Mercurial > prosody-modules
annotate mod_http_authentication/README.markdown @ 5682:527c747711f3
mod_http_oauth2: Limit revocation to clients own tokens in strict mode
RFC 7009 section 2.1 states:
> The authorization server first validates the client credentials (in
> case of a confidential client) and then verifies whether the token was
> issued to the client making the revocation request. If this
> validation fails, the request is refused and the client is informed of
> the error by the authorization server as described below.
The first part was already covered (in strict mode). This adds the later
part using the hash of client_id recorded in 0860497152af
It still seems weird to me that revoking a leaked token should not be
allowed whoever might have discovered it, as that seems the responsible
thing to do.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 29 Oct 2023 11:30:49 +0100 |
| parents | b19d64dd4c66 |
| children |
| rev | line source |
|---|---|
|
2337
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
1 --- |
|
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
2 labels: |
|
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
3 - 'Stage-Beta' |
|
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
4 summary: Enforces HTTP Basic authentication across all HTTP endpoints served by Prosody |
|
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
5 ... |
|
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
6 |
|
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
7 # mod_http_authentication |
|
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
8 |
|
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
9 This module enforces HTTP Basic authentication across all HTTP endpoints served by Prosody. |
|
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
10 |
|
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
11 ## Configuration |
|
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
12 |
|
3019
b19d64dd4c66
mod_http_authentication/README: Change name of config option to match the code
Kim Alvefur <zash@zash.se>
parents:
3012
diff
changeset
|
13 Name Default Description |
|
b19d64dd4c66
mod_http_authentication/README: Change name of config option to match the code
Kim Alvefur <zash@zash.se>
parents:
3012
diff
changeset
|
14 ---------------------------------- --------------------------------- -------------------------------------------------------------------------------------------------------------------------------------- |
|
b19d64dd4c66
mod_http_authentication/README: Change name of config option to match the code
Kim Alvefur <zash@zash.se>
parents:
3012
diff
changeset
|
15 http\_credentials "minddistrict:secretpassword" The credentials that HTTP clients must provide to access the HTTP interface. Should be a string with the syntax "username:password". |
|
b19d64dd4c66
mod_http_authentication/README: Change name of config option to match the code
Kim Alvefur <zash@zash.se>
parents:
3012
diff
changeset
|
16 unauthenticated\_http\_endpoints { "/http-bind", "/http-bind/" } A list of paths that should be excluded from authentication. |
|
2337
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
17 |
|
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
18 ## Usage |
|
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
19 |
|
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
20 This is a global module, so should be added to the global `modules_enabled` option in your config file. It applies to all HTTP virtual hosts. |
|
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
21 |
|
3012
1380ae0e003f
mod_http_authentication: Replace 'Known issues' section with Compatibility since the issue referenced has been resolved
Kim Alvefur <zash@zash.se>
parents:
2337
diff
changeset
|
22 ## Compatibility |
|
2337
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
23 |
|
3012
1380ae0e003f
mod_http_authentication: Replace 'Known issues' section with Compatibility since the issue referenced has been resolved
Kim Alvefur <zash@zash.se>
parents:
2337
diff
changeset
|
24 The module use a new API in Prosody 0.10 and will not work with older |
|
1380ae0e003f
mod_http_authentication: Replace 'Known issues' section with Compatibility since the issue referenced has been resolved
Kim Alvefur <zash@zash.se>
parents:
2337
diff
changeset
|
25 versions. |
|
2337
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
26 |
|
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
27 ## Details |
|
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
28 |
|
c6e86b74f62e
Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff
changeset
|
29 By Kim Alvefur \<zash@zash.se\> |