# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1677880139 -3600
# Node ID f48628dc83f1312018ba4c010bd558c34b30a4a7
# Parent  2e8a7a0f932dfcdf8288dd9e71cbdab28df8f4d2
mod_http_oauth2: Separate client_secret verification key from JWT key

Allows configuring a real JWT key directly in the config, but
the client_secret will be different per host.

diff -r 2e8a7a0f932d -r f48628dc83f1 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Fri Mar 03 22:48:38 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Fri Mar 03 22:48:59 2023 +0100
@@ -19,10 +19,11 @@
 local registration_algo = module:get_option_string("oauth2_registration_algorithm", "HS256");
 local registration_options = module:get_option("oauth2_registration_options", { default_ttl = 60 * 60 * 24 * 90 });
 
+local verification_key;
 local jwt_sign, jwt_verify;
 if registration_key then
 	-- Tie it to the host if global
-	registration_key = hashes.hmac_sha256(registration_key, module.host);
+	verification_key = hashes.hmac_sha256(registration_key, module.host);
 	jwt_sign, jwt_verify = jwt.init(registration_algo, registration_key, registration_key, registration_options);
 end
 
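Review bot: The comment `-- Tie it to the host if global` now covers only `verification_key`; `jwt.init` on the following line receives the unmodified `registration_key`, so the JWT key is no longer host-bound. With one key configured globally, a registration token signed on one host would presumably verify on every host sharing that key, leaving only the per-host client_secret to separate them. The effective JWT key also differs from the parent revision, which used the host-derived value, so client_ids issued before this commit would likely stop verifying. I would reword the comment to something like `-- Per-host key for client_secret only; the JWT key is used as configured and is not host-bound` and describe both effects in the option's documentation.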
@@ -196,7 +197,7 @@
 end
 
 local function make_secret(client_id) --> client_secret
-	return hashes.hmac_sha256(registration_key, client_id, true);
+	return hashes.hmac_sha256(verification_key, client_id, true);
 end
 
 local function verify_secret(client_id, client_secret)
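Review bot: `verification_key` is assigned only inside the `if registration_key then` block of the first hunk, so in `make_secret` it is nil whenever no registration key is configured and the HMAC call receives a nil key. Whether callers already check that the key is set is not visible here. If they do not, a guard such as `assert(verification_key, "client registration is not configured")` at the top of `make_secret` makes the failure explicit rather than depending on how `hashes.hmac_sha256` treats nil. `verify_secret` begins on the hunk's last line and its body is outside the hunk.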