comparison mod_auth_oauth_external/README.md @ 5345:3390bb2f9f6c

mod_auth_oauth_external: Support PLAIN via resource owner password grant

Might not be supported by the backend but PLAIN is the lowest common denominator, so not having it would lock out a lot of clients.
author Kim Alvefur <zash@zash.se>
date Thu, 16 Mar 2023 12:45:52 +0100
parents 0a6d2b79a8bf
children d9bc8712a745
5344:0a6d2b79a8bf 5345:3390bb2f9f6c
5 --- 5 ---
6 6
7 This module provides external authentication via an external [AOuth 7 This module provides external authentication via an external [AOuth
8 2](https://datatracker.ietf.org/doc/html/rfc7628) authorization server 8 2](https://datatracker.ietf.org/doc/html/rfc7628) authorization server
9 and supports the [SASL OAUTHBEARER authentication][rfc7628] 9 and supports the [SASL OAUTHBEARER authentication][rfc7628]
10 mechanism. 10 mechanism as well as PLAIN for legacy clients (this is all of them).
11 11
12 # How it works 12 # How it works
13 13
14 Clients retrieve tokens somehow, then show them to Prosody, which asks 14 Clients retrieve tokens somehow, then show them to Prosody, which asks
15 the Authorization server to validate them, returning info about the user 15 the Authorization server to validate them, returning info about the user
16 back to Prosody. 16 back to Prosody.
17
18 Alternatively for legacy clients, Prosody receives the users username
19 and password and retrieves a token itself, then proceeds as above.
17 20
18 # Configuration 21 # Configuration
19 22
20 `oauth_external_discovery_url` 23 `oauth_external_discovery_url`
21 : Optional URL string pointing to [OAuth 2.0 Authorization Server 24 : Optional URL string pointing to [OAuth 2.0 Authorization Server
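Review bot: the new "How it works" paragraph (new lines 18-19) should state plainly that on this path Prosody itself receives the user's cleartext password and forwards it to the token endpoint, which is exactly the property the OAUTHBEARER flow described just above avoids and the reason the Configuration section labels the grant insecure; an admin deciding whether to leave PLAIN enabled needs that here, not only in the option list. Two wording fixes on the same lines: "the users username" should be "the user's username", and the parenthetical "(this is all of them)" reads as a joke in reference documentation, so something like "which at present means most clients" would be clearer. Since line 7 is already touched, "[AOuth 2](https://datatracker.ietf.org/doc/html/rfc7628)" carries both a typo and a mismatched link: the OAuth 2.0 framework is RFC 6749 (the same document the Configuration section links for the token endpoint at rfc6749#section-3.2), while RFC 7628 is the SASL mechanism that the `[rfc7628]` reference on line 9 already points to.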
33 `oauth_external_username_field` 36 `oauth_external_username_field`
34 : String. Default is `"preferred_username"`. Field in the JSON 37 : String. Default is `"preferred_username"`. Field in the JSON
35 structure returned by the validation endpoint that contains the XMPP 38 structure returned by the validation endpoint that contains the XMPP
36 localpart. 39 localpart.
37 40
41 ## For SASL PLAIN
42
43 `oauth_external_resource_owner_password`
44 : Boolean. Defaults to `true`. Whether to allow the *insecure*
45 resource owner password grant and SASL PLAIN.
46
47 `oauth_external_token_endpoint`
48 : URL string. OAuth 2 [Token
49 Endpoint](https://www.rfc-editor.org/rfc/rfc6749#section-3.2) used
50 to retrieve token in order to then retrieve the username.
51
52 `oauth_external_client_id`
53 : String. Client ID used to identify Prosody during the resource owner
54 password grant.
55
38 # Compatibility 56 # Compatibility
39 57
40 Version Status 58 Version Status
41 --------- --------------- 59 --------- ---------------
42 trunk works 60 trunk works
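Review bot: `oauth_external_resource_owner_password` is documented as enabling an *insecure* grant yet defaults to `true`, so every deployment accepts SASL PLAIN and performs the resource owner password grant unless the admin explicitly opts out; either default it to `false` (the commit message itself notes the backend may not support the grant at all) or give the reason for the opt-out default next to the option so admins can make an informed choice. The `oauth_external_token_endpoint` entry should also say whether it is required or can be derived when `oauth_external_discovery_url` is set, since the discovery URL is documented as optional and the entry gives no default or fallback, and `oauth_external_client_id` is listed without any corresponding client secret, so state whether Prosody is expected to be registered as a public client at the token endpoint. Minor: "used to retrieve token" should read "used to retrieve a token".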