# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1687216294 -7200
# Node ID d7fb8b266663e4bd5df6facad07d1fa971c27a8a
# Parent  3276750332eacd27a9b3ee47336e1255fbad3183
mod_http_oauth2: Strip unknown client metadata

Per RFC 7591
> The authorization server MUST ignore any client metadata sent by the
> client that it does not understand (for instance, by silently removing
> unknown metadata from the client's registration record during
> processing).

This was previously done but unintentionally removed in 90449babaa48

diff -r 3276750332ea -r d7fb8b266663 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Jun 19 01:26:56 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue Jun 20 01:11:34 2023 +0200
@@ -979,6 +979,13 @@
 		end
 	end
 
+	-- MUST ignore any metadata that it does not understand
+	for propname in pairs(client_metadata) do
+		if not registration_schema.properties[propname] then
+			client_metadata[propname] = nil;
+		end
+	end
+
 	local client_uri = url.parse(client_metadata.client_uri);
 	if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
 		return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri");