
6334:9b03238d4e0e

mod_http_oauth2: Only issue id_token when granted openid scope OpenID Connect Core 1.0 states that OIDC is only being done if the "openid" scope is included. https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1 Fewer details given out by default is good for privacy and byte count.
author Kim Alvefur <zash@zash.se>
date Tue, 15 Jul 2025 01:46:38 +0200
parents 6333:dbbbd5caf292
children 6335:9102d75131e4
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 14 insertions(+), 10 deletions(-) [+]
--- a/mod_http_oauth2/mod_http_oauth2.lua	Thu Jul 10 10:15:35 2025 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue Jul 15 01:46:38 2025 +0200
@@ -1050,16 +1050,20 @@
 	params.scope = granted_scopes:concat(" ");
 
 	local user_jid = jid.join(auth_state.user.username, module.host);
-	local client_secret = make_client_secret(params.client_id);
-	local id_token_signer = jwt.new_signer("HS256", client_secret);
-	local id_token = id_token_signer({
-		iss = get_issuer();
-		sub = url.build({ scheme = "xmpp"; path = user_jid });
-		aud = params.client_id;
-		auth_time = auth_state.user.iat;
-		nonce = params.nonce;
-		amr = auth_state.user.amr; -- RFC 8176: Authentication Method Reference Values
-	});
+	local id_token;
+	-- https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1
+	if array_contains(granted_scopes, "openid") then
+		local client_secret = make_client_secret(params.client_id);
+		local id_token_signer = jwt.new_signer("HS256", client_secret);
+		id_token = id_token_signer({
+			iss = get_issuer();
+			sub = url.build({ scheme = "xmpp"; path = user_jid });
+			aud = params.client_id;
+			auth_time = auth_state.user.iat;
+			nonce = params.nonce;
+			amr = auth_state.user.amr; -- RFC 8176: Authentication Method Reference Values
+		});
+	end
 	local ret = response_handler(client, params, user_jid, id_token);
 	if errors.is_err(ret) then
 		return error_response(request, redirect_uri, ret);
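Review bot: Leaving `id_token` nil when `openid` was not granted means `response_handler(client, params, user_jid, id_token)` on the last context line now receives a nil fourth argument, and a request whose response_type requires an ID Token (`id_token` or `code id_token`) that reaches this point without the `openid` scope would get a degraded response instead of an error; OIDC Core expects such a request to be rejected, so an explicit check before this block (or inside `response_handler`) returning an `invalid_scope` or `invalid_request` error would be safer than relying on each handler tolerating nil. I cannot see from the hunk whether response_type validation upstream already ties those response types to the `openid` scope; if it does, a comment here saying so would save the next reader the same question. The bare URL comment above the `if` would also read better with the rule spelled out, e.g. `-- OIDC Core 1.0 §3.1.2.1: only issue an ID Token when the "openid" scope was granted; id_token stays nil otherwise`. The enclosing function starts and ends outside the hunk.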