view mod_auth_oauthbearer/README.markdown @ 5549:01a0b67a9afd

mod_http_oauth2: Add TODO about disabling password grant Per recommendation in draft-ietf-oauth-security-topics-23 it should at the very least be disabled by default. However since this is used by the Snikket web portal some care needs to be taken not to break this, unless it's already broken by other changes to this module.
author Kim Alvefur <zash@zash.se>
date Fri, 16 Jun 2023 00:06:53 +0200
parents 1a1affd22f74
children
line wrap: on
line source

---
labels:
- 'Type-Auth'
summary: OAuth authentication
...

Introduction
============

This is an authentication module for the SASL OAUTHBEARER mechanism, as provided by `mod_sasl_oauthbearer`.

You can use this to log in via OAuth, for example if you want your user's to log in with Github, Twitter, Reddit etc.

The XMPP client needs get an OAuth token from the provider (e.g. Github) and send that to Prosody.
This module will then verify that token by calling the `oauth_url` you've configured.

Configuration
=============

Per VirtualHost, you'll need to supply your OAuth client Id, secret and the URL which
Prosody must call in order to verify the OAuth token it receives from the XMPP client.

For example, for Github:

	oauth_client_id = "13f8e9cc8928b3409822"
	oauth_client_secret = "983161fd3ah608ea7ef35382668aad1927463978"
	oauth_url = "https://api.github.com/applications/{{oauth_client_id}}/tokens/{{password}}";

	authentication = "oauthbearer"