# HG changeset patch
# User Kim Alvefur
# Date 1751550300 -7200
# Node ID 17d9533f7596b5d409c7d2142fed459ddfa6766a
# Parent 6ea80b73d8f2dc374ff110cab95526f4c644b7c2
mod_http_oauth2: Reject invalid attempt to register client without credentials

The implicit flow works without a client_secret since the token is delivered directly, but all other currently supported grant types require client to authenticate using credentials, so it makes no sense to not issue credentials then.

diff -r 6ea80b73d8f2 -r 17d9533f7596 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Thu Jul 03 15:42:42 2025 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Thu Jul 03 15:45:00 2025 +0200
@@ -1545,6 +1545,8 @@
 -- Not needed for public clients without a secret, but those are expected
 -- to be uncommon since they can only do the insecure implicit flow.
 client_metadata.nonce = id.short();
+elseif grant_types ~= set.new({ "implicit" }) then
+return nil, oauth_error("invalid_client_metadata", "A 'token_endpoint_auth_method' value of 'none' only works with the 'implicit' grant");
 end
 -- Do we want to keep everything?
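Review bot: The `~=` in `elseif grant_types ~= set.new({ "implicit" }) then` compares contents only if both operands are util.set instances whose metatable supplies `__eq`; a plain Lua table compares by reference, so if grant_types were the raw metadata array the test would be true for every public client and implicit-only registrations would be rejected too. grant_types is built outside this hunk, so I cannot confirm its type here; a one-line comment would pin the assumption, e.g. `-- grant_types must be a util.set here: set equality compares membership, a raw array never matches`. Exact equality also rejects a public client that lists refresh_token alongside implicit, which is consistent with the implicit flow not issuing refresh tokens but is worth stating in the comment so the strictness reads as intended. The enclosing if-statement begins above the hunk, so the 'token_endpoint_auth_method' = 'none' condition that the error message refers to is not visible from here.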