# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1683479197 -7200
# Node ID 5b2352dda31faf9b16169857bde9620aa7728754
# Parent  72f23107beb4dab6e2981582c8ead49579d8a0af
mod_http_oauth2: Include all granted roles in scopes

The client is allowed to request a subset of granted scopes, so it makes
sense to record all granted roles so that another could be selected at
access token issuance.

diff -r 72f23107beb4 -r 5b2352dda31f mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sat May 06 17:06:13 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sun May 07 19:06:37 2023 +0200
@@ -137,8 +137,13 @@
 		granted_scopes = array();
 	end
 
+	if requested_roles then
+		granted_scopes:append(array.filter(requested_roles, function(role)
+			return can_assume_role(username, role)
+		end));
+	end
+
 	local selected_role = select_role(username, requested_roles);
-	granted_scopes:push(selected_role);
 
 	return granted_scopes:concat(" "), selected_role;
 end