Matthew Wild
488dc9a3f3 Merge pull request #202 from snikket-im/ka/oauthtweaks
OAuth tweaks
2025-06-05 17:55:56 +01:00
Kim Alvefur
1a65ba6150 Include a software id in oauth client registration
This is supposed to be a unique and persistent identifier for the
software itself, regardless of version or deployment instance.

Generated from the domain name in the comment using uuid_generate_sha1()
2025-06-05 17:52:04 +01:00
Kim Alvefur
9474238dee Declare as a web application in oauth client registration
It is one, even though the password grant isn't restricted to web applications; if the
authorization code flow is ever implemented, the declaration will already be correct.
2025-06-05 17:52:01 +01:00
Kim Alvefur
60e663316b Declare that oauth client credentials are using POST method
Not enforced by mod_http_oauth2, but could be in the future
2025-06-05 17:50:52 +01:00
Kim Alvefur
770d05c72c Declare use of no response types, since password grant uses none
Needless restriction removed in
https://hg.prosody.im/prosody-modules/rev/ef81c67e1ae7
2025-06-05 17:50:52 +01:00
Kim Alvefur
ea75d8e832 Include requested scopes in oauth client registration
This can be used on the oauth server side to enforce that no additional
scopes are added.
2025-06-05 17:50:52 +01:00
Kim Alvefur
145dda8c19 Include web portal version in oauth client registration
This could be shown in client listings and audit logs, and checked to
ensure old versions stop being used. Not the most relevant for the web
portal as it is closely tied together with the server, but could help
answer questions about where old grants come from.
2025-06-05 17:50:52 +01:00
Matthew Wild
149a79cb2c Merge pull request #203 from snikket-im/make-lint
prosodyclient: Fixes to satisfy mypy
2025-06-05 17:48:23 +01:00


@@ -29,7 +29,7 @@ from flask import g as _app_ctx_stack
import werkzeug.exceptions
from . import xmpputil
from . import xmpputil, _version
from .xmpputil import split_jid
@@ -472,8 +472,13 @@ class ProsodyClient:
"redirect_uris": [
"https://{}/login_result".format(current_app.config["SNIKKET_DOMAIN"])
],
"application_type": "web",
"grant_types": ["password"],
"response_types": ["code"],
"response_types": [],
"token_endpoint_auth_method": "client_secret_post",
"scope": " ".join([SCOPE_RESTRICTED, SCOPE_DEFAULT, SCOPE_ADMIN]),
"software_id": "22aa246e-4373-51cb-bcaa-9f73bb235b84", # web-portal.snikket.org
"software_version": _version.version,
}
async with self._plain_session as session:
async with session.post(
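Review bot: The `"software_id"` line hard-codes a UUID whose only explanation is the trailing `# web-portal.snikket.org`; the commit message says it was generated from that domain with uuid_generate_sha1(), and the literal's version nibble (`51cb`) is consistent with a name-based SHA-1 (version 5) UUID, but none of that is visible in the code. Spell the derivation out so a later maintainer can verify the constant instead of trusting it, e.g. `# UUIDv5 of "web-portal.snikket.org" (uuid_generate_sha1); must stay stable across versions and deployments`. Alternatively compute it at import time with `uuid.uuid5(uuid.NAMESPACE_DNS, "web-portal.snikket.org")`, which reproduces the literal only if the DNS namespace was used when it was generated — confirm that before switching, since the identifier the server stores for this client must not change. The enclosing method starts before this hunk and continues past its last line.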