annotate mod_http_oauth2/README.markdown @ 5256:44f7edd4f845

mod_http_oauth2: Reject non-local hosts in more code paths We're not issuing tokens for users on remote hosts, we can't even authenticate them since they're remote. Thus the host is always the local module.host so no need to pass around the host in most cases or use it for anything but enforcing the same host.
author Kim Alvefur <zash@zash.se>
date Thu, 16 Mar 2023 17:52:10 +0100
parents 3235b8bd1e55
children 80ecba092027
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
3903
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1 ---
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
2 labels:
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
3 - Stage-Alpha
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
4 summary: 'OAuth2 API'
5212
3235b8bd1e55 mod_http_oauth2: Include html templates in package for plugin installer
Kim Alvefur <zash@zash.se>
parents: 5197
diff changeset
5 rockspec:
3235b8bd1e55 mod_http_oauth2: Include html templates in package for plugin installer
Kim Alvefur <zash@zash.se>
parents: 5197
diff changeset
6 build:
3235b8bd1e55 mod_http_oauth2: Include html templates in package for plugin installer
Kim Alvefur <zash@zash.se>
parents: 5197
diff changeset
7 copy_directories:
3235b8bd1e55 mod_http_oauth2: Include html templates in package for plugin installer
Kim Alvefur <zash@zash.se>
parents: 5197
diff changeset
8 - html
3903
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
9 ...
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
11 Introduction
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
12 ============
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
13
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
14 This module is a work-in-progress intended for developers only!
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
15
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
16 Configuration
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
17 =============
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
18
5197
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
19 Dynamic client registration enabled by configuring a JWT key. Algorithm
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
20 defaults to *HS256*.
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
21
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
22 ```lua
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
23 oauth2_registration_key = "securely generated JWT key here"
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
24 oauth2_registration_algorithm = "HS256"
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
25 oauth2_registration_options = { default_ttl = 60 * 60 * 24 * 90 }
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
26 ```
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
27
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
28 Various flows can be disabled and enabled with
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
29 `allowed_oauth2_grant_types` and `allowed_oauth2_response_types`:
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
30
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
31 ```lua
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
32 allowed_oauth2_grant_types = {
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
33 "authorization_code"; -- authorization code grant
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
34 "password"; -- resource owner password grant
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
35 }
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
36
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
37 allowed_oauth2_response_types = {
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
38 "code"; -- authorization code flow
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
39 -- "token"; -- implicit flow disabled by default
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
40 }
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
41 ```
164a9875935b mod_http_oauth2/README: Document config options
Kim Alvefur <zash@zash.se>
parents: 4924
diff changeset
42
3903
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
43
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
44 Compatibility
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
45 =============
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
46
4924
df3d521e3c39 mod_http_oauth2/README: Update Compatibility section to mention 0.12
Kim Alvefur <zash@zash.se>
parents: 3903
diff changeset
47 Requires Prosody 0.12+ or trunk.