prosody-modules: comparison mod_http_oauth2/README.markdown @ 5716:426c42c11f89
mod_http_oauth2: Make defaults more secure
This should be fine since we don't have a lot of clients to be
backwards-compatible with.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 14 Nov 2023 23:19:19 +0100 |
parents | b43c989fb69c |
children | 761142ee0ff2 |
5715:8488ebde5739 | 5716:426c42c11f89 |
---|---|
222 -- "token"; -- implicit flow disabled by default | 222 -- "token"; -- implicit flow disabled by default |
223 } | 223 } |
224 ``` | 224 ``` |
225 | 225 |
226 The [Proof Key for Code Exchange][RFC 7636] mitigation method is | 226 The [Proof Key for Code Exchange][RFC 7636] mitigation method is |
227 optional by default but can be made required: | 227 required by default but can be made optional: |
228 | 228 |
229 ```lua | 229 ```lua |
230 oauth2_require_code_challenge = true -- default is false | 230 oauth2_require_code_challenge = false -- default is true |
231 ``` | 231 ``` |
232 | 232 |
233 Further, individual challenge methods can be enabled or disabled: | 233 Further, individual challenge methods can be enabled or disabled: |
234 | 234 |
235 ```lua | 235 ```lua |
236 -- These reflects the default | 236 -- These reflects the default |
237 allowed_oauth2_code_challenge_methods = { | 237 allowed_oauth2_code_challenge_methods = { |
238 "plain"; -- the insecure one | 238 -- "plain"; -- insecure but backwards-compatible |
239 "S256"; | 239 "S256"; |
240 } | 240 } |
241 ``` | 241 ``` |
242 | 242 |
243 ### Policy documents | 243 ### Policy documents |
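Review bot: the comment on new line 236, `-- These reflects the default`, is ungrammatical and is carried over unchanged even though this change edits the block it heads; make it `-- This reflects the default`. Since line 227 now reads "required by default" and line 238 drops `"plain"` from the default list, the README should also say in one sentence near line 230 that after upgrading, authorization requests carrying no code challenge, or only a `plain` one, will be refused unless the operator sets `oauth2_require_code_challenge = false` or re-adds `"plain"`, and that re-adding `"plain"` is the less secure of the two options; otherwise operators only learn the new default from the commit message.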