# HG changeset patch
# User Kim Alvefur
# Date 1683038372 -7200
# Node ID 149634647b482ad363fba62fdbb14c0949560182
# Parent b86d80e21c60ac8497d81e7d8e249cd47e5b1e81
mod_http_oauth2: Don't issue client_secret when not using authentication

This is pretty much only for implicit flow, which is considered insecure anyway, so this is of limited value. If we delete all the implicit flow code, this could be reverted.

diff -r b86d80e21c60 -r 149634647b48 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:34:31 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:39:32 2023 +0200
@@ -812,15 +812,18 @@
 -- Do we want to keep everything?
 local client_id = jwt_sign(client_metadata);
- local client_secret = make_client_secret(client_id);
 client_metadata.client_id = client_id;
- client_metadata.client_secret = client_secret;
 client_metadata.client_id_issued_at = os.time();
- client_metadata.client_secret_expires_at = 0;
- if not registration_options.accept_expired then
- client_metadata.client_secret_expires_at = client_metadata.client_id_issued_at + (registration_options.default_ttl or 3600);
+ if client_metadata.token_endpoint_auth_method ~= "none" then
+ local client_secret = make_client_secret(client_id);
+ client_metadata.client_secret = client_secret;
+ client_metadata.client_secret_expires_at = 0;
+
+ if not registration_options.accept_expired then
+ client_metadata.client_secret_expires_at = client_metadata.client_id_issued_at + (registration_options.default_ttl or 3600);
+ end
 end
 return client_metadata;
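Review bot: The new branch decides whether a secret is issued by comparing the client-supplied `token_endpoint_auth_method` against the single literal "none", so an absent field (nil) and any unrecognised or unsupported value both fall into the secret-issuing path, and the metadata returned to the client never records which method was actually assumed. Consider normalising the field before the check, e.g. `client_metadata.token_endpoint_auth_method = client_metadata.token_endpoint_auth_method or "client_secret_basic";` (the RFC 7591 default), so the value that is signed into client_id by jwt_sign and echoed back is explicit; whether unsupported values are rejected earlier in the registration handler is not visible in this hunk and should be confirmed. Inside the branch the `local client_secret` temporary is used once and can be folded into `client_metadata.client_secret = make_client_secret(client_id);`. The enclosing function starts outside the hunk.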