commit dfd8ea545acbe1d2b0b0b7afa0cabab12d065efa
parent 8e613f270eee8d94397d886eabacc9706edbed2d
Author: Christian Grothoff <christian@grothoff.org>
Date: Sat, 24 Aug 2024 16:11:10 +0200
document need for RFC 8959 prefix (#9112)
Diffstat:
2 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/manpages/challenger-admin.1.rst b/manpages/challenger-admin.1.rst
@@ -32,8 +32,8 @@ Description
Its options are as follows:
-**-a** *SECRET* \| **--add=**\ \ *SECRET*
- Add the client with the given *CLIENT_REDIRECT_URL setting the client secret to *SECRET*. Prints the *CLIENT_ID* of the added client.
+**-a** *CLIENT_SECRET* \| **--add=**\ \ *CLIENT_SECRET*
+ Add the client with the given *CLIENT_REDIRECT_URL setting the client secret to *CLIENT_SECRET*. Prints the *CLIENT_ID* of the added client. The *CLIENT_SECRET* must begin with "secret-token:" as per RFC 8959.
**-c** *FILENAME* \| **--config=**\ \ *FILENAME*
Use the configuration and other resources for the Challenger commands
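Review bot: the emphasis markup on `*CLIENT_REDIRECT_URL` in the rewritten description is still unclosed (no trailing `*`), so the rest of the line will render as emphasized text; this defect was carried over from the old line. While touching this line, also note that the man page calls the argument *CLIENT_REDIRECT_URL* whereas the manual hunk uses `$CLIENT_REDIRECT_URI`; pick one spelling. Finally, "must begin with" leaves open what `challenger-admin` does when the RFC 8959 prefix is missing (reject with an error, or accept silently); stating that here lets operators know a failed `--add` is a deliberate check rather than a bug.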
diff --git a/taler-challenger-manual.rst b/taler-challenger-manual.rst
@@ -421,7 +421,7 @@ Authorizing clients
Before clients can use Challenger, they must be explicitly configured. Each
client is identified via its OAuth 2.0 REDIRECT URI. Thus, a client must have
-exactly one REDIRECT URI
+exactly one REDIRECT URI. Challenger also does not allow multiple clients sharing the same REDIRECT URI.
.. note::
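Review bot: the added sentence is a single line that is much longer than the wrapped prose around it; reflow it to the file's existing column width. Content-wise it is a useful hardening statement: since the REDIRECT URI is the client's identity, rejecting duplicates is what prevents two clients from being confused for one another, and it may be worth saying that explicitly.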
@@ -438,16 +438,16 @@ restarting the service. To add (or remove) a client, you must use the
.. code-block:: shell-session
- # sudo -u challenger-httpd challenger-admin --add=$SECRET $REDIRECT_URI
+ # sudo -u challenger-httpd challenger-admin --add=$CLIENT_SECRET $CLIENT_REDIRECT_URI
-Here, ``$SECRET`` is the client secret of OAuth 2.0 which will be used in
-various parts of the protocol to authenticate the client. The
-``$REDIRECT_URI`` is the URI where the user-agent will be redirected to upon
+Here, ``$CLIENT_SECRET`` is the client secret of OAuth 2.0 which will be used in
+various parts of the protocol to authenticate the client. It must begin with the "secret-token:" prefix of RFC 8959. The
+``$CLIENT_REDIRECT_URI`` is the REDIRECT URI where the user-agent will be redirected to upon
completion of the process. The ``challenger-admin`` command will
-then output the *client ID*, which will be a unique positive number.
+then output the *CLIENT_ID*, which will be a unique positive number.
The first time you run the command, you will thus likely see:
-``Client added. Client ID is: 1``. This client ID, the ``$SECRET``
-and the ``$REDIRECT_URI`` will form the foundation for the OAuth 2.0
+``Client added. Client ID is: 1``. This CLIENT_ID, the ``$CLIENT_SECRET``
+and the ``$CLIENT_REDIRECT_URI`` will form the foundation for the OAuth 2.0
configuration.
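Review bot: the markup for the client ID is inconsistent within this hunk: the first mention is written as `*CLIENT_ID*` while the follow-up sentence has plain `CLIENT_ID`; use the same form for both. The line carrying `$CLIENT_REDIRECT_URI` also overshoots the wrap width of the surrounding text. The new RFC 8959 sentence would be clearer with the literal form shown, e.g. "It must begin with the ``secret-token:`` prefix of RFC 8959 (for example ``secret-token:...``)", so readers see the prefix in the same monospace style as the rest of the placeholders.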
@@ -469,8 +469,8 @@ by the client using the ``/setup/$CLIENT_ID`` endpoint!
validation could be expensive.
Thus, to generate the authorization URL, a client must first POST to
-``/setup/$CLIENT_ID`` using their client secret in an ``Authorization: Bearer $SECRET``
-HTTP header to obtain a fresh ``$NONCE``.
+``/setup/$CLIENT_ID`` using their client secret in an ``Authorization: Bearer
+$CLIENT_SECRET`` HTTP header to obtain a fresh ``$NONCE``.
In the GNU Taler exchange configuration, this is indicated by appending
``#setup`` to the ``KYC_OAUTH2_AUTHORIZE_URL`` endpoint. Be careful to quote
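Review bot: the inline literal ``Authorization: Bearer $CLIENT_SECRET`` is now split across two source lines. docutils collapses the line break inside an inline literal to a space, so the rendered output is fine, but keeping the whole header on one line makes the source greppable and avoids the impression that the header value itself wraps. Prefer rewrapping the surrounding prose instead.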
@@ -487,6 +487,7 @@ the configuration file syntax:
KYC_OAUTH2_TOKEN_URL = "https://challenger.example.com/token"
KYC_OAUTH2_INFO_URL = "https://challenger.example.com/info"
KYC_OAUTH2_CLIENT_ID = 1
+ # Make sure to include the RFC 8959 prefix in "$SECRET"
KYC_OAUTH2_CLIENT_SECRET = "$SECRET"
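Review bot: the placeholder names are inconsistent: the new comment and the config line still use `"$SECRET"`, while the manual text in this same commit renames the variable to `$CLIENT_SECRET`. Rename the placeholder here too, and consider showing the required prefix directly in the value, e.g. `KYC_OAUTH2_CLIENT_SECRET = "secret-token:$CLIENT_SECRET"`-style, so that an operator copying the snippet cannot omit it.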
@@ -525,5 +526,3 @@ The Challenger database can be re-initialized using:
However, running this command will result in all data in the database
being lost.
-
-
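Review bot: this hunk is a whitespace-only removal of two trailing blank lines, unrelated to the RFC 8959 documentation change described in the commit message. It is harmless, but mixing it into this commit makes the diff noisier than needed; either mention it in the message or split it out.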