changeset 5716:426c42c11f89

mod_http_oauth2: Make defaults more secure

This should be fine since we don't have a lot of clients to be backwards-compatible with.
author Kim Alvefur <zash@zash.se>
date Tue, 14 Nov 2023 23:19:19 +0100
parents 8488ebde5739
children e06af1403a60
files mod_http_oauth2/README.markdown mod_http_oauth2/mod_http_oauth2.lua
diffstat 2 files changed, 6 insertions(+), 8 deletions(-) [+]
--- a/mod_http_oauth2/README.markdown	Tue Nov 14 23:03:37 2023 +0100
+++ b/mod_http_oauth2/README.markdown	Tue Nov 14 23:19:19 2023 +0100
@@ -224,10 +224,10 @@
 ```
 
 The [Proof Key for Code Exchange][RFC 7636] mitigation method is
-optional by default but can be made required:
+required by default but can be made optional:
 
 ```lua
-oauth2_require_code_challenge = true -- default is false
+oauth2_require_code_challenge = false -- default is true
 ```
 
 Further, individual challenge methods can be enabled or disabled:
@@ -235,7 +235,7 @@
 ```lua
 -- These reflects the default
 allowed_oauth2_code_challenge_methods = {
-    "plain"; -- the insecure one
+    -- "plain"; -- insecure but backwards-compatible
     "S256";
 }
 ```
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue Nov 14 23:03:37 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue Nov 14 23:19:19 2023 +0100
@@ -111,9 +111,8 @@
 local registration_options = module:get_option("oauth2_registration_options",
 	{ default_ttl = registration_ttl; accept_expired = not registration_ttl });
 
--- Flip these for Extra Security!
-local pkce_required = module:get_option_boolean("oauth2_require_code_challenge", false);
-local respect_prompt = module:get_option_boolean("oauth2_respect_oidc_prompt", true);
+local pkce_required = module:get_option_boolean("oauth2_require_code_challenge", true);
+local respect_prompt = module:get_option_boolean("oauth2_respect_oidc_prompt", false);
 
 local verification_key;
 local sign_client, verify_client;
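Review bot: The two flipped defaults on the new `pkce_required` / `respect_prompt` lines have no comment, and the removed `-- Flip these for Extra Security!` was the only hint that these are security toggles. I would add a line above them such as `-- Secure defaults: PKCE (RFC 7636) is required; the OIDC prompt parameter is only honoured when oauth2_respect_oidc_prompt is set`, with the wording checked against how `respect_prompt` is used, which is outside this hunk. The same gap exists in the grant-type hunk below: the deleted TODO held the RFC 6749 rationale for dropping `"password"`, so a comment like `-- "password" is deliberately not a default grant type; re-enable via allowed_oauth2_grant_types only if unavoidable` would keep it from being restored by accident. The README hunks in this changeset cover only the PKCE options, so the `oauth2_respect_oidc_prompt` and password-grant changes look undocumented for operators who upgrade, as far as this page shows.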
@@ -755,7 +754,6 @@
 
 local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", {
 	"authorization_code";
-	"password"; -- TODO Disable. The resource owner password credentials grant [RFC6749] MUST NOT be used.
 	"refresh_token";
 	device_uri;
 })
@@ -785,7 +783,7 @@
 	end
 end
 
-local allowed_challenge_methods = module:get_option_set("allowed_oauth2_code_challenge_methods", { "plain"; "S256" })
+local allowed_challenge_methods = module:get_option_set("allowed_oauth2_code_challenge_methods", { "S256" })
 for handler_type in pairs(verifier_transforms) do
 	if not allowed_challenge_methods:contains(handler_type) then
 		module:log("debug", "Challenge method %q disabled", handler_type);
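Review bot: With `"S256"` as the only default method and PKCE now required by default, a configured `allowed_oauth2_code_challenge_methods` that contains no known method (an empty set, or a misspelling such as a lowercase name) would leave no usable challenge method, and the only trace is this `debug`-level message. Assuming the loop body, which continues outside the hunk, removes disabled entries from `verifier_transforms`, a check after the loop would surface that at startup: `if pkce_required and next(verifier_transforms) == nil then module:log("error", "PKCE is required but no code challenge method is enabled"); end`. Logging configured names that match no entry in `verifier_transforms` at `warn` would also catch typos before clients start failing authorization.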