Mercurial > prosody-modules
comparison mod_http_oauth2/README.markdown @ 5716:426c42c11f89
mod_http_oauth2: Make defaults more secure
This should be fine since we don't have a lot of clients to be
backwards-compatible with.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 14 Nov 2023 23:19:19 +0100 |
| parents | b43c989fb69c |
| children |
comparison
equal
deleted
inserted
replaced
| 5715:8488ebde5739 | 5716:426c42c11f89 |
|---|---|
| 222 -- "token"; -- implicit flow disabled by default | 222 -- "token"; -- implicit flow disabled by default |
| 223 } | 223 } |
| 224 ``` | 224 ``` |
| 225 | 225 |
| 226 The [Proof Key for Code Exchange][RFC 7636] mitigation method is | 226 The [Proof Key for Code Exchange][RFC 7636] mitigation method is |
| 227 optional by default but can be made required: | 227 required by default but can be made optional: |
| 228 | 228 |
| 229 ```lua | 229 ```lua |
| 230 oauth2_require_code_challenge = true -- default is false | 230 oauth2_require_code_challenge = false -- default is true |
| 231 ``` | 231 ``` |
| 232 | 232 |
| 233 Further, individual challenge methods can be enabled or disabled: | 233 Further, individual challenge methods can be enabled or disabled: |
| 234 | 234 |
| 235 ```lua | 235 ```lua |
| 236 -- These reflects the default | 236 -- These reflects the default |
| 237 allowed_oauth2_code_challenge_methods = { | 237 allowed_oauth2_code_challenge_methods = { |
| 238 "plain"; -- the insecure one | 238 -- "plain"; -- insecure but backwards-compatible |
| 239 "S256"; | 239 "S256"; |
| 240 } | 240 } |
| 241 ``` | 241 ``` |
| 242 | 242 |
| 243 ### Policy documents | 243 ### Policy documents |