prosody-modules: mod_http_oauth2/README.markdown annotate

annotate mod_http_oauth2/README.markdown @ 5615:308b5b117379

mod_http_oauth2: Hint at future deprecation of resource owner password grant It is strongly discouraged by all the modern OAuth 2.0 (and 2.1) documents.

author	Kim Alvefur <zash@zash.se>
date	Fri, 21 Jul 2023 00:38:04 +0200
parents	7565298aa197
children	d8622797e315

rev	line source
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	1 ---
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	2 labels:
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	3 - Stage-Alpha
5212 3235b8bd1e55 mod_http_oauth2: Include html templates in package for plugin installer Kim Alvefur <zash@zash.se> parents: 5197 diff changeset	4 rockspec:
3235b8bd1e55 mod_http_oauth2: Include html templates in package for plugin installer Kim Alvefur <zash@zash.se> parents: 5197 diff changeset	5 build:
3235b8bd1e55 mod_http_oauth2: Include html templates in package for plugin installer Kim Alvefur <zash@zash.se> parents: 5197 diff changeset	6 copy_directories:
3235b8bd1e55 mod_http_oauth2: Include html templates in package for plugin installer Kim Alvefur <zash@zash.se> parents: 5197 diff changeset	7 - html
5520 67448e677706 mod_http_oauth2/README: Expand summary to include OAuth 2.0 role Kim Alvefur <zash@zash.se> parents: 5508 diff changeset	8 summary: OAuth 2.0 Authorization Server API
67448e677706 mod_http_oauth2/README: Expand summary to include OAuth 2.0 role Kim Alvefur <zash@zash.se> parents: 5508 diff changeset	9 ---
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	10
5313 80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	11 ## Introduction
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	12
5315 8501baa7ef3f mod_http_oauth2/README: Link to OAuth and OIDC sites Kim Alvefur <zash@zash.se> parents: 5313 diff changeset	13 This module implements an [OAuth2](https://oauth.net/2/)/[OpenID Connect
8501baa7ef3f mod_http_oauth2/README: Link to OAuth and OIDC sites Kim Alvefur <zash@zash.se> parents: 5313 diff changeset	14 (OIDC)](https://openid.net/connect/) provider HTTP frontend on top of
8501baa7ef3f mod_http_oauth2/README: Link to OAuth and OIDC sites Kim Alvefur <zash@zash.se> parents: 5313 diff changeset	15 Prosody's usual internal authentication backend.
5313 80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	16
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	17 OAuth and OIDC are web standards that allow you to provide clients and
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	18 third-party applications limited access to your account, without sharing your
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	19 password with them.
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	20
5546 ae20da6d377d mod_http_oauth2: Link to RFC 7628 in README Kim Alvefur <zash@zash.se> parents: 5545 diff changeset	21 With this module deployed, software that supports OAuth can obtain
ae20da6d377d mod_http_oauth2: Link to RFC 7628 in README Kim Alvefur <zash@zash.se> parents: 5545 diff changeset	22 "access tokens" from Prosody which can then be used to connect to XMPP
ae20da6d377d mod_http_oauth2: Link to RFC 7628 in README Kim Alvefur <zash@zash.se> parents: 5545 diff changeset	23 accounts using the [OAUTHBEARER SASL mechanism][rfc7628] or via non-XMPP
ae20da6d377d mod_http_oauth2: Link to RFC 7628 in README Kim Alvefur <zash@zash.se> parents: 5545 diff changeset	24 interfaces such as [mod_rest].
5313 80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	25
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	26 Although this module has been around for some time, it has recently been
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	27 significantly extended and largely rewritten to support OAuth/OIDC more fully.
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	28
5313 80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	29 As of April 2023, it should be considered alpha stage. It works, we have
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	30 tested it, but it has not yet seen wider review, testing and deployment. At
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	31 this stage we recommend it for experimental and test deployments only. For
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	32 specific information, see the [deployment notes section](#deployment-notes)
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	33 below.
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	34
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	35 Known client implementations:
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	36
5328 dd8616e68cb3 mod_http_oauth2/README: Add rest.sh to known implementations Kim Alvefur <zash@zash.se> parents: 5316 diff changeset	37 - [example shell script for mod_rest](https://hg.prosody.im/prosody-modules/file/tip/mod_rest/example/rest.sh)
dd8616e68cb3 mod_http_oauth2/README: Add rest.sh to known implementations Kim Alvefur <zash@zash.se> parents: 5316 diff changeset	38 - (we need you!)
