Mercurial > prosody-modules
annotate mod_auth_oauthbearer/README.markdown @ 5193:2bb29ece216b
mod_http_oauth2: Implement stateless dynamic client registration
Replaces previous explicit registration that required either the
additional module mod_adhoc_oauth2_client or manually editing the
database. That method was enough to have something to test with, but
would not probably not scale easily.
Dynamic client registration allows creating clients on the fly, which
may be even easier in theory.
In order to not allow basically unauthenticated writes to the database,
we implement a stateless model here.
per_host_key := HMAC(config -> oauth2_registration_key, hostname)
client_id := JWT { client metadata } signed with per_host_key
client_secret := HMAC(per_host_key, client_id)
This should ensure everything we need to know is part of the client_id,
allowing redirects etc to be validated, and the client_secret can be
validated with only the client_id and the per_host_key.
A nonce injected into the client_id JWT should ensure nobody can submit
the same client metadata and retrieve the same client_secret
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 03 Mar 2023 21:14:19 +0100 |
| parents | 1a1affd22f74 |
| children |
| rev | line source |
|---|---|
|
3114
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
1 --- |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
2 labels: |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
3 - 'Type-Auth' |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
4 summary: OAuth authentication |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
5 ... |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
6 |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
7 Introduction |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
8 ============ |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
9 |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
10 This is an authentication module for the SASL OAUTHBEARER mechanism, as provided by `mod_sasl_oauthbearer`. |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
11 |
|
3116
1a1affd22f74
mod_auth_oauthbearer: expand intro to mention when/how you'd use this
JC Brand <jc@opkode.com>
parents:
3114
diff
changeset
|
12 You can use this to log in via OAuth, for example if you want your user's to log in with Github, Twitter, Reddit etc. |
|
1a1affd22f74
mod_auth_oauthbearer: expand intro to mention when/how you'd use this
JC Brand <jc@opkode.com>
parents:
3114
diff
changeset
|
13 |
|
1a1affd22f74
mod_auth_oauthbearer: expand intro to mention when/how you'd use this
JC Brand <jc@opkode.com>
parents:
3114
diff
changeset
|
14 The XMPP client needs get an OAuth token from the provider (e.g. Github) and send that to Prosody. |
|
1a1affd22f74
mod_auth_oauthbearer: expand intro to mention when/how you'd use this
JC Brand <jc@opkode.com>
parents:
3114
diff
changeset
|
15 This module will then verify that token by calling the `oauth_url` you've configured. |
|
1a1affd22f74
mod_auth_oauthbearer: expand intro to mention when/how you'd use this
JC Brand <jc@opkode.com>
parents:
3114
diff
changeset
|
16 |
|
3114
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
17 Configuration |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
18 ============= |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
19 |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
20 Per VirtualHost, you'll need to supply your OAuth client Id, secret and the URL which |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
21 Prosody must call in order to verify the OAuth token it receives from the XMPP client. |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
22 |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
23 For example, for Github: |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
24 |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
25 oauth_client_id = "13f8e9cc8928b3409822" |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
26 oauth_client_secret = "983161fd3ah608ea7ef35382668aad1927463978" |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
27 oauth_url = "https://api.github.com/applications/{{oauth_client_id}}/tokens/{{password}}"; |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
28 |
|
73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff
changeset
|
29 authentication = "oauthbearer" |