Mercurial > prosody-modules
view mod_auth_oauth_external/README.md @ 6545:3b605bfc94aa
mod_storage_xmlarchive: Fix purge method (thanks MattJ)
Was returning after reaching the inner loop without proceeding
to inspect other stores.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 24 May 2026 19:15:11 +0200 |
| parents | 6f2f21b00233 |
| children |
line wrap: on
line source
--- summary: Authenticate against an external OAuth 2 IdP labels: - Stage-Alpha --- This module provides external authentication via an external [OAuth 2](https://datatracker.ietf.org/doc/html/rfc7628) authorization server and supports the [SASL OAUTHBEARER authentication][rfc7628] mechanism as well as PLAIN for legacy clients (this is all of them). # How it works Using OAuth 2.0 in XMPP is explained in [XEP-0493: OAuth Client Login]. Clients pass tokens from the Authorization Server to Prosody, which attempts to validate the tokens using the configured validation endpoint. Legacy clients have to use SASL PLAIN, where Prosody receives the users username and password and attempts to validate this using the OAuth 2 resource owner password grant. # Configuration ## Example ### KeyCloak example ```lua VirtualHost "example.net" authentication = "oauth_external" -- KeyCloak URLs oauth_external_discovery_url = "https://auth.example.com/auth/realms/ExampleRealm/.well-known/openid-configuration" oauth_external_token_endpoint = "https://auth.example.com/auth/realms/ExampleRealm/protocol/openid-connect/token" oauth_external_validation_endpoint = "https://auth.example.com/auth/realms/ExampleRealm/protocol/openid-connect/userinfo" oauth_external_username_field = "xmpp_username" ``` ### Mastodon Example ```lua VirtualHost "example.net" authentication = "oauth_external" oauth_external_token_endpoint = "https://mastodon.example/oauth/token" oauth_external_validation_endpoint = "https://mastodon.example/api/v1/accounts/verify_credentials" oauth_external_username_field = "username" oauth_external_scope = "read:accounts" oauth_external_resource_owner_password = true ``` ## Settings `oauth_external_issuer` : Optional URL string representing the Authorization server identity. `oauth_external_discovery_url` : Optional URL string pointing to [OAuth 2.0 Authorization Server Metadata](https://oauth.net/2/authorization-server-metadata/). Lets clients discover where they should retrieve access tokens from if they don't have one yet. Defaults to `issuer_identity + "/.well-known/oauth-authorization-server"` when `oauth_external_issuer` is set, otherwise unset. `oauth_external_validation_endpoint` : URL string. The token validation endpoint, should validate the token and return a JSON structure containing the username of the user logging in the field specified by `oauth_external_username_field`. Required for SASL OAUTHBEARER. For SASL PLAIN, enables username lookup. Commonly the [OpenID `UserInfo` endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) If left unset, only `SASL PLAIN` is supported and the username provided there is assumed correct. `oauth_external_username_field` : String. Default is `"preferred_username"`. Field in the JSON structure returned by the validation endpoint that to be used as the XMPP localpart. `oauth_external_resource_owner_password` : Boolean. Defaults to `true`. Enables SASL PLAIN for legacy XMPP clients via the [resource owner password grant](https://oauth.net/2/grant-types/password/) *(considered insecure)*. `oauth_external_token_endpoint` : URL string. OAuth 2 [Token Endpoint](https://www.rfc-editor.org/rfc/rfc6749#section-3.2) used to validate credentials passed via SASL PLAIN. `oauth_external_client_id` : String. Client ID used to identify Prosody in the resource owner password grant. `oauth_external_client_secret` : String. Client secret used to identify Prosody in the resource owner password grant. `oauth_external_scope` : String. Defaults to `"openid"`. Included in request for resource owner password grant. # Compatibility ## Prosody Version Status --------- ----------------------------------------------- trunk works 13.0.x works 0.12.x OAUTHBEARER will not work, otherwise untested 0.11.x OAUTHBEARER will not work, otherwise untested ## Identity Provider Tested with - [KeyCloak](https://www.keycloak.org/) - [Mastodon](https://joinmastodon.org/) # Future work - Automatically discover endpoints from Discovery URL - Configurable input username mapping (e.g. user → user@host). - [SCRAM over HTTP?!][rfc7804]