5313 80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	39
5546 ae20da6d377d mod_http_oauth2: Link to RFC 7628 in README Kim Alvefur <zash@zash.se> parents: 5545 diff changeset	40 Support for [OAUTHBEARER][rfc7628] has been added to the Lua XMPP
ae20da6d377d mod_http_oauth2: Link to RFC 7628 in README Kim Alvefur <zash@zash.se> parents: 5545 diff changeset	41 library, [verse](https://code.matthewwild.co.uk/verse). If you know of
ae20da6d377d mod_http_oauth2: Link to RFC 7628 in README Kim Alvefur <zash@zash.se> parents: 5545 diff changeset	42 additional implementations, or are motivated to work on one, please let
ae20da6d377d mod_http_oauth2: Link to RFC 7628 in README Kim Alvefur <zash@zash.se> parents: 5545 diff changeset	43 us know! We'd be happy to help (e.g. by providing a test server).
5313 80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	44
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	45 ## Standards support
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	46
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	47 Notable supported standards:
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	48
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	49 - [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749)
5410 644b2f2b9b52 mod_http_oauth2: Link to RFC 7009: OAuth 2.0 Token Revocation Kim Alvefur <zash@zash.se> parents: 5408 diff changeset	50 - [RFC 7009: OAuth 2.0 Token Revocation](https://www.rfc-editor.org/rfc/rfc7009)
5464 2a11f590c5c8 mod_http_oauth2: Split long list line in README Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	51 - [RFC 7591: OAuth 2.0 Dynamic Client Registration](https://www.rfc-editor.org/rfc/rfc7591.html)
5313 80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	52 - [RFC 7628: A Set of Simple Authentication and Security Layer (SASL) Mechanisms for OAuth](https://www.rfc-editor.org/rfc/rfc7628)
5383 df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5328 diff changeset	53 - [RFC 7636: Proof Key for Code Exchange by OAuth Public Clients](https://www.rfc-editor.org/rfc/rfc7636)
5589 7040d0772758 mod_http_oauth2: Implement RFC 8628 Device Authorization Grant Kim Alvefur <zash@zash.se> parents: 5588 diff changeset	54 - [RFC 8628: OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628)
5588 59acf7f540c1 mod_http_oauth2: Mention support for RFC 9207 Kim Alvefur <zash@zash.se> parents: 5562 diff changeset	55 - [RFC 9207: OAuth 2.0 Authorization Server Issuer Identification](https://www.rfc-editor.org/rfc/rfc9207.html)
5313 80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	56 - [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html)
5465 66e13e79928b mod_http_oauth2: Note about partial OpenID Discovery implementation Kim Alvefur <zash@zash.se> parents: 5464 diff changeset	57 - [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html) (_partial, e.g. missing JWKS_)
5464 2a11f590c5c8 mod_http_oauth2: Split long list line in README Kim Alvefur <zash@zash.se> parents: 5416 diff changeset	58 - [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html)
5313 80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	59
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	60 ## Configuration
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	61
5313 80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	62 ### Interface
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	63
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	64 The module presents a web page to users to allow them to authenticate when
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	65 a client requests access. Built-in pages are provided, but you may also theme
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	66 or entirely override them.
