annotate mod_restrict_xmpp/README.markdown @ 5796:93d6e9026c1b

mod_http_oauth2: Do not enforce PKCE on Device and OOB flows

PKCE does not appear to be used with the Device flow. I have found no mention of any interaction between those standards. Since no data is delivered via redirects in these cases, PKCE may not serve any purpose. This is mostly a problem because we reuse the authorization code to implement the Device and OOB flows.
author Kim Alvefur <zash@zash.se>
date Fri, 15 Dec 2023 12:10:07 +0100
parents 62654f523c6a
children
rev   line source
5009
459a4001c1d9 mod_restrict_xmpp: XMPP-layer access control using Prosody's permissions API
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1 ---
2 labels:
3 - Stage-Alpha
4 summary: XMPP-layer access control for Prosody
5 ---
6
7 Introduction
8 ============
9
10 This module enforces access policies using Prosody's new [roles and
11 permissions framework](https://prosody.im/doc/developers/permissions). It can
12 be used to grant restricted access to an XMPP account or services.
13
14 This module is still in its early stages, and prone to change. Feedback from
15 testers is welcome. At this early stage, it should not be solely relied upon
16 for account security purposes.
17
18 Configuration
19 =============
20
21 There is no configuration, apart from Prosody's normal roles and permissions
22 configuration.
23
24 Permissions
25 ===========
26
27 `xmpp:federate`
5768
62654f523c6a mod_restrict_xmpp/README: Fix definition list rendering
Kim Alvefur <zash@zash.se>
parents: 5009
diff changeset
28 : Communicate with other users and services on other hosts on the XMPP
29 network
30
5009
31 `xmpp:account:messages:read`
5768
32 : Read incoming messages
33
5009
34 `xmpp:account:messages:write`
5768
35 : Send outgoing messages
36
5009
37 `xmpp:account:presence:write`
5768
38 : Update presence for the account
39
5009
40 `xmpp:account:contacts:read`/`xmpp:account:contacts:write`
5768
41 : Controls access to the contact list (roster)
42
5009
43 `xmpp:account:bookmarks:read`/`xmpp:account:bookmarks:write`
5768
44 : Controls access to the bookmarks (group chats list)
45
5009
46 `xmpp:account:profile:read`/`xmpp:account:profile:write`
5768
47 : Controls access to the user's profile (e.g. vCard/avatar)
48
5009
49 `xmpp:account:omemo:read`/`xmpp:account:omemo:write`
5768
50 : Controls access to the user's OMEMO data
51
5009
52 `xmpp:account:blocklist:read`/`xmpp:account:blocklist:write`
5768
53 : Controls access to the user's block list
54
5009
55 `xmpp:account:disco:read`
5768
56 : Controls access to the user's service discovery information
5009
57
58 Compatibility
59 =============
60
61 Requires Prosody trunk 72f431b4dc2c (build 1444) or later.