annotate mod_sasl2_fast/README.md @ 5222:578a72982bb2

mod_http_oauth2: Separate extracting credentials from requests and verifying The token endpoint also uses Basic auth, but the password would be the client_secret, so we need to verify against that instead of using test_password(). Splitting this up here avoids code duplication. Possibly this new function could go into util.http...
author Matthew Wild <mwild1@gmail.com>
date Tue, 07 Mar 2023 15:18:41 +0000
parents 745c7f4cca40
children 70fa3f8de249
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
5092
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1 ---
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
2 labels:
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
3 - Stage-Beta
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
4 summary: "Fast Authentication Streamlining Tokens"
5095
745c7f4cca40 mod_sasl2_fast: Add explicit dependency on mod_sasl2
Kim Alvefur <zash@zash.se>
parents: 5092
diff changeset
5 rockspec:
745c7f4cca40 mod_sasl2_fast: Add explicit dependency on mod_sasl2
Kim Alvefur <zash@zash.se>
parents: 5092
diff changeset
6 dependencies:
745c7f4cca40 mod_sasl2_fast: Add explicit dependency on mod_sasl2
Kim Alvefur <zash@zash.se>
parents: 5092
diff changeset
7 - mod_sasl2
5092
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
8 ---
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
9
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10 This module implements a mechanism via which clients can exchange a password
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
11 for a secure token, improving security and streamlining future reconnections.
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
12
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
13 At the time of writing, the XEP that describes the FAST protocol is still
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
14 working its way through the XSF standards process. You can [view the FAST XEP
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
15 proposal here](https://xmpp.org/extensions/inbox/xep-fast.html).
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
16
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
17 This module depends on [mod_sasl2].
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
18
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
19 ## Configuration
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
20
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
21 | Name | Description | Default |
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
22 |---------------------------|--------------------------------------------------------|-----------------------|
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
23 | sasl2_fast_token_ttl | Default token expiry (seconds) | `86400*21` (21 days) |
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
24 | sasl2_fast_token_min_ttl | Time before tokens are eligible for rotation (seconds) | `86400` (1 day) |
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
25
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26 The `sasl2_fast_token_ttl` option determines the length of time a client can
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27 remain disconnected before being "logged out" and needing to authenticate with
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
28 a password. Clients must perform at least one FAST authentication within this
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29 period to remain active.
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
30
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
31 The `sasl2_fast_token_min_ttl` option defines how long before a token will be
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
32 rotated by the server. By default a token is rotated if it is older than 24
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
33 hours. This value should be less than `sasl2_fast_token_ttl` to prevent
6594e7a9a174 mod_sasl2_fast: Add README
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
34 clients being logged out unexpectedly.