From 145dda8c1969cb2263977017578196dd2bd66298 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Tue, 3 Jun 2025 01:41:24 +0200
Subject: [PATCH 1/6] Include web portal version in oauth client registration

This could be shown in client listings and audit logs, and checked to ensure old versions stop being used. Not the most relevant for the web portal as it is closely tied together with the server, but could help answer questions about where old grants come from.
---
 snikket_web/prosodyclient.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/snikket_web/prosodyclient.py b/snikket_web/prosodyclient.py
index 57eac0c..352805e 100644
--- a/snikket_web/prosodyclient.py
+++ b/snikket_web/prosodyclient.py
@@ -29,7 +29,7 @@ from flask import g as _app_ctx_stack
 import werkzeug.exceptions
-from . import xmpputil
+from . import xmpputil, _version
 from .xmpputil import split_jid
@@ -474,6 +474,7 @@ class ProsodyClient:
 ],
 "grant_types": ["password"],
 "response_types": ["code"],
+ "software_version": _version.version,
 }
 async with self._plain_session as session:
 async with session.post(
From ea75d8e832c1a30fe4fcf6562ee5d65f49513c4d Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Tue, 3 Jun 2025 01:41:42 +0200
Subject: [PATCH 2/6] Include requested scopes in oauth client registration

This can be used on the oauth server side to enforce that no additional scopes are added.
---
 snikket_web/prosodyclient.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/snikket_web/prosodyclient.py b/snikket_web/prosodyclient.py
index 352805e..ef785cd 100644
--- a/snikket_web/prosodyclient.py
+++ b/snikket_web/prosodyclient.py
@@ -474,6 +474,7 @@ class ProsodyClient:
 ],
 "grant_types": ["password"],
 "response_types": ["code"],
+ "scope": " ".join([SCOPE_RESTRICTED, SCOPE_DEFAULT, SCOPE_ADMIN]),
 "software_version": _version.version,
 }
 async with self._plain_session as session:
From 770d05c72c33e3681004853a08b3898cdae7c00c Mon Sep 17 00:00:00 2001
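Review bot: The `scope` entry added in the `@@ -474,6 +474,7 @@` hunk of PATCH 2/6 registers the union of SCOPE_RESTRICTED, SCOPE_DEFAULT and SCOPE_ADMIN, so the server-side ceiling the commit message describes is "everything", and nothing in this hunk narrows what an individual password-grant token request asks for. That is fine as a declared maximum, but it deserves a comment so nobody later reads it as the scope actually granted per login, e.g. `# Upper bound of scopes this client may ever request; the server may reject token requests outside it. Per-login scope is still chosen at the token request.` The three SCOPE_* names are presumably module-level constants defined outside the hunk, and the enclosing method starts and ends outside it as well.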
From: Kim Alvefur
Date: Tue, 3 Jun 2025 18:13:25 +0200
Subject: [PATCH 3/6] Declare use of no response types, since password grant uses none

Needless restriction removed in https://hg.prosody.im/prosody-modules/rev/ef81c67e1ae7
---
 snikket_web/prosodyclient.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/snikket_web/prosodyclient.py b/snikket_web/prosodyclient.py
index ef785cd..2fbb2bf 100644
--- a/snikket_web/prosodyclient.py
+++ b/snikket_web/prosodyclient.py
@@ -473,7 +473,7 @@ class ProsodyClient:
 "https://{}/login_result".format(current_app.config["SNIKKET_DOMAIN"])
 ],
 "grant_types": ["password"],
- "response_types": ["code"],
+ "response_types": [],
 "scope": " ".join([SCOPE_RESTRICTED, SCOPE_DEFAULT, SCOPE_ADMIN]),
 "software_version": _version.version,
 }
From 60e663316b201bc40b402ef1fabf68a7cd6dc8d5 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Tue, 3 Jun 2025 18:14:27 +0200
Subject: [PATCH 4/6] Declare that oauth client credentials are using POST method

Not enforced by mod_http_oauth2, but could be in the future
---
 snikket_web/prosodyclient.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/snikket_web/prosodyclient.py b/snikket_web/prosodyclient.py
index 2fbb2bf..4c62532 100644
--- a/snikket_web/prosodyclient.py
+++ b/snikket_web/prosodyclient.py
@@ -474,6 +474,7 @@ class ProsodyClient:
 ],
 "grant_types": ["password"],
 "response_types": [],
+ "token_endpoint_auth_method": "client_secret_post",
 "scope": " ".join([SCOPE_RESTRICTED, SCOPE_DEFAULT, SCOPE_ADMIN]),
 "software_version": _version.version,
 }
From 9474238deedb7fade785a60b64be63e756229c69 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Tue, 3 Jun 2025 18:18:15 +0200
Subject: [PATCH 5/6] Declare as a web application in oauth client registration

It is, even if the password grant isn't restricted to that, but if ever the authorization code flow is implemented, it'll be correct.
---
 snikket_web/prosodyclient.py | 1 +
 1 file changed, 1 insertion(+)
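Review bot: The `"response_types": []` line in the `@@ -473,7 +473,7 @@` hunk of PATCH 3/6 is semantically different from omitting the key, because RFC 7591 defaults an absent response_types to ["code"], and that distinction is not visible in the code. The commit message also ties the change to a specific mod_http_oauth2 revision, which older servers may still reject, so the line should carry that context: `"response_types": [],  # explicit "none": omitting the key defaults to ["code"]; needs mod_http_oauth2 at or after prosody-modules rev ef81c67e1ae7`. The enclosing method starts and ends outside the hunk.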
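Review bot: The `"token_endpoint_auth_method": "client_secret_post"` line in the `@@ -474,6 +474,7 @@` hunk of PATCH 4/6 is a promise about how the token request sends the client secret, but the token request itself is outside this hunk and nothing here keeps the two in sync. If the token call ever sends the credentials as HTTP Basic instead of in the form body, the registration becomes wrong the moment the server starts enforcing it, as the commit message anticipates. A cross-reference comment would make that coupling explicit: `# Must match how the token request sends client_id/client_secret (form body, not Basic auth)`. The enclosing method starts and ends outside the hunk.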
diff --git a/snikket_web/prosodyclient.py b/snikket_web/prosodyclient.py
index 4c62532..84b444b 100644
--- a/snikket_web/prosodyclient.py
+++ b/snikket_web/prosodyclient.py
@@ -472,6 +472,7 @@ class ProsodyClient:
 "redirect_uris": [
 "https://{}/login_result".format(current_app.config["SNIKKET_DOMAIN"])
 ],
+ "application_type": "web",
 "grant_types": ["password"],
 "response_types": [],
 "token_endpoint_auth_method": "client_secret_post",
From 1a65ba61500ad3939be737c60ff7bb291374642c Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Tue, 3 Jun 2025 18:18:24 +0200
Subject: [PATCH 6/6] Include a software id in oauth client registration

This is supposed to be a unique and persistent identifier for the software itself, regardless of version or deployment instance. Generated from the domain name in the comment using uuid_generate_sha1()
---
 snikket_web/prosodyclient.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/snikket_web/prosodyclient.py b/snikket_web/prosodyclient.py
index 84b444b..765ce28 100644
--- a/snikket_web/prosodyclient.py
+++ b/snikket_web/prosodyclient.py
@@ -477,6 +477,7 @@ class ProsodyClient:
 "response_types": [],
 "token_endpoint_auth_method": "client_secret_post",
 "scope": " ".join([SCOPE_RESTRICTED, SCOPE_DEFAULT, SCOPE_ADMIN]),
+ "software_id": "22aa246e-4373-51cb-bcaa-9f73bb235b84", # web-portal.snikket.org
 "software_version": _version.version,
 }
 async with self._plain_session as session:
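Review bot: The `software_id` literal added in the `@@ -477,6 +477,7 @@` hunk of PATCH 6/6 is a bare magic string whose only in-code explanation is the trailing `# web-portal.snikket.org`; the derivation (a SHA-1 name-based UUID, which the version nibble "5" in the third group agrees with) lives only in the commit message, and the property that matters most, that it must never change across versions or deployments, is stated nowhere in the file. Hoisting it to a module-level constant with that contract documented would make an accidental regeneration far less likely, e.g. `SOFTWARE_ID = "22aa246e-4373-51cb-bcaa-9f73bb235b84"  # name-based (v5) UUID of "web-portal.snikket.org", presumably in the DNS namespace; identifies the software itself, keep stable across versions and deployments` and then `"software_id": SOFTWARE_ID,` in the dict. The namespace used is an inference from the commit message rather than something the hunk shows. The enclosing method starts and ends outside the hunk.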