Mercurial > prosody-modules
view mod_invites_page/README.markdown @ 5193:2bb29ece216b
mod_http_oauth2: Implement stateless dynamic client registration
Replaces previous explicit registration that required either the
additional module mod_adhoc_oauth2_client or manually editing the
database. That method was enough to have something to test with, but
would not probably not scale easily.
Dynamic client registration allows creating clients on the fly, which
may be even easier in theory.
In order to not allow basically unauthenticated writes to the database,
we implement a stateless model here.
per_host_key := HMAC(config -> oauth2_registration_key, hostname)
client_id := JWT { client metadata } signed with per_host_key
client_secret := HMAC(per_host_key, client_id)
This should ensure everything we need to know is part of the client_id,
allowing redirects etc to be validated, and the client_secret can be
validated with only the client_id and the per_host_key.
A nonce injected into the client_id JWT should ensure nobody can submit
the same client metadata and retrieve the same client_secret
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 03 Mar 2023 21:14:19 +0100 |
| parents | 027fb71ad509 |
| children |
line wrap: on
line source
--- labels: - 'Stage-Beta' summary: 'Generate friendly web page for invitations' rockspec: dependencies: - mod_register_apps build: copy_directories: - html - static ... Introduction ============ This module is part of the suite of modules that implement invite-based account registration for Prosody. The other modules are: - [mod_invites] - [mod_invites_adhoc] - [mod_invites_register] - [mod_invites_register_web] - [mod_invites_api] - [mod_register_apps] For details and a full overview, start with the [mod_invites] documentation. Details ======= mod_invites_page provides a unique web page for each generated invitation. Without this module, Prosody will only be able to generate invite links as `xmpp:` URIs (they look something like `xmpp:example.com?register;preauth=29Xbxr91`). URIs will only work if the invited user already has an XMPP client installed. This is usually not the case. This module transforms the URI into a friendly web page that can be shared via any method (email, SMS, etc.), and opened in any browser. The page explains the invitation and guides the user to set up their account using one of a configurable list of XMPP clients (to configure the list, see mod_register_apps documentation). Configuration ============= | Name | Description | Default | |---------------------------|--------------------------------------------------------------------------------|-----------------------------------------------------| | invites_page | The format of an invite page URL (must begin with `https://`) | `"https://{host}:5281/invites_page?{invite.token}"` | | invites_registration_page | The format of an invite registration page URL (may be relative to invites_page)| `"register?t={invite.token}&c={app.id}"` | | site_name | The friendly name of the server | `"example.com"` | | invites_page_external | Set this to true if your invitation pages will be rendered by something else | `false` | The `invites_page` and `invites_registration_page` options are templates that support a number of variables. The most useful being `{host}` and `{invite.token}`. All the usual [HTTP configuration options](https://prosody.im/doc/http) can be used to configure this module. In particular, if you run Prosody behind a reverse proxy such as nginx or Apache, you will probably want to set `http_external_url` so that Prosody knows what URLs should look like for users. If you want to disable this module's built-in pages and use an external invitation page generator (such as [ge0rg/easy-xmpp-invitation](https://github.com/ge0rg/easy-xmpp-invitation) then set `invites_page_external = true` and set `invites_page` to the appropriate URL for your installation.