Changeset

--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Jun 02 12:59:32 2025 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Mon Jun 02 20:55:20 2025 +0200
@@ -878,6 +878,19 @@
 	if not grant_handler then
 		return oauth_error("invalid_request", "No such grant type.");
 	end
+
+	local grant_type_allowed = false;
+	for _, client_grant_type in ipairs(client.grant_types or { "authorization_code" }) do
+		if client_grant_type == grant_type then
+			grant_type_allowed = true;
+			break
+		end
+	end
+
+	if not grant_type_allowed then
+		return oauth_error("invalid_request", "'grant_type' not registered");
+	end
+
 	return grant_handler(params, client);
 end