Mercurial > prosody-modules

view mod_client_proxy/README.markdown @ 5193:2bb29ece216b

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_http_oauth2: Implement stateless dynamic client registration Replaces previous explicit registration that required either the additional module mod_adhoc_oauth2_client or manually editing the database. That method was enough to have something to test with, but would not probably not scale easily. Dynamic client registration allows creating clients on the fly, which may be even easier in theory. In order to not allow basically unauthenticated writes to the database, we implement a stateless model here. per_host_key := HMAC(config -> oauth2_registration_key, hostname) client_id := JWT { client metadata } signed with per_host_key client_secret := HMAC(per_host_key, client_id) This should ensure everything we need to know is part of the client_id, allowing redirects etc to be validated, and the client_secret can be validated with only the client_id and the per_host_key. A nonce injected into the client_id JWT should ensure nobody can submit the same client metadata and retrieve the same client_secret
author Kim Alvefur <zash@zash.se>
date Fri, 03 Mar 2023 21:14:19 +0100
parents 3dd7840cb923
children
line wrap: on
line source

---
labels:
- 'Stage-Alpha'
summary: 'Proxy multiple client resources behind a single component'
...

What it does
============

This module must be used as a component. For example:

    Component "proxy.domain.example" "client_proxy"
        target_address = "some-user@some-domain.example"

All IQ requests against the proxy host (in the above example:
proxy.domain.example) are sent to a random resource of the target address (in
the above example: some-user@some-domain.example). The entity behind the
target address is called the "implementing client".

The IQ requests are JAT-ed (JAT: Jabber Address Translation) so that when the
implementing client answers the IQ request, it is sent back to the component,
which reverts the translation and routes the reply back to the user.

Let us assume that user@some-domain.example sends a request. The
proxy.domain.example component has the client_proxy module loaded and proxies to
some-user@some-domain.example. some-user@some-domain.example has two resources,
/a and /b.

    user -> component:
        <iq type='get' id='1234' to='proxy.domain.example' from='user@some-domain.example/abc'>
    component -> implementing client:
        <iq type='get' id='1234' to='some-user@some-domain.example/a' from='proxy.domain.example/encoded-from'>
    implementing client -> component:
        <iq type='result' id='1234' to='proxy.domain.example/encoded-from' from='some-user@some-domain.example/a'>
    component -> user:
        <iq type='result' id='1234' to='user@some-domain.example/abc' from='proxy.domain.example'>

The encoded-from resource used in the exchange between the proxy component
and the implementing client is an implementation-defined string which allows
the proxy component to revert the JAT.


Use cases
=========

* Implementation of services within clients instead of components, thus making
  use of the more advanced authentication features.
* Load-balancing requests to different client resources.
* General evilness


Configuration
=============

To use this module, it needs to be loaded on a component:

    Component "proxy.yourdomain.example" "client_proxy"
        target_address = "implementation@yourdomain.example"

It will then send a subscription request to implementation@yourdomain.example
which MUST be accepted: this is required so that the component can detect the
resources to which IQ requests can be dispatched.


Limitations
===========

* It does not handle presence or message stanzas.
* It does not allow the implementing client to initiate IQ requests