# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1686095483 -7200
# Node ID ef1ae63907428108c49abbd52c9b901fda7e31b0
# Parent  67448e67770637a873a86b913ecc8a69b83cdb39
mod_http_oauth2: Add some words about supported flows and defaults

diff -r 67448e677706 -r ef1ae6390742 mod_http_oauth2/README.markdown
--- a/mod_http_oauth2/README.markdown	Wed Jun 07 01:43:35 2023 +0200
+++ b/mod_http_oauth2/README.markdown	Wed Jun 07 01:51:23 2023 +0200
@@ -175,10 +175,16 @@
 
 ### Supported flows
 
+-   Authorization Code grant, optionally with Proof Key for Code Exchange
+-   Resource owner password grant
+-   Implicit flow *(disabled by default)*
+-   Refresh Token grants
+
 Various flows can be disabled and enabled with
 `allowed_oauth2_grant_types` and `allowed_oauth2_response_types`:
 
 ```lua
+-- These examples reflect the defaults
 allowed_oauth2_grant_types = {
 	"authorization_code"; -- authorization code grant
 	"password"; -- resource owner password grant
@@ -190,16 +196,17 @@
 }
 ```
 
-The [Proof Key for Code Exchange][RFC 7636] mitigation method can be
-made required:
+The [Proof Key for Code Exchange][RFC 7636] mitigation method is
+optional by default but can be made required:
 
 ```lua
-oauth2_require_code_challenge = true
+oauth2_require_code_challenge = true -- default is false
 ```
 
 Further, individual challenge methods can be enabled or disabled:
 
 ```lua
+-- These reflects the default
 allowed_oauth2_code_challenge_methods = {
     "plain"; -- the insecure one
     "S256";
@@ -214,6 +221,7 @@
 ```lua
 oauth2_terms_url = "https://example.com/terms-of-service.html"
 oauth2_policy_url = "https://example.com/service-policy.pdf"
+-- These are unset by default
 ```
 
 ## Deployment notes