comparison mod_http_oauth2/README.markdown @ 5521:ef1ae6390742

mod_http_oauth2: Add some words about supported flows and defaults
author Kim Alvefur <zash@zash.se>
date Wed, 07 Jun 2023 01:51:23 +0200
parents 67448e677706
children fcef6263acdb
5520:67448e677706 5521:ef1ae6390742
173 ' 173 '
174 ``` 174 ```
175 175
176 ### Supported flows 176 ### Supported flows
177 177
178 - Authorization Code grant, optionally with Proof Key for Code Exchange
179 - Resource owner password grant
180 - Implicit flow *(disabled by default)*
181 - Refresh Token grants
182
178 Various flows can be disabled and enabled with 183 Various flows can be disabled and enabled with
179 `allowed_oauth2_grant_types` and `allowed_oauth2_response_types`: 184 `allowed_oauth2_grant_types` and `allowed_oauth2_response_types`:
180 185
181 ```lua 186 ```lua
187 -- These examples reflect the defaults
182 allowed_oauth2_grant_types = { 188 allowed_oauth2_grant_types = {
183 "authorization_code"; -- authorization code grant 189 "authorization_code"; -- authorization code grant
184 "password"; -- resource owner password grant 190 "password"; -- resource owner password grant
185 } 191 }
186 192
188 "code"; -- authorization code flow 194 "code"; -- authorization code flow
189 -- "token"; -- implicit flow disabled by default 195 -- "token"; -- implicit flow disabled by default
190 } 196 }
191 ``` 197 ```
192 198
193 The [Proof Key for Code Exchange][RFC 7636] mitigation method can be 199 The [Proof Key for Code Exchange][RFC 7636] mitigation method is
194 made required: 200 optional by default but can be made required:
195 201
196 ```lua 202 ```lua
197 oauth2_require_code_challenge = true 203 oauth2_require_code_challenge = true -- default is false
198 ``` 204 ```
199 205
200 Further, individual challenge methods can be enabled or disabled: 206 Further, individual challenge methods can be enabled or disabled:
201 207
202 ```lua 208 ```lua
209 -- These reflects the default
203 allowed_oauth2_code_challenge_methods = { 210 allowed_oauth2_code_challenge_methods = {
204 "plain"; -- the insecure one 211 "plain"; -- the insecure one
205 "S256"; 212 "S256";
206 } 213 }
207 ``` 214 ```
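Review bot: the new "Supported flows" list names Refresh Token grants, but the `allowed_oauth2_grant_types` example directly below it, which the added comment `-- These examples reflect the defaults` now presents as the default set, lists only `"authorization_code"` and `"password"`; either add a `"refresh_token"` entry to that example or state that refresh tokens are not governed by this option, otherwise the two parts of the section contradict each other. The comment `-- These reflects the default` on the `allowed_oauth2_code_challenge_methods` block has a grammar error and should read `-- These reflect the defaults`, matching the wording used for the grant types block. Since `"plain"` is kept in the default list and is annotated only as "the insecure one", a short sentence telling operators that they can drop `"plain"` once all their clients support `"S256"`, and that `oauth2_require_code_challenge = true` is the stricter of the two settings just documented, would make the hardening path clearer.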
212 for use by OAuth clients: 219 for use by OAuth clients:
213 220
214 ```lua 221 ```lua
215 oauth2_terms_url = "https://example.com/terms-of-service.html" 222 oauth2_terms_url = "https://example.com/terms-of-service.html"
216 oauth2_policy_url = "https://example.com/service-policy.pdf" 223 oauth2_policy_url = "https://example.com/service-policy.pdf"
224 -- These are unset by default
217 ``` 225 ```
218 226
219 ## Deployment notes 227 ## Deployment notes
220 228
221 ### Access management 229 ### Access management
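Review bot: the added comment `-- These are unset by default` sits after the two assignments in the `oauth2_terms_url` / `oauth2_policy_url` block, whereas every other block in this change places its "reflects the defaults" comment on the first line of the block; moving it to the top of the block keeps the convention consistent and makes it obvious that the example URLs are placeholders rather than shipped values.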