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	67
5545 fcef6263acdb mod_http_oauth2: Use code spans for some config options in README Kim Alvefur <zash@zash.se> parents: 5521 diff changeset	68 This module honours the `site_name` configuration option that is also used by
5313 80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	69 a number of other modules:
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	70
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	71 ```lua
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	72 site_name = "My XMPP Server"
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	73 ```
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	74
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	75 To provide custom templates, specify the path to the template directory:
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	76
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	77 ```lua
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	78 oauth2_template_path = "/etc/prosody/custom-oauth2-templates"
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	79 ```
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	80
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	81 Some templates support additional variables, that can be provided by the
5545 fcef6263acdb mod_http_oauth2: Use code spans for some config options in README Kim Alvefur <zash@zash.se> parents: 5521 diff changeset	82 `oauth2_template_style` option:
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	83
5313 80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	84 ```lua
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	85 oauth2_template_style = {
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	86 background_colour = "#ffffff";
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	87 }
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	88 ```
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	89
5547 d4a2997deae9 mod_http_oauth2: Make CSP configurable Kim Alvefur <zash@zash.se> parents: 5546 diff changeset	90 If you know what features your templates use use you can adjust the
d4a2997deae9 mod_http_oauth2: Make CSP configurable Kim Alvefur <zash@zash.se> parents: 5546 diff changeset	91 `Content-Security-Policy` header to only allow what is needed:
d4a2997deae9 mod_http_oauth2: Make CSP configurable Kim Alvefur <zash@zash.se> parents: 5546 diff changeset	92
d4a2997deae9 mod_http_oauth2: Make CSP configurable Kim Alvefur <zash@zash.se> parents: 5546 diff changeset	93 ```lua
d4a2997deae9 mod_http_oauth2: Make CSP configurable Kim Alvefur <zash@zash.se> parents: 5546 diff changeset	94 oauth2_security_policy = "default-src 'self'" -- this is the default
d4a2997deae9 mod_http_oauth2: Make CSP configurable Kim Alvefur <zash@zash.se> parents: 5546 diff changeset	95 ```
d4a2997deae9 mod_http_oauth2: Make CSP configurable Kim Alvefur <zash@zash.se> parents: 5546 diff changeset	96
5313 80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	97 ### Token parameters
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	98
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	99 The following options configure the lifetime of tokens issued by the module.
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	100 The defaults are recommended.
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	101
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	102 ```lua
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	103 oauth2_access_token_ttl = 86400 -- 24 hours
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	104 oauth2_refresh_token_ttl = nil -- unlimited unless revoked by the user
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	105 ```
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	106
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	107 ### Dynamic client registration
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	108
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	109 To allow users to connect any compatible software, you should enable dynamic
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	110 client registration.
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	111
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	112 Dynamic client registration can be enabled by configuring a JWT key. Algorithm
5416 2393dbae51ed mod_http_oauth2: Add option for specifying TTL of registered clients Kim Alvefur <zash@zash.se> parents: 5410 diff changeset	113 defaults to HS256 lifetime defaults to forever.
5197 164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	114
164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	115 ```lua
164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	116 oauth2_registration_key = "securely generated JWT key here"
164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	117 oauth2_registration_algorithm = "HS256"
5416 2393dbae51ed mod_http_oauth2: Add option for specifying TTL of registered clients Kim Alvefur <zash@zash.se> parents: 5410 diff changeset	118 oauth2_registration_ttl = nil -- unlimited by default
5197 164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	119 ```
164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	120
5493 cae3bb3dd45f mod_http_oauth2: Document client registration requirements Kim Alvefur <zash@zash.se> parents: 5467 diff changeset	121 Registering a client is described in
cae3bb3dd45f mod_http_oauth2: Document client registration requirements Kim Alvefur <zash@zash.se> parents: 5467 diff changeset	122 [RFC7591](https://www.rfc-editor.org/rfc/rfc7591.html).
cae3bb3dd45f mod_http_oauth2: Document client registration requirements Kim Alvefur <zash@zash.se> parents: 5467 diff changeset	123
cae3bb3dd45f mod_http_oauth2: Document client registration requirements Kim Alvefur <zash@zash.se> parents: 5467 diff changeset	124 In addition to the requirements in the RFC, the following requirements
cae3bb3dd45f mod_http_oauth2: Document client registration requirements Kim Alvefur <zash@zash.se> parents: 5467 diff changeset	125 are enforced:
cae3bb3dd45f mod_http_oauth2: Document client registration requirements Kim Alvefur <zash@zash.se> parents: 5467 diff changeset	126
5506 37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	127 `client_name`
37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	128 : MUST be present, is shown to users in consent screen.
37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	129
37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	130 `client_uri`
37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	131 : MUST be present and MUST be a `https://` URL.
37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	132
37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	133 `redirect_uris`
37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	134
37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	135 : MUST contain at least one valid URI. Different rules apply
5562 734788d8bfc3 mod_http_oauth2: Rearrange description of redirect URIs requirements Kim Alvefur <zash@zash.se> parents: 5561 diff changeset	136 depending on the value of `application_type`, see below.
