prosody-modules: mod_auth_ccert/README.markdown annotate

annotate mod_auth_ccert/README.markdown @ 5511:0860497152af

mod_http_oauth2: Record hash of client_id to allow future verification RFC 6819 section 5.2.2.2 states that refresh tokens MUST be bound to the client. In order to do that, we must record something that can definitely tie the client to the grant. Since the full client_id is so large (why we have this client_subset function), a hash is stored instead.

author	Kim Alvefur <zash@zash.se>
date	Fri, 02 Jun 2023 10:14:16 +0200
parents	0e3f5f70a51d
children

rev	line source
1803 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	1 ---
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	2 labels:
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	3 - 'Stage-Alpha'
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	4 - 'Type-Auth'
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	5 summary: Client Certificate authentication module
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	6 ...
1782 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	7
1803 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	8 Introduction
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	9 ============
1782 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	10
1803 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	11 This module implements PKI-style client certificate authentication. You
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	12 will therefore need your own Certificate Authority. How to set that up
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	13 is beyond the current scope of this document.
1782 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	14
1803 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	15 Configuration
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	16 =============
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	17
1782 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	18
1803 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	19 authentication = "ccert"
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	20 certificate_match = "xmppaddr" -- or "email"
1782 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	21
1803 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	22 c2s_ssl = {
1904 5d84b7fbe3aa mod_auth_ccert/README: It's cafile, not cacert Kim Alvefur <zash@zash.se> parents: 1884 diff changeset	23 cafile = "/path/to/your/ca.pem";
1884 153f063c3d1a mod_auth_ccert/README: Recomend cacert instead of capath Kim Alvefur <zash@zash.se> parents: 1803 diff changeset	24 capath = false; -- Disable capath inherited from built-in default
4432 e83284d4d5c2 mod_auth_ccert/README: Add setting to ensure Prosdy asks for client certificate Kim Alvefur <zash@zash.se> parents: 1904 diff changeset	25 verify = {"peer"; "client_once"}; -- Ask for client certificate
4433 0e3f5f70a51d mod_auth_ccert/README: Add certificate purpose conifg to example Kim Alvefur <zash@zash.se> parents: 4432 diff changeset	26 verifyext = {
0e3f5f70a51d mod_auth_ccert/README: Add certificate purpose conifg to example Kim Alvefur <zash@zash.se> parents: 4432 diff changeset	27 -- Don't validate client certs as if they were server certs
0e3f5f70a51d mod_auth_ccert/README: Add certificate purpose conifg to example Kim Alvefur <zash@zash.se> parents: 4432 diff changeset	28 lsec_ignore_purpose = false
0e3f5f70a51d mod_auth_ccert/README: Add certificate purpose conifg to example Kim Alvefur <zash@zash.se> parents: 4432 diff changeset	29 }
1803 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	30 }
1782 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	31
29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	32
1803 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	33 Compatibility
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	34 =============
1782 29f3d6b7ad16 Import wiki pages Kim Alvefur <zash@zash.se> parents: diff changeset	35
1803 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	36 ----------------- --------------
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	37 trunk Works
1884 153f063c3d1a mod_auth_ccert/README: Recomend cacert instead of capath Kim Alvefur <zash@zash.se> parents: 1803 diff changeset	38 0.10 and later Works
1803 4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	39 0.9 and earlier Doesn't work
4d73a1a6ba68 Convert all wiki pages to Markdown Kim Alvefur <zash@zash.se> parents: 1782 diff changeset	40 ----------------- --------------

Mercurial > prosody-modules

annotate mod_auth_ccert/README.markdown @ 5511:0860497152af