# HG changeset patch # User Kim Alvefur # Date 1679834670 -7200 # Node ID d94dba396f9fad29490cc3a4c0b9c126f6dfefbd # Parent a1055024b94e6b65c2db72582c46c9e32ae2a95d mod_http_oauth2: Declare additional client registration fields as strings Previously any property not listed in the schema was allowed in any form, which is probably a bit too liberal. Instead, limit extra fields to simple strings, which should still allow localized versions of the various URIs and descriptive properties per RFC 7591 ยง2.2 diff -r a1055024b94e -r d94dba396f9f mod_http_oauth2/mod_http_oauth2.lua --- a/mod_http_oauth2/mod_http_oauth2.lua Sun Mar 26 14:39:34 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Sun Mar 26 14:44:30 2023 +0200 @@ -620,6 +620,8 @@ software_id = { type = "string"; format = "uuid" }; software_version = { type = "string" }; }; + -- Localized versions of descriptive properties and URIs + additionalProperties = { type = "string" }; } function create_client(client_metadata)