5506 37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	137
37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	138 `application_type`
37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	139
37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	140 : Optional, defaults to `web`. Determines further restrictions for
37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	141 `redirect_uris`. The following values are supported:
37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	142
37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	143 `web` (default)
5562 734788d8bfc3 mod_http_oauth2: Rearrange description of redirect URIs requirements Kim Alvefur <zash@zash.se> parents: 5561 diff changeset	144 : For web clients. With this, `redirect_uris` MUST be
734788d8bfc3 mod_http_oauth2: Rearrange description of redirect URIs requirements Kim Alvefur <zash@zash.se> parents: 5561 diff changeset	145 `https://` URIs and MUST use the same hostname part as the
734788d8bfc3 mod_http_oauth2: Rearrange description of redirect URIs requirements Kim Alvefur <zash@zash.se> parents: 5561 diff changeset	146 `client_uri`.
734788d8bfc3 mod_http_oauth2: Rearrange description of redirect URIs requirements Kim Alvefur <zash@zash.se> parents: 5561 diff changeset	147
734788d8bfc3 mod_http_oauth2: Rearrange description of redirect URIs requirements Kim Alvefur <zash@zash.se> parents: 5561 diff changeset	148 `native`
5506 37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	149
37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	150 `native`
5562 734788d8bfc3 mod_http_oauth2: Rearrange description of redirect URIs requirements Kim Alvefur <zash@zash.se> parents: 5561 diff changeset	151
734788d8bfc3 mod_http_oauth2: Rearrange description of redirect URIs requirements Kim Alvefur <zash@zash.se> parents: 5561 diff changeset	152 : For native e.g. desktop clients etc. `redirect_uris` MUST
734788d8bfc3 mod_http_oauth2: Rearrange description of redirect URIs requirements Kim Alvefur <zash@zash.se> parents: 5561 diff changeset	153 match one of:
734788d8bfc3 mod_http_oauth2: Rearrange description of redirect URIs requirements Kim Alvefur <zash@zash.se> parents: 5561 diff changeset	154
734788d8bfc3 mod_http_oauth2: Rearrange description of redirect URIs requirements Kim Alvefur <zash@zash.se> parents: 5561 diff changeset	155 - Loopback HTTP URI, e.g. `http://127.0.0.1/` or
734788d8bfc3 mod_http_oauth2: Rearrange description of redirect URIs requirements Kim Alvefur <zash@zash.se> parents: 5561 diff changeset	156 `http://[::1]`
734788d8bfc3 mod_http_oauth2: Rearrange description of redirect URIs requirements Kim Alvefur <zash@zash.se> parents: 5561 diff changeset	157 - Application-specific scheme, e.g. `com.example.app:/`
734788d8bfc3 mod_http_oauth2: Rearrange description of redirect URIs requirements Kim Alvefur <zash@zash.se> parents: 5561 diff changeset	158 - The special OOB URI `urn:ietf:wg:oauth:2.0:oob`
5506 37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	159
37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	160 `tos_uri`, `policy_uri`
37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	161 : Informative URLs pointing to Terms of Service and Service Policy
37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	162 document MUST use the same scheme (i.e. `https://`) and hostname
37621c6e5c08 mod_http_oauth2: Restructure description of client metadata requirements Kim Alvefur <zash@zash.se> parents: 5505 diff changeset	163 as the `client_uri`.
