as well as reduces the size of requests.

mod_http_oauth2: Always render errors as HTML for OOB redirect URI No invalid or insecure redirect URIs should make it to this point, so the warning can be removed.

mod_http_oauth2: Use validated redirect URI when returning errors to client Parsing it from the query again without the validation done by get_redirect_uri() may lead to open redirect issues.

mod_http_oauth2: Return OAuth error for authz code store error

mod_http_oauth2: Validate redirect_uri before using it for error redirects To be extra sure that it is safe to use in redirects from this point on.

mod_http_oauth2: Don't return redirects or HTML from token endpoint These are used by the client, not the user, so makes more sense to return JSON directly instead of a redirect or HTML error page when .

mod_http_oauth2: Tweak formatting of log message No need to `or ""` anymore since Prosody rev e88db5668cfb (0.11.0) and the %q format should produce either (nil) or "http://example"

mod_http_oauth2: Always show early errors to user Before having validated the client_id, communicating an error back to the client via redirect would make this an open redirect, so we may just as well skip past that logic, and especially the warning log message.

mod_http_oauth2: Clarify some error messages

mod_http_oauth2: Use error status code when rendering error page Shouldn't include a 200 OK status code when showing an error.

mod_http_oauth2: Add human-readable error messages

mod_http_oauth2: Fix returning errors from response handlers This would either redirect the user back to the client along with the error code, or show the error HTML template. Previously this would just show some JSON to the user.

mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role This will be the first step towards defining a standard set of XMPP scopes. "xmpp" behaves as an alias for the user's default role, so that the client does not need to know about the various prosody:* roles.

mod_http_oauth2: Add support for the OpenID 'login_hint' parameter This allows the client to suggest to the authorization screen which user is trying to login, so they don't have to fill that in twice if they already did so at the client.

mod_http_oauth2: Note about partial OpenID Discovery implementation Notably we don't have an JSON Web Key Set, since we use the client secret in the HS256 algorithm.

mod_http_oauth2: Split long list line in README

mod_http_oauth2: Proper OAuth error for invalid redirect URI in implicit flow too

mod_http_oauth2: Return proper OAuth error for invalid redirect URI An unspecific status code of 400 isn't very helpful, this should at least provide a hint as to what is wrong.

mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Per draft-ietf-oauth-v2-1-08#section-8.4.2 > The authorization server MUST allow any port to be specified at the > time of the request for loopback IP redirect URIs, to accommodate > clients that obtain an available ephemeral port from the operating > system at the time of the request. Uncertain if it should normalize the host part, but it also seems harmless to treat IPv6 and IPv4 the same here. One thing is that "localhost" is NOT RECOMMENDED because it can sometimes be pointed to non-loopback interfaces via DNS or hosts file.

mod_http_oauth2: Add FIXME about loopback redirect URIs I assume you can't possibly pre-register every port

mod_http_oauth2: Rename variables to improve clarity

mod_http_oauth2: Do minimal validation of private-use URI schemes Per draft-ietf-oauth-v2-1-08#section-2.3.1 > At a minimum, any private-use URI scheme that doesn't contain a period > character (.) SHOULD be rejected. Since this would rule out the OOB URI, which is useful for CLI tools and such without a built-in http server, it is explicitly allowed.

mod_http_oauth2: Reject relative redirect URIs Also prevents a nil scheme from causing trouble

mod_http_oauth2: Reject duplicate list items in client registration Useless waste of space

mod_http_oauth2: Require non-empty arrays in client registration Makes no sense to claim to support nothing.

mod_http_oauth2: Reject duplicate redirect URIs in registration

mod_http_oauth2: Fix schema to enforce at least one redirect URI minLength is for strings

mod_http_oauth2: Show only roles the user can use in consent dialog Confusing if it shows you roles you can't use.

mod_http_oauth2: Reference grant by id instead of value Fixes that the grant got mutated on use of refresh token, notably it would gain 'id' and 'jid' properties set there by mod_tokenauth. Previously also the secret token that we should not be remembering.