# HG changeset patch # User Kim Alvefur # Date 1700000359 -3600 # Node ID 426c42c11f8937bdc54c6d3991c0a8cf1c3e7beb # Parent 8488ebde57398db9254198d437b8dd1cdd8146d8 mod_http_oauth2: Make defaults more secure This should be fine since we don't have a lot of clients to be backwards-compatible with. diff -r 8488ebde5739 -r 426c42c11f89 mod_http_oauth2/README.markdown --- a/mod_http_oauth2/README.markdown Tue Nov 14 23:03:37 2023 +0100 +++ b/mod_http_oauth2/README.markdown Tue Nov 14 23:19:19 2023 +0100 @@ -224,10 +224,10 @@ ``` The [Proof Key for Code Exchange][RFC 7636] mitigation method is -optional by default but can be made required: +required by default but can be made optional: ```lua -oauth2_require_code_challenge = true -- default is false +oauth2_require_code_challenge = false -- default is true ``` Further, individual challenge methods can be enabled or disabled: @@ -235,7 +235,7 @@ ```lua -- These reflects the default allowed_oauth2_code_challenge_methods = { - "plain"; -- the insecure one + -- "plain"; -- insecure but backwards-compatible "S256"; } ``` diff -r 8488ebde5739 -r 426c42c11f89 mod_http_oauth2/mod_http_oauth2.lua --- a/mod_http_oauth2/mod_http_oauth2.lua Tue Nov 14 23:03:37 2023 +0100 +++ b/mod_http_oauth2/mod_http_oauth2.lua Tue Nov 14 23:19:19 2023 +0100 @@ -111,9 +111,8 @@ local registration_options = module:get_option("oauth2_registration_options", { default_ttl = registration_ttl; accept_expired = not registration_ttl }); --- Flip these for Extra Security! -local pkce_required = module:get_option_boolean("oauth2_require_code_challenge", false); -local respect_prompt = module:get_option_boolean("oauth2_respect_oidc_prompt", true); +local pkce_required = module:get_option_boolean("oauth2_require_code_challenge", true); +local respect_prompt = module:get_option_boolean("oauth2_respect_oidc_prompt", false); local verification_key; local sign_client, verify_client; @@ -755,7 +754,6 @@ local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", { "authorization_code"; - "password"; -- TODO Disable. The resource owner password credentials grant [RFC6749] MUST NOT be used. "refresh_token"; device_uri; }) @@ -785,7 +783,7 @@ end end -local allowed_challenge_methods = module:get_option_set("allowed_oauth2_code_challenge_methods", { "plain"; "S256" }) +local allowed_challenge_methods = module:get_option_set("allowed_oauth2_code_challenge_methods", { "S256" }) for handler_type in pairs(verifier_transforms) do if not allowed_challenge_methods:contains(handler_type) then module:log("debug", "Challenge method %q disabled", handler_type);