5493 cae3bb3dd45f mod_http_oauth2: Document client registration requirements Kim Alvefur <zash@zash.se> parents: 5467 diff changeset	164
5561 d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	165 #### Registration Examples
5494 1bcf755c7bae mod_http_oauth2: Add an example of client registration Kim Alvefur <zash@zash.se> parents: 5493 diff changeset	166
1bcf755c7bae mod_http_oauth2: Add an example of client registration Kim Alvefur <zash@zash.se> parents: 5493 diff changeset	167 In short registration works by POST-ing a JSON structure describing your
1bcf755c7bae mod_http_oauth2: Add an example of client registration Kim Alvefur <zash@zash.se> parents: 5493 diff changeset	168 client to an endpoint:
1bcf755c7bae mod_http_oauth2: Add an example of client registration Kim Alvefur <zash@zash.se> parents: 5493 diff changeset	169
1bcf755c7bae mod_http_oauth2: Add an example of client registration Kim Alvefur <zash@zash.se> parents: 5493 diff changeset	170 ``` bash
1bcf755c7bae mod_http_oauth2: Add an example of client registration Kim Alvefur <zash@zash.se> parents: 5493 diff changeset	171 curl -sSf https://xmpp.example.net/oauth2/register \
1bcf755c7bae mod_http_oauth2: Add an example of client registration Kim Alvefur <zash@zash.se> parents: 5493 diff changeset	172 -H Content-Type:application/json \
1bcf755c7bae mod_http_oauth2: Add an example of client registration Kim Alvefur <zash@zash.se> parents: 5493 diff changeset	173 -H Accept:application/json \
1bcf755c7bae mod_http_oauth2: Add an example of client registration Kim Alvefur <zash@zash.se> parents: 5493 diff changeset	174 --data '
1bcf755c7bae mod_http_oauth2: Add an example of client registration Kim Alvefur <zash@zash.se> parents: 5493 diff changeset	175 {
1bcf755c7bae mod_http_oauth2: Add an example of client registration Kim Alvefur <zash@zash.se> parents: 5493 diff changeset	176 "client_name" : "My Application",
1bcf755c7bae mod_http_oauth2: Add an example of client registration Kim Alvefur <zash@zash.se> parents: 5493 diff changeset	177 "client_uri" : "https://app.example.com/",
1bcf755c7bae mod_http_oauth2: Add an example of client registration Kim Alvefur <zash@zash.se> parents: 5493 diff changeset	178 "redirect_uris" : [
1bcf755c7bae mod_http_oauth2: Add an example of client registration Kim Alvefur <zash@zash.se> parents: 5493 diff changeset	179 "https://app.example.com/redirect"
1bcf755c7bae mod_http_oauth2: Add an example of client registration Kim Alvefur <zash@zash.se> parents: 5493 diff changeset	180 ]
1bcf755c7bae mod_http_oauth2: Add an example of client registration Kim Alvefur <zash@zash.se> parents: 5493 diff changeset	181 }
1bcf755c7bae mod_http_oauth2: Add an example of client registration Kim Alvefur <zash@zash.se> parents: 5493 diff changeset	182 '
1bcf755c7bae mod_http_oauth2: Add an example of client registration Kim Alvefur <zash@zash.se> parents: 5493 diff changeset	183 ```
1bcf755c7bae mod_http_oauth2: Add an example of client registration Kim Alvefur <zash@zash.se> parents: 5493 diff changeset	184
5561 d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	185 Another example with more fields:
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	186
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	187 ``` bash
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	188 curl -sSf https://xmpp.example.net/oauth2/register \
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	189 -H Content-Type:application/json \
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	190 -H Accept:application/json \
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	191 --data '
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	192 {
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	193 "application_type" : "native",
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	194 "client_name" : "Desktop Chat App",
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	195 "client_uri" : "https://app.example.org/",
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	196 "contacts" : [
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	197 "support@example.org"
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	198 ],
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	199 "policy_uri" : "https://app.example.org/about/privacy",
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	200 "redirect_uris" : [
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	201 "http://localhost:8080/redirect",
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	202 "org.example.app:/redirect"
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	203 ],
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	204 "scope" : "xmpp",
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	205 "software_id" : "32a0a8f3-4016-5478-905a-c373156eca73",
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	206 "software_version" : "3.4.1",
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	207 "tos_uri" : "https://app.example.org/about/terms"
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	208 }
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	209 '
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	210 ```
d6ab6f0bd96e mod_http_oauth2: Add a more complete client registration example Kim Alvefur <zash@zash.se> parents: 5547 diff changeset	211
5313 80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	212 ### Supported flows
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	213
