# HG changeset patch
# User Matthew Wild
# Date 1678200763 0
# Node ID 22483cfce3ce30a80c4a31ab844e939be3ae2c6a
# Parent d03448560acf660b87f7a442ac366e4f6d3e00db
mod_http_oauth2: Reflect ALL attributes of the client registration Per RFC 7591: " Additionally, the authorization server MUST return all registered metadata about this client, including any fields provisioned by the authorization server itself. " The idea is that the server may replace/drop fields in the registration, so what gets reflected back to the client is the source of truth about the registration.
diff -r d03448560acf -r 22483cfce3ce mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 07 14:59:45 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 07 14:52:43 2023 +0000
@@ -564,20 +564,19 @@
 	local client_id = jwt_sign(client_metadata);
 	local client_secret = make_secret(client_id);
 
-	local client_desc = {
-		client_id = client_id;
-		client_secret = client_secret;
-		client_id_issued_at = os.time();
-		client_secret_expires_at = 0;
-	}
+	client_metadata.client_id = client_id;
+	client_metadata.client_secret = client_secret;
+	client_metadata.client_id_issued_at = os.time();
+	client_metadata.client_secret_expires_at = 0;
+
 	if not registration_options.accept_expired then
-		client_desc.client_secret_expires_at = client_desc.client_id_issued_at + (registration_options.default_ttl or 3600);
+		client_metadata.client_secret_expires_at = client_metadata.client_id_issued_at + (registration_options.default_ttl or 3600);
 	end
 
 	return {
 		status_code = 201;
 		headers = { content_type = "application/json" };
-		body = json.encode(client_desc);
+		body = json.encode(client_metadata);
 	};
 end
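Review bot: The response body is now `client_metadata` itself, so every key present in that table at this point — including any client-supplied field that the server did not explicitly accept — is echoed back as "registered" metadata; whether unknown or rejected fields are stripped earlier in the handler is not visible in this hunk and should be stated here, since the commit message relies on this reflection being the source of truth. The in-place mutation is also only safe because it happens after `jwt_sign(client_metadata)` has already produced `client_id`; nothing in the code documents that ordering, and moving the assignments above the sign call would embed the secret in the signed identifier. I would add above the first assignment `-- Populated only after jwt_sign(): these fields (incl. client_secret) must never reach the signed client_id.` and on the expires line `-- 0 = secret does not expire (RFC 7591 §3.2.1); overridden below unless accept_expired is set.`. The enclosing handler starts before this hunk; only its final `end` is visible.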