Mercurial > prosody-modules
comparison mod_http_oauth2/README.markdown @ 5858:761142ee0ff2
mod_http_oauth2: Reflect changes to defaults etc
- Resource owner password grant was disabled by default
- Tokens now include a hash of client_id making it possible to be
reasonable sure that they were issued to a particular client
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 05 Mar 2024 00:32:00 +0100 |
| parents | 426c42c11f89 |
| children |
comparison
equal
deleted
inserted
replaced
| 5857:ff90dad75352 | 5858:761142ee0ff2 |
|---|---|
| 100 | 100 |
| 101 To allow users to connect any compatible software, you should enable dynamic | 101 To allow users to connect any compatible software, you should enable dynamic |
| 102 client registration. | 102 client registration. |
| 103 | 103 |
| 104 Dynamic client registration can be enabled by configuring a JWT key. Algorithm | 104 Dynamic client registration can be enabled by configuring a JWT key. Algorithm |
| 105 defaults to *HS256* lifetime defaults to forever. | 105 defaults to *HS256*, lifetime defaults to forever. |
| 106 | 106 |
| 107 ```lua | 107 ```lua |
| 108 oauth2_registration_key = "securely generated JWT key here" | 108 oauth2_registration_key = "securely generated JWT key here" |
| 109 oauth2_registration_algorithm = "HS256" | 109 oauth2_registration_algorithm = "HS256" |
| 110 oauth2_registration_ttl = nil -- unlimited by default | 110 oauth2_registration_ttl = nil -- unlimited by default |
| 200 | 200 |
| 201 ### Supported flows | 201 ### Supported flows |
| 202 | 202 |
| 203 - Authorization Code grant, optionally with Proof Key for Code Exchange | 203 - Authorization Code grant, optionally with Proof Key for Code Exchange |
| 204 - Device Authorization Grant | 204 - Device Authorization Grant |
| 205 - Resource owner password grant *(likely to be phased out in the future)* | 205 - Resource owner password grant *(disabled by default)* |
| 206 - Implicit flow *(disabled by default)* | 206 - Implicit flow *(disabled by default)* |
| 207 - Refresh Token grants | 207 - Refresh Token grants |
| 208 | 208 |
| 209 Various flows can be disabled and enabled with | 209 Various flows can be disabled and enabled with |
| 210 `allowed_oauth2_grant_types` and `allowed_oauth2_response_types`: | 210 `allowed_oauth2_grant_types` and `allowed_oauth2_response_types`: |
| 212 ```lua | 212 ```lua |
| 213 -- These examples reflect the defaults | 213 -- These examples reflect the defaults |
| 214 allowed_oauth2_grant_types = { | 214 allowed_oauth2_grant_types = { |
| 215 "authorization_code"; -- authorization code grant | 215 "authorization_code"; -- authorization code grant |
| 216 "device_code"; | 216 "device_code"; |
| 217 "password"; -- resource owner password grant | 217 -- "password"; -- resource owner password grant disabled by default |
| 218 } | 218 } |
| 219 | 219 |
| 220 allowed_oauth2_response_types = { | 220 allowed_oauth2_response_types = { |
| 221 "code"; -- authorization code flow | 221 "code"; -- authorization code flow |
| 222 -- "token"; -- implicit flow disabled by default | 222 -- "token"; -- implicit flow disabled by default |