changeset 6527:6f2f21b00233

mod_auth_oauth_external: Expand descriptions of settings
author Kim Alvefur <zash@zash.se>
date Sat, 02 May 2026 16:26:31 +0200
parents 1216f6befbe7
children 6241b2f5e92f
files mod_auth_oauth_external/README.md
diffstat 1 files changed, 16 insertions(+), 16 deletions(-) [+]
line wrap: on
line diff
--- a/mod_auth_oauth_external/README.md	Sat May 02 16:13:35 2026 +0200
+++ b/mod_auth_oauth_external/README.md	Sat May 02 16:26:31 2026 +0200
@@ -50,8 +50,7 @@
 oauth_external_resource_owner_password = true
 ```
 
-
-## Common
+## Settings
 
 `oauth_external_issuer`
 :   Optional URL string representing the Authorization server identity.
@@ -60,42 +59,43 @@
 :   Optional URL string pointing to [OAuth 2.0 Authorization Server
     Metadata](https://oauth.net/2/authorization-server-metadata/). Lets
     clients discover where they should retrieve access tokens from if
-    they don't have one yet. Default based on `oauth_external_issuer` is
-    set, otherwise empty.
+    they don't have one yet. Defaults to
+    `issuer_identity + "/.well-known/oauth-authorization-server"` when
+    `oauth_external_issuer` is set, otherwise unset.
 
 `oauth_external_validation_endpoint`
 :   URL string. The token validation endpoint, should validate the token
     and return a JSON structure containing the username of the user
     logging in the field specified by `oauth_external_username_field`.
-    Commonly the [OpenID `UserInfo`
+    Required for SASL OAUTHBEARER. For SASL PLAIN, enables username
+    lookup. Commonly the [OpenID `UserInfo`
     endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
     If left unset, only `SASL PLAIN` is supported and the username
     provided there is assumed correct.
 
 `oauth_external_username_field`
 :   String. Default is `"preferred_username"`. Field in the JSON
-    structure returned by the validation endpoint that contains the XMPP
-    localpart.
-
-## For SASL PLAIN
+    structure returned by the validation endpoint that to be used as the
+    XMPP localpart.
 
 `oauth_external_resource_owner_password`
-:   Boolean. Defaults to `true`. Whether to allow the *insecure*
-    [resource owner password
-    grant](https://oauth.net/2/grant-types/password/) and SASL PLAIN.
+:   Boolean. Defaults to `true`. Enables SASL PLAIN for legacy XMPP
+    clients via the [resource owner password
+    grant](https://oauth.net/2/grant-types/password/) *(considered
+    insecure)*.
 
 `oauth_external_token_endpoint`
 :   URL string. OAuth 2 [Token
     Endpoint](https://www.rfc-editor.org/rfc/rfc6749#section-3.2) used
-    to retrieve token in order to then retrieve the username.
+    to validate credentials passed via SASL PLAIN.
 
 `oauth_external_client_id`
-:   String. Client ID used to identify Prosody during the resource owner
+:   String. Client ID used to identify Prosody in the resource owner
     password grant.
 
 `oauth_external_client_secret`
-:   String. Client secret used to identify Prosody during the resource
-    owner password grant.
+:   String. Client secret used to identify Prosody in the resource owner
+    password grant.
 
 `oauth_external_scope`
 :   String. Defaults to `"openid"`. Included in request for resource