Mercurial > prosody-modules
changeset 5521:ef1ae6390742
mod_http_oauth2: Add some words about supported flows and defaults
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 07 Jun 2023 01:51:23 +0200 |
parents | 67448e677706 |
children | e8f46195b292 |
files | mod_http_oauth2/README.markdown |
diffstat | 1 files changed, 11 insertions(+), 3 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_http_oauth2/README.markdown Wed Jun 07 01:43:35 2023 +0200 +++ b/mod_http_oauth2/README.markdown Wed Jun 07 01:51:23 2023 +0200 @@ -175,10 +175,16 @@ ### Supported flows +- Authorization Code grant, optionally with Proof Key for Code Exchange +- Resource owner password grant +- Implicit flow *(disabled by default)* +- Refresh Token grants + Various flows can be disabled and enabled with `allowed_oauth2_grant_types` and `allowed_oauth2_response_types`: ```lua +-- These examples reflect the defaults allowed_oauth2_grant_types = { "authorization_code"; -- authorization code grant "password"; -- resource owner password grant @@ -190,16 +196,17 @@ } ``` -The [Proof Key for Code Exchange][RFC 7636] mitigation method can be -made required: +The [Proof Key for Code Exchange][RFC 7636] mitigation method is +optional by default but can be made required: ```lua -oauth2_require_code_challenge = true +oauth2_require_code_challenge = true -- default is false ``` Further, individual challenge methods can be enabled or disabled: ```lua +-- These reflects the default allowed_oauth2_code_challenge_methods = { "plain"; -- the insecure one "S256"; @@ -214,6 +221,7 @@ ```lua oauth2_terms_url = "https://example.com/terms-of-service.html" oauth2_policy_url = "https://example.com/service-policy.pdf" +-- These are unset by default ``` ## Deployment notes