comparison mod_http_oauth2/README.markdown @ 5716:426c42c11f89

mod_http_oauth2: Make defaults more secure

This should be fine since we don't have a lot of clients to be backwards-compatible with.
author Kim Alvefur <zash@zash.se>
date Tue, 14 Nov 2023 23:19:19 +0100
parents b43c989fb69c
children 761142ee0ff2
5715:8488ebde5739 5716:426c42c11f89
222 -- "token"; -- implicit flow disabled by default 222 -- "token"; -- implicit flow disabled by default
223 } 223 }
224 ``` 224 ```
225 225
226 The [Proof Key for Code Exchange][RFC 7636] mitigation method is 226 The [Proof Key for Code Exchange][RFC 7636] mitigation method is
227 optional by default but can be made required: 227 required by default but can be made optional:
228 228
229 ```lua 229 ```lua
230 oauth2_require_code_challenge = true -- default is false 230 oauth2_require_code_challenge = false -- default is true
231 ``` 231 ```
232 232
233 Further, individual challenge methods can be enabled or disabled: 233 Further, individual challenge methods can be enabled or disabled:
234 234
235 ```lua 235 ```lua
236 -- These reflects the default 236 -- These reflects the default
237 allowed_oauth2_code_challenge_methods = { 237 allowed_oauth2_code_challenge_methods = {
238 "plain"; -- the insecure one 238 -- "plain"; -- insecure but backwards-compatible
239 "S256"; 239 "S256";
240 } 240 }
241 ``` 241 ```
242 242
243 ### Policy documents 243 ### Policy documents
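Review bot: this comparison covers only README.markdown, so make sure the module's actual defaults (`oauth2_require_code_challenge` now `true`, `allowed_oauth2_code_challenge_methods` now `{ "S256" }`) are flipped in the same commit; otherwise the documentation promises a stricter default than the code enforces. Since the new default leaves `plain` commented out, the text at line 233 could state explicitly that an authorization request using `code_challenge_method=plain` is refused unless the operator re-enables it, which is the behaviour an operator upgrading from the old default will want to know about. Minor nit in the unchanged context: `-- These reflects the default` should read `-- This reflects the default`.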