5521 ef1ae6390742 mod_http_oauth2: Add some words about supported flows and defaults Kim Alvefur <zash@zash.se> parents: 5520 diff changeset	214 - Authorization Code grant, optionally with Proof Key for Code Exchange
5613 a9682cad0e67 mod_http_oauth2: Mention Device flow in list of flows in README Kim Alvefur <zash@zash.se> parents: 5589 diff changeset	215 - Device Authorization Grant
5615 308b5b117379 mod_http_oauth2: Hint at future deprecation of resource owner password grant Kim Alvefur <zash@zash.se> parents: 5614 diff changeset	216 - Resource owner password grant (likely to be phased out in the future)
5521 ef1ae6390742 mod_http_oauth2: Add some words about supported flows and defaults Kim Alvefur <zash@zash.se> parents: 5520 diff changeset	217 - Implicit flow (disabled by default)
ef1ae6390742 mod_http_oauth2: Add some words about supported flows and defaults Kim Alvefur <zash@zash.se> parents: 5520 diff changeset	218 - Refresh Token grants
ef1ae6390742 mod_http_oauth2: Add some words about supported flows and defaults Kim Alvefur <zash@zash.se> parents: 5520 diff changeset	219
5197 164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	220 Various flows can be disabled and enabled with
164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	221 `allowed_oauth2_grant_types` and `allowed_oauth2_response_types`:
164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	222
164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	223 ```lua
5521 ef1ae6390742 mod_http_oauth2: Add some words about supported flows and defaults Kim Alvefur <zash@zash.se> parents: 5520 diff changeset	224 -- These examples reflect the defaults
5197 164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	225 allowed_oauth2_grant_types = {
164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	226 "authorization_code"; -- authorization code grant
5614 7565298aa197 mod_http_oauth2: Allow a shorter form of the device grant in config Kim Alvefur <zash@zash.se> parents: 5613 diff changeset	227 "device_code";
5197 164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	228 "password"; -- resource owner password grant
164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	229 }
164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	230
164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	231 allowed_oauth2_response_types = {
164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	232 "code"; -- authorization code flow
164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	233 -- "token"; -- implicit flow disabled by default
164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	234 }
164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	235 ```
164a9875935b mod_http_oauth2/README: Document config options Kim Alvefur <zash@zash.se> parents: 4924 diff changeset	236
5521 ef1ae6390742 mod_http_oauth2: Add some words about supported flows and defaults Kim Alvefur <zash@zash.se> parents: 5520 diff changeset	237 The [Proof Key for Code Exchange][RFC 7636] mitigation method is
ef1ae6390742 mod_http_oauth2: Add some words about supported flows and defaults Kim Alvefur <zash@zash.se> parents: 5520 diff changeset	238 optional by default but can be made required:
5383 df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5328 diff changeset	239
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5328 diff changeset	240 ```lua
5521 ef1ae6390742 mod_http_oauth2: Add some words about supported flows and defaults Kim Alvefur <zash@zash.se> parents: 5520 diff changeset	241 oauth2_require_code_challenge = true -- default is false
5383 df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5328 diff changeset	242 ```
df11a2cbc7b7 mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange Kim Alvefur <zash@zash.se> parents: 5328 diff changeset	243
5384 b40f29ec391a mod_http_oauth2: Allow configuring PKCE challenge methods Kim Alvefur <zash@zash.se> parents: 5383 diff changeset	244 Further, individual challenge methods can be enabled or disabled:
b40f29ec391a mod_http_oauth2: Allow configuring PKCE challenge methods Kim Alvefur <zash@zash.se> parents: 5383 diff changeset	245
b40f29ec391a mod_http_oauth2: Allow configuring PKCE challenge methods Kim Alvefur <zash@zash.se> parents: 5383 diff changeset	246 ```lua
5521 ef1ae6390742 mod_http_oauth2: Add some words about supported flows and defaults Kim Alvefur <zash@zash.se> parents: 5520 diff changeset	247 -- These reflects the default
5384 b40f29ec391a mod_http_oauth2: Allow configuring PKCE challenge methods Kim Alvefur <zash@zash.se> parents: 5383 diff changeset	248 allowed_oauth2_code_challenge_methods = {
b40f29ec391a mod_http_oauth2: Allow configuring PKCE challenge methods Kim Alvefur <zash@zash.se> parents: 5383 diff changeset	249 "plain"; -- the insecure one
b40f29ec391a mod_http_oauth2: Allow configuring PKCE challenge methods Kim Alvefur <zash@zash.se> parents: 5383 diff changeset	250 "S256";
b40f29ec391a mod_http_oauth2: Allow configuring PKCE challenge methods Kim Alvefur <zash@zash.se> parents: 5383 diff changeset	251 }
b40f29ec391a mod_http_oauth2: Allow configuring PKCE challenge methods Kim Alvefur <zash@zash.se> parents: 5383 diff changeset	252 ```
b40f29ec391a mod_http_oauth2: Allow configuring PKCE challenge methods Kim Alvefur <zash@zash.se> parents: 5383 diff changeset	253
5408 3989c57cc551 mod_http_oauth2: Allow configuring links to policy and terms in metadata Kim Alvefur <zash@zash.se> parents: 5384 diff changeset	254 ### Policy documents
3989c57cc551 mod_http_oauth2: Allow configuring links to policy and terms in metadata Kim Alvefur <zash@zash.se> parents: 5384 diff changeset	255
