Mercurial > prosody-modules
annotate mod_s2s_auth_posh/README.markdown @ 5616:59d5fc50f602
mod_http_oauth2: Implement refresh token rotation
Makes refresh tokens one-time-use, handing out a new refresh token with
each access token. Thus if a refresh token is stolen and used by an
attacker, the next time the legitimate client tries to use the previous
refresh token, it will not work and the attack will be noticed. If the
attacker does not use the refresh token, it becomes invalid after the
legitimate client uses it.
This behavior is recommended by draft-ietf-oauth-security-topics
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 23 Jul 2023 02:56:08 +0200 |
| parents | 517c7f0333e3 |
| children |
| rev | line source |
|---|---|
|
3206
d57635562216
mod_s2s_auth_posh: Beginnings of a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 --- |
|
d57635562216
mod_s2s_auth_posh: Beginnings of a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 labels: |
|
d57635562216
mod_s2s_auth_posh: Beginnings of a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 - 'Type-S2SAuth' |
|
d57635562216
mod_s2s_auth_posh: Beginnings of a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 --- |
|
d57635562216
mod_s2s_auth_posh: Beginnings of a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 |
|
d57635562216
mod_s2s_auth_posh: Beginnings of a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 Introduction |
|
d57635562216
mod_s2s_auth_posh: Beginnings of a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 ============ |
|
d57635562216
mod_s2s_auth_posh: Beginnings of a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 |
|
d57635562216
mod_s2s_auth_posh: Beginnings of a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 [PKIX over Secure HTTP (POSH)][rfc7711] describes a method of |
|
d57635562216
mod_s2s_auth_posh: Beginnings of a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 securely delegating a domain to a hosting provider, without that hosting |
|
d57635562216
mod_s2s_auth_posh: Beginnings of a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 provider needing keys and certificates covering the hosted domain. |
|
d57635562216
mod_s2s_auth_posh: Beginnings of a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 |
|
3225
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3206
diff
changeset
|
13 # Validating |
|
3206
d57635562216
mod_s2s_auth_posh: Beginnings of a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 |
|
d57635562216
mod_s2s_auth_posh: Beginnings of a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 This module performs POSH validation of other servers. It is *not* |
|
d57635562216
mod_s2s_auth_posh: Beginnings of a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 needed to delegate your own domain. |
|
3225
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3206
diff
changeset
|
17 |
|
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3206
diff
changeset
|
18 # Delegation |
|
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3206
diff
changeset
|
19 |
|
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3206
diff
changeset
|
20 You can generate the JSON delegation file from a certificate by running |
|
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3206
diff
changeset
|
21 `prosodyctl mod_s2s_auth_posh /path/to/example.crt`. This file needs to |
|
517c7f0333e3
mod_s2s_auth_posh: Add a command for generating the JSON file
Kim Alvefur <zash@zash.se>
parents:
3206
diff
changeset
|
22 be served at `https://example.com/.well-known/posh/xmpp-server.json`. |