# HG changeset patch
# User Kim Alvefur
# Date 1686095483 -7200
# Node ID ef1ae63907428108c49abbd52c9b901fda7e31b0
# Parent 67448e67770637a873a86b913ecc8a69b83cdb39
mod_http_oauth2: Add some words about supported flows and defaults
diff -r 67448e677706 -r ef1ae6390742 mod_http_oauth2/README.markdown
--- a/mod_http_oauth2/README.markdown Wed Jun 07 01:43:35 2023 +0200
+++ b/mod_http_oauth2/README.markdown Wed Jun 07 01:51:23 2023 +0200
@@ -175,10 +175,16 @@
 ### Supported flows
+- Authorization Code grant, optionally with Proof Key for Code Exchange
+- Resource owner password grant
+- Implicit flow *(disabled by default)*
+- Refresh Token grants
+
 Various flows can be disabled and enabled with `allowed_oauth2_grant_types` and `allowed_oauth2_response_types`:
 ```lua
+-- These examples reflect the defaults
 allowed_oauth2_grant_types = {
 "authorization_code"; -- authorization code grant
 "password"; -- resource owner password grant
@@ -190,16 +196,17 @@
 }
 ```
-The [Proof Key for Code Exchange][RFC 7636] mitigation method can be
-made required:
+The [Proof Key for Code Exchange][RFC 7636] mitigation method is
+optional by default but can be made required:
 ```lua
-oauth2_require_code_challenge = true
+oauth2_require_code_challenge = true -- default is false
 ```
 Further, individual challenge methods can be enabled or disabled:
 ```lua
+-- These reflects the default
 allowed_oauth2_code_challenge_methods = {
 "plain"; -- the insecure one
 "S256";
@@ -214,6 +221,7 @@
 ```lua
 oauth2_terms_url = "https://example.com/terms-of-service.html"
 oauth2_policy_url = "https://example.com/service-policy.pdf"
+-- These are unset by default
 ```
 ## Deployment notes