3989c57cc551 mod_http_oauth2: Allow configuring links to policy and terms in metadata Kim Alvefur <zash@zash.se> parents: 5384 diff changeset	256 Links to Terms of Service and Service Policy documents can be advertised
3989c57cc551 mod_http_oauth2: Allow configuring links to policy and terms in metadata Kim Alvefur <zash@zash.se> parents: 5384 diff changeset	257 for use by OAuth clients:
3989c57cc551 mod_http_oauth2: Allow configuring links to policy and terms in metadata Kim Alvefur <zash@zash.se> parents: 5384 diff changeset	258
3989c57cc551 mod_http_oauth2: Allow configuring links to policy and terms in metadata Kim Alvefur <zash@zash.se> parents: 5384 diff changeset	259 ```lua
3989c57cc551 mod_http_oauth2: Allow configuring links to policy and terms in metadata Kim Alvefur <zash@zash.se> parents: 5384 diff changeset	260 oauth2_terms_url = "https://example.com/terms-of-service.html"
3989c57cc551 mod_http_oauth2: Allow configuring links to policy and terms in metadata Kim Alvefur <zash@zash.se> parents: 5384 diff changeset	261 oauth2_policy_url = "https://example.com/service-policy.pdf"
5521 ef1ae6390742 mod_http_oauth2: Add some words about supported flows and defaults Kim Alvefur <zash@zash.se> parents: 5520 diff changeset	262 -- These are unset by default
5408 3989c57cc551 mod_http_oauth2: Allow configuring links to policy and terms in metadata Kim Alvefur <zash@zash.se> parents: 5384 diff changeset	263 ```
3989c57cc551 mod_http_oauth2: Allow configuring links to policy and terms in metadata Kim Alvefur <zash@zash.se> parents: 5384 diff changeset	264
5313 80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	265 ## Deployment notes
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	266
5313 80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	267 ### Access management
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	268
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	269 This module does not provide an interface for users to manage what they have
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	270 granted access to their account! (e.g. to view and revoke clients they have
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	271 previously authorized). It is recommended to join this module with
5508 56803acfa638 mod_http_oauth2: Linkify mod_client_management in README Kim Alvefur <zash@zash.se> parents: 5507 diff changeset	272 [mod_client_management] to provide such access. However, at the time of writing,
5313 80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	273 no XMPP clients currently support the protocol used by that module. We plan to
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	274 work on additional interfaces in the future.
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	275
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	276 ### Scopes
3903 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	277
5313 80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	278 OAuth supports "scopes" as a way to grant clients limited access.
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	279
5467 1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	280 There are currently no standard scopes defined for XMPP. This is
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	281 something that we intend to change, e.g. by definitions provided in a
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	282 future XEP. This means that clients you authorize currently have to
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	283 choose between unrestricted access to your account (including the
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	284 ability to change your password and lock you out!) and zero access. So,
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	285 for now, while using OAuth clients can prevent leaking your password to
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	286 them, it is not currently suitable for connecting untrusted clients to
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	287 your account.
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	288
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	289 As a first step, the `xmpp` scope is supported, and corresponds to
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	290 whatever permissions the user would have when logged in over XMPP.
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	291
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	292 Further, known Prosody roles can be used as scopes.
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	293
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	294 OpenID scopes such as `openid` and `profile` can be used for "Login
1c78a97a1091 mod_http_oauth2: Add a special "xmpp" scope that grants the users' default role Kim Alvefur <zash@zash.se> parents: 5465 diff changeset	295 with XMPP" without granting access to more than limited profile details.
5313 80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	296
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	297 ## Compatibility
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	298
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	299 Requires Prosody trunk (April 2023), not compatible with Prosody 0.12 or
80ecba092027 mod_http_oauth2: README: Updated documentation to reflect module status Matthew Wild <mwild1@gmail.com> parents: 5212 diff changeset	300 earlier.

Mercurial > prosody-modules

annotate mod_http_oauth2/README.markdown @ 5615:308b5b117379