This module provides external authentication via an external OAuth 2 authorization server and supports the SASL OAUTHBEARER authentication mechanism as well as PLAIN for legacy clients (this is all of them).
Using OAuth 2.0 in XMPP is explained in XEP-0493: OAuth Client Login. Clients pass tokens from the Authorization Server to Prosody, which attempts to validate the tokens using the configured validation endpoint.
Legacy clients have to use SASL PLAIN, where Prosody acts as an OAuth 2 Client and receives the users username and password and attempts to validate this using the OAuth 2 resource owner password grant.
VirtualHost "example.net"
authentication = "oauth_external"
-- KeyCloak URLs
oauth_external_discovery_url = "https://auth.example.com/auth/realms/ExampleRealm/.well-known/openid-configuration"
oauth_external_token_endpoint = "https://auth.example.com/auth/realms/ExampleRealm/protocol/openid-connect/token"
oauth_external_validation_endpoint = "https://auth.example.com/auth/realms/ExampleRealm/protocol/openid-connect/userinfo"
oauth_external_username_field = "xmpp_username"VirtualHost "example.net"
authentication = "oauth_external"
oauth_external_token_endpoint = "https://mastodon.example/oauth/token"
oauth_external_validation_endpoint = "https://mastodon.example/api/v1/accounts/verify_credentials"
oauth_external_username_field = "username"
oauth_external_scope = "read:accounts"
oauth_external_resource_owner_password = trueoauth_external_issueroauth_external_discovery_urlissuer_identity + "/.well-known/oauth-authorization-server"
when oauth_external_issuer is set, otherwise unset.
oauth_external_validation_endpointoauth_external_username_field.
Required for SASL OAUTHBEARER. For SASL PLAIN, enables username lookup.
Commonly the OpenID
UserInfo endpoint If left unset, only
SASL PLAIN is supported and the username provided there is
assumed correct.
oauth_external_username_field"preferred_username". Field in the JSON
structure returned by the validation endpoint that to be used as the
XMPP localpart. The field must be unique and always be the same for the
same user, to avoid unintentional impersonation.
oauth_external_username_mapping"". Specifies the mapping(s) to apply to
the username field. Currently only one is defined; "split"
which splits out the username part from e.g. an email address. Escaping
per XEP-0106: JID
Escaping is always applied.
oauth_external_sasl_username_mapping"". Specifies the mapping(s) to apply to
the username given in SASL PLAIN to produce the username sent to the
Authorization server. Currently only one is defined; "join"
which adds @ and the domain name.
oauth_external_resource_owner_passwordtrue. Enables SASL PLAIN for legacy
XMPP clients via the resource owner password
grant (considered insecure).
oauth_external_token_endpointoauth_external_client_idoauth_external_client_secretoauth_external_scope"openid". Communicated to clients via
OAUTHBEARER as scope “valid to access the service”. Included in request
for resource owner password grant.
oauth_external_http_settings{ connection_pooling = true }. Settings
applied to the HTTP requests sent to the Authorization server.
| Version | Status |
|---|---|
| trunk | works |
| 13.0.x | works |
| 0.12.x | OAUTHBEARER will not work, otherwise untested |
| 0.11.x | OAUTHBEARER will not work, otherwise untested |
Tested with
With the plugin installer in Prosody 0.12 you can use:
sudo prosodyctl install --server=https://modules.prosody.im/rocks/ mod_auth_oauth_external
For earlier versions see the documentation for installing 3rd party modules