# HG changeset patch
# User Kim Alvefur
# Date 1751549682 -7200
# Node ID 4f9b42c53d0f24a568059703731028a239ff864c
# Parent dfc035ecabb48f8e9b86bc9e44bba442b59e09b6
mod_http_oauth2: Check grant type before issuing refresh token

This prevents even issuing a refresh token to a client that has not registered the corresponding grant type. The grant type dispatcher also checks before invoking the refresh token grant type handler.

diff -r dfc035ecabb4 -r 4f9b42c53d0f mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Thu Jul 03 12:32:43 2025 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Thu Jul 03 15:34:42 2025 +0200
@@ -309,6 +309,10 @@
 };
 end
+local function may_issue_refresh_token(client, scope_string) return array_contains(client.grant_types, "refresh_token") and array_contains(parse_scopes(scope_string), "offline_access"); end
+
 local function new_access_token(token_jid, role, scope_string, client, id_token, refresh_token_info)
 local token_data = { oauth2_scopes = scope_string, oauth2_client = nil };
 if client then
@@ -334,7 +338,7 @@
 end
 -- in with the new refresh token
 local refresh_token;
- if refresh_token_info ~= false and array_contains(parse_scopes(scope_string), "offline_access") then
+ if refresh_token_info ~= false and may_issue_refresh_token(client, scope_string) then
 refresh_token = tokens.create_token(token_jid, grant.id, nil, default_refresh_ttl, "oauth2-refresh");
 end
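Review bot: The new helper `may_issue_refresh_token` indexes `client.grant_types` with no nil guard, while the context line `if client then` at the top of `new_access_token` in this same hunk suggests `client` can be nil at that point; the old condition never touched `client`, so a nil client that previously received a refresh token would now raise an "attempt to index a nil value" error rather than simply being refused one. Refusing is the right outcome for a refresh token, so make the helper fail closed explicitly: `return client ~= nil and client.grant_types ~= nil and array_contains(client.grant_types, "refresh_token") and array_contains(parse_scopes(scope_string), "offline_access");` — whether `array_contains` itself tolerates a nil list is not visible here, so the `grant_types ~= nil` test may be redundant but is harmless. A one-line comment on the helper would also help: `-- A refresh token requires both a client registered for the refresh_token grant type and an offline_access scope request.` The body of `new_access_token` continues past this hunk.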
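Review bot: The comment `-- in with the new refresh token` on the context line above the changed condition no longer explains why a refresh token may be withheld, now that the decision depends on the client's registered grant types as well as the requested scope. Suggest `-- in with the new refresh token, but only if the client registered the refresh_token grant type and requested offline_access` so a reader does not have to open the helper to learn both preconditions. The enclosing function `new_access_token` starts in the previous hunk and its body continues outside this one.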