Mercurial > prosody-modules
comparison mod_auth_oauth_external/README.md @ 6527:6f2f21b00233
mod_auth_oauth_external: Expand descriptions of settings
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 02 May 2026 16:26:31 +0200 |
| parents | d454eae0d8ef |
| children |
comparison
equal
deleted
inserted
replaced
| 6526:1216f6befbe7 | 6527:6f2f21b00233 |
|---|---|
| 48 oauth_external_username_field = "username" | 48 oauth_external_username_field = "username" |
| 49 oauth_external_scope = "read:accounts" | 49 oauth_external_scope = "read:accounts" |
| 50 oauth_external_resource_owner_password = true | 50 oauth_external_resource_owner_password = true |
| 51 ``` | 51 ``` |
| 52 | 52 |
| 53 | 53 ## Settings |
| 54 ## Common | |
| 55 | 54 |
| 56 `oauth_external_issuer` | 55 `oauth_external_issuer` |
| 57 : Optional URL string representing the Authorization server identity. | 56 : Optional URL string representing the Authorization server identity. |
| 58 | 57 |
| 59 `oauth_external_discovery_url` | 58 `oauth_external_discovery_url` |
| 60 : Optional URL string pointing to [OAuth 2.0 Authorization Server | 59 : Optional URL string pointing to [OAuth 2.0 Authorization Server |
| 61 Metadata](https://oauth.net/2/authorization-server-metadata/). Lets | 60 Metadata](https://oauth.net/2/authorization-server-metadata/). Lets |
| 62 clients discover where they should retrieve access tokens from if | 61 clients discover where they should retrieve access tokens from if |
| 63 they don't have one yet. Default based on `oauth_external_issuer` is | 62 they don't have one yet. Defaults to |
| 64 set, otherwise empty. | 63 `issuer_identity + "/.well-known/oauth-authorization-server"` when |
| 64 `oauth_external_issuer` is set, otherwise unset. | |
| 65 | 65 |
| 66 `oauth_external_validation_endpoint` | 66 `oauth_external_validation_endpoint` |
| 67 : URL string. The token validation endpoint, should validate the token | 67 : URL string. The token validation endpoint, should validate the token |
| 68 and return a JSON structure containing the username of the user | 68 and return a JSON structure containing the username of the user |
| 69 logging in the field specified by `oauth_external_username_field`. | 69 logging in the field specified by `oauth_external_username_field`. |
| 70 Commonly the [OpenID `UserInfo` | 70 Required for SASL OAUTHBEARER. For SASL PLAIN, enables username |
| 71 lookup. Commonly the [OpenID `UserInfo` | |
| 71 endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) | 72 endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) |
| 72 If left unset, only `SASL PLAIN` is supported and the username | 73 If left unset, only `SASL PLAIN` is supported and the username |
| 73 provided there is assumed correct. | 74 provided there is assumed correct. |
| 74 | 75 |
| 75 `oauth_external_username_field` | 76 `oauth_external_username_field` |
| 76 : String. Default is `"preferred_username"`. Field in the JSON | 77 : String. Default is `"preferred_username"`. Field in the JSON |
| 77 structure returned by the validation endpoint that contains the XMPP | 78 structure returned by the validation endpoint that to be used as the |
| 78 localpart. | 79 XMPP localpart. |
| 79 | |
| 80 ## For SASL PLAIN | |
| 81 | 80 |
| 82 `oauth_external_resource_owner_password` | 81 `oauth_external_resource_owner_password` |
| 83 : Boolean. Defaults to `true`. Whether to allow the *insecure* | 82 : Boolean. Defaults to `true`. Enables SASL PLAIN for legacy XMPP |
| 84 [resource owner password | 83 clients via the [resource owner password |
| 85 grant](https://oauth.net/2/grant-types/password/) and SASL PLAIN. | 84 grant](https://oauth.net/2/grant-types/password/) *(considered |
| 85 insecure)*. | |
| 86 | 86 |
| 87 `oauth_external_token_endpoint` | 87 `oauth_external_token_endpoint` |
| 88 : URL string. OAuth 2 [Token | 88 : URL string. OAuth 2 [Token |
| 89 Endpoint](https://www.rfc-editor.org/rfc/rfc6749#section-3.2) used | 89 Endpoint](https://www.rfc-editor.org/rfc/rfc6749#section-3.2) used |
| 90 to retrieve token in order to then retrieve the username. | 90 to validate credentials passed via SASL PLAIN. |
| 91 | 91 |
| 92 `oauth_external_client_id` | 92 `oauth_external_client_id` |
| 93 : String. Client ID used to identify Prosody during the resource owner | 93 : String. Client ID used to identify Prosody in the resource owner |
| 94 password grant. | 94 password grant. |
| 95 | 95 |
| 96 `oauth_external_client_secret` | 96 `oauth_external_client_secret` |
| 97 : String. Client secret used to identify Prosody during the resource | 97 : String. Client secret used to identify Prosody in the resource owner |
| 98 owner password grant. | 98 password grant. |
| 99 | 99 |
| 100 `oauth_external_scope` | 100 `oauth_external_scope` |
| 101 : String. Defaults to `"openid"`. Included in request for resource | 101 : String. Defaults to `"openid"`. Included in request for resource |
| 102 owner password grant. | 102 owner password grant. |
| 103 | 103 |
