Mercurial > prosody-modules
comparison mod_auth_oauth_external/README.md @ 5345:3390bb2f9f6c
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Might not be supported by the backend but PLAIN is the lowest common
denominator, so not having it would lock out a lot of clients.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 16 Mar 2023 12:45:52 +0100 |
| parents | 0a6d2b79a8bf |
| children | d9bc8712a745 |
comparison
equal
deleted
inserted
replaced
| 5344:0a6d2b79a8bf | 5345:3390bb2f9f6c |
|---|---|
| 5 --- | 5 --- |
| 6 | 6 |
| 7 This module provides external authentication via an external [AOuth | 7 This module provides external authentication via an external [AOuth |
| 8 2](https://datatracker.ietf.org/doc/html/rfc7628) authorization server | 8 2](https://datatracker.ietf.org/doc/html/rfc7628) authorization server |
| 9 and supports the [SASL OAUTHBEARER authentication][rfc7628] | 9 and supports the [SASL OAUTHBEARER authentication][rfc7628] |
| 10 mechanism. | 10 mechanism as well as PLAIN for legacy clients (this is all of them). |
| 11 | 11 |
| 12 # How it works | 12 # How it works |
| 13 | 13 |
| 14 Clients retrieve tokens somehow, then show them to Prosody, which asks | 14 Clients retrieve tokens somehow, then show them to Prosody, which asks |
| 15 the Authorization server to validate them, returning info about the user | 15 the Authorization server to validate them, returning info about the user |
| 16 back to Prosody. | 16 back to Prosody. |
| 17 | |
| 18 Alternatively for legacy clients, Prosody receives the users username | |
| 19 and password and retrieves a token itself, then proceeds as above. | |
| 17 | 20 |
| 18 # Configuration | 21 # Configuration |
| 19 | 22 |
| 20 `oauth_external_discovery_url` | 23 `oauth_external_discovery_url` |
| 21 : Optional URL string pointing to [OAuth 2.0 Authorization Server | 24 : Optional URL string pointing to [OAuth 2.0 Authorization Server |
| 33 `oauth_external_username_field` | 36 `oauth_external_username_field` |
| 34 : String. Default is `"preferred_username"`. Field in the JSON | 37 : String. Default is `"preferred_username"`. Field in the JSON |
| 35 structure returned by the validation endpoint that contains the XMPP | 38 structure returned by the validation endpoint that contains the XMPP |
| 36 localpart. | 39 localpart. |
| 37 | 40 |
| 41 ## For SASL PLAIN | |
| 42 | |
| 43 `oauth_external_resource_owner_password` | |
| 44 : Boolean. Defaults to `true`. Whether to allow the *insecure* | |
| 45 resource owner password grant and SASL PLAIN. | |
| 46 | |
| 47 `oauth_external_token_endpoint` | |
| 48 : URL string. OAuth 2 [Token | |
| 49 Endpoint](https://www.rfc-editor.org/rfc/rfc6749#section-3.2) used | |
| 50 to retrieve token in order to then retrieve the username. | |
| 51 | |
| 52 `oauth_external_client_id` | |
| 53 : String. Client ID used to identify Prosody during the resource owner | |
| 54 password grant. | |
| 55 | |
| 38 # Compatibility | 56 # Compatibility |
| 39 | 57 |
| 40 Version Status | 58 Version Status |
| 41 --------- --------------- | 59 --------- --------------- |
| 42 trunk works | 60 trunk works |