# HG changeset patch
# User Kim Alvefur
# Date 1752536798 -7200
# Node ID 9b03238d4e0e5dbbacbd6df4731a5dfc711ca254
# Parent dbbbd5caf292d95c66f6e12e609dba5a629205f7
mod_http_oauth2: Only issue id_token when granted openid scope
OpenID Connect Core 1.0 states that OIDC is only being done if the "openid" scope is included. https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1 Less details given out by default is good for privacy and byte count.
diff -r dbbbd5caf292 -r 9b03238d4e0e mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Thu Jul 10 10:15:35 2025 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Tue Jul 15 01:46:38 2025 +0200
@@ -1050,16 +1050,20 @@
 params.scope = granted_scopes:concat(" ");
 local user_jid = jid.join(auth_state.user.username, module.host);
- local client_secret = make_client_secret(params.client_id);
- local id_token_signer = jwt.new_signer("HS256", client_secret);
- local id_token = id_token_signer({
- iss = get_issuer();
- sub = url.build({ scheme = "xmpp"; path = user_jid });
- aud = params.client_id;
- auth_time = auth_state.user.iat;
- nonce = params.nonce;
- amr = auth_state.user.amr; -- RFC 8176: Authentication Method Reference Values
- });
+ local id_token;
+ -- https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1
+ if array_contains(granted_scopes, "openid") then
+ local client_secret = make_client_secret(params.client_id);
+ local id_token_signer = jwt.new_signer("HS256", client_secret);
+ id_token = id_token_signer({
+ iss = get_issuer();
+ sub = url.build({ scheme = "xmpp"; path = user_jid });
+ aud = params.client_id;
+ auth_time = auth_state.user.iat;
+ nonce = params.nonce;
+ amr = auth_state.user.amr; -- RFC 8176: Authentication Method Reference Values
+ });
+ end
 local ret = response_handler(client, params, user_jid, id_token);
 if errors.is_err(ret) then
 return error_response(request, redirect_uri, ret);
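Review bot: `response_handler(client, params, user_jid, id_token)` now receives `nil` as its fourth argument for every grant that did not include the "openid" scope, and nothing in the hunk shows that each response handler tolerates a missing id_token (for example when assembling the token response body), so that should be confirmed before this lands. The new comment is only a URL; a one-line explanation such as `-- Per OIDC Core 3.1.2.1 an ID Token is issued only for OpenID Connect requests, i.e. when the "openid" scope was granted; plain OAuth 2.0 grants get none.` would tell the next reader why the token is conditional. `array_contains` is not defined within the hunk, so it is presumably a module-level helper (the same list object already offers `:concat`); if it is not in scope in this file the check becomes a global lookup that errors at runtime. The enclosing function starts and ends outside the hunk.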