Changeset

6285:b460b2a65f0b

mod_http_oauth2: Remove now redundant client_id check from remaining grant handlers. Missed these in 2505542c6c50
author Kim Alvefur <zash@zash.se>
date Tue, 03 Jun 2025 01:11:37 +0200
parents 6284:f96923cd35f6
children 6286:ef81c67e1ae7
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 2 insertions(+), 26 deletions(-) [+]
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue Jun 03 10:45:45 2025 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue Jun 03 01:11:37 2025 +0200
@@ -552,21 +552,9 @@
 	return json.encode(new_access_token(code.granted_jid, code.granted_role, code.granted_scopes, client, code.id_token));
 end
 
-function grant_type_handlers.refresh_token(params)
-	if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
-	if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
+function grant_type_handlers.refresh_token(params, client)
 	if not params.refresh_token then return oauth_error("invalid_request", "missing 'refresh_token'"); end
 
-	local client = check_client(params.client_id);
-	if not client then
-		return oauth_error("invalid_client", "incorrect credentials");
-	end
-
-	if not verify_client_secret(params.client_id, params.client_secret) then
-		module:log("debug", "client_secret mismatch");
-		return oauth_error("invalid_client", "incorrect credentials");
-	end
-
 	local refresh_token_info = tokens.get_token_info(params.refresh_token);
 	if not refresh_token_info or refresh_token_info.purpose ~= "oauth2-refresh" then
 		return oauth_error("invalid_grant", "invalid refresh token");
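Review bot: `grant_type_handlers.refresh_token(params, client)` now relies entirely on its caller to have authenticated the client, and nothing at the function states that precondition; the same applies to the device-code handler in the next hunk. A short comment above the signature, such as `-- 'client' must already be authenticated by the token endpoint; this handler performs no client_secret check`, would keep a later direct caller from silently skipping the verification that used to live here. The function body continues past the end of this hunk, so it is not visible whether the refresh token is checked as having been issued to this same `client`. That binding is worth confirming, since a refresh token redeemable by any authenticated client would defeat the purpose of client authentication on this grant.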
@@ -598,21 +586,9 @@
 	return json.encode(new_access_token(refresh_token_info.jid, role, new_scopes, client, nil, refresh_token_info));
 end
 
-grant_type_handlers[device_uri] = function(params)
-	if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
-	if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
+grant_type_handlers[device_uri] = function(params, client)
 	if not params.device_code then return oauth_error("invalid_request", "missing 'device_code'"); end
 
-	local client = check_client(params.client_id);
-	if not client then
-		return oauth_error("invalid_client", "incorrect credentials");
-	end
-
-	if not verify_client_secret(params.client_id, params.client_secret) then
-		module:log("debug", "client_secret mismatch");
-		return oauth_error("invalid_client", "incorrect credentials");
-	end
-
 	local code = codes:get("device_code:" .. params.client_id .. "#" .. params.device_code);
 	if type(code) ~= "table" or code_expired(code) then
 		return oauth_error("expired_token");
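Review bot: The `codes:get` lookup key is still built from the request-supplied `params.client_id`, even though the `missing 'client_id'` guard was removed and the verified `client` is now passed in. If the dispatcher can ever reach this handler with `params.client_id` unset, the `..` concatenation raises a Lua error instead of returning an OAuth error response. The device code's binding to its client also now depends on `params.client_id` being exactly the id that was authenticated upstream. Presumably the caller guarantees both, but that is not visible here; either record it with `-- params.client_id was validated by the caller and identifies 'client'`, or build the key from the `client` value if it carries the id. The handler body continues outside the hunk.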