Mercurial > prosody-modules

view mod_http_oauth2/html/consent.html @ 5682:527c747711f3

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_http_oauth2: Limit revocation to clients own tokens in strict mode RFC 7009 section 2.1 states: > The authorization server first validates the client credentials (in > case of a confidential client) and then verifies whether the token was > issued to the client making the revocation request. If this > validation fails, the request is refused and the client is informed of > the error by the authorization server as described below. The first part was already covered (in strict mode). This adds the later part using the hash of client_id recorded in 0860497152af It still seems weird to me that revoking a leaked token should not be allowed whoever might have discovered it, as that seems the responsible thing to do.
author Kim Alvefur <zash@zash.se>
date Sun, 29 Oct 2023 11:30:49 +0100
parents 401356232e1b
children 111eeffb6adf
line wrap: on
line source

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>{site_name} - Authorize {client.client_name}</title>
<link rel="stylesheet" href="style.css" />
</head>
<body>
{state.error&
	<dialog open="" class="error">
		<p>{state.error}</p>
		<form method="dialog"><button>dismiss</button></form>
	</dialog>}
	<header>
	<h1>{site_name}</h1>
	</header>
	<main>
	<fieldset>
	<legend>Authorize new application</legend>
	<p>A new application wants to connect to your account.</p>
	<form method="post">
	<dl>
		<dt>Name</dt>
		<dd>{client.client_name}</dd>
		<dt>Website</dt>
		<dd><a href="{client.client_uri}">{client.client_uri}</a></dd>

		{client.tos_uri&
		<dt>Terms of Service</dt>
		<dd><a href="{client.tos_uri}">View terms</a></dd>}

		{client.policy_uri&
		<dt>Policy</dt>
		<dd><a href="{client.policy_uri}">View policy</a></dd>}

		<dt>Requested permissions</dt>
		<dd>{scopes#
			<input class="scope" type="checkbox" id="scope_{idx}" name="scope" value="{item}" checked="" /><label class="scope" for="scope_{idx}">{item}</label>}
		</dd>
	</dl>

	<p>To allow <em>{client.client_name}</em> to access your account
	<em>{state.user.username}@{state.user.host}</em> and associated data,
	select 'Allow'. Otherwise, select 'Deny'.
	</p>

	<input type="hidden" name="user_token" value="{state.user.token}">
	<button type="submit" name="consent" value="denied">Deny</button>
	<button type="submit" name="consent" value="granted">Allow</button>
	</form>
	</fieldset>
	</main>
</body>
</html>