changeset 5521:ef1ae6390742

mod_http_oauth2: Add some words about supported flows and defaults
author Kim Alvefur <zash@zash.se>
date Wed, 07 Jun 2023 01:51:23 +0200
parents 67448e677706
children e8f46195b292
files mod_http_oauth2/README.markdown
diffstat 1 files changed, 11 insertions(+), 3 deletions(-)
--- a/mod_http_oauth2/README.markdown	Wed Jun 07 01:43:35 2023 +0200
+++ b/mod_http_oauth2/README.markdown	Wed Jun 07 01:51:23 2023 +0200
@@ -175,10 +175,16 @@
 
 ### Supported flows
 
+-   Authorization Code grant, optionally with Proof Key for Code Exchange
+-   Resource owner password grant
+-   Implicit flow *(disabled by default)*
+-   Refresh Token grants
+
 Various flows can be disabled and enabled with
 `allowed_oauth2_grant_types` and `allowed_oauth2_response_types`:
 
 ```lua
+-- These examples reflect the defaults
 allowed_oauth2_grant_types = {
 	"authorization_code"; -- authorization code grant
 	"password"; -- resource owner password grant
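Review bot: The new bullet list is inconsistent in capitalisation and number ("Authorization Code grant", "Resource owner password grant", "Refresh Token grants"); suggest one form throughout, e.g. "Authorization code grant", "Resource owner password grant", "Implicit flow *(disabled by default)*", "Refresh token grant". Only the implicit flow bullet states its default, so a reader has to cross-check the lua block that follows to learn that the other three are enabled; marking each bullet with its default (or a short sentence before the list saying all but implicit are enabled) would make the list self-contained.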
@@ -190,16 +196,17 @@
 }
 ```
 
-The [Proof Key for Code Exchange][RFC 7636] mitigation method can be
-made required:
+The [Proof Key for Code Exchange][RFC 7636] mitigation method is
+optional by default but can be made required:
 
 ```lua
-oauth2_require_code_challenge = true
+oauth2_require_code_challenge = true -- default is false
 ```
 
 Further, individual challenge methods can be enabled or disabled:
 
 ```lua
+-- These reflects the default
 allowed_oauth2_code_challenge_methods = {
     "plain"; -- the insecure one
     "S256";
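Review bot: The added comment `-- These reflects the default` does not agree in number; since the block lists two methods, `-- These reflect the defaults` (matching the wording used in the grant-types block above, `-- These examples reflect the defaults`) is the consistent fix. With "plain" annotated as "the insecure one" yet shown enabled by default, a one-line note on when an operator would want to drop it from the list would help readers act on the annotation.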
@@ -214,6 +221,7 @@
 ```lua
 oauth2_terms_url = "https://example.com/terms-of-service.html"
 oauth2_policy_url = "https://example.com/service-policy.pdf"
+-- These are unset by default
 ```
 
 ## Deployment notes
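Review bot: The comment `-- These are unset by default` sits after two lines that assign concrete values, so inside the block it reads as if the example itself leaves them unset; placing it at the top of the block, as done with `-- These examples reflect the defaults` in the grant-types block, or rewording it to `-- Unset by default; example values shown` removes the ambiguity.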