--- a/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:34:31 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:39:32 2023 +0200
@@ -812,15 +812,18 @@
-- Do we want to keep everything?
local client_id = jwt_sign(client_metadata);
- local client_secret = make_client_secret(client_id);
client_metadata.client_id = client_id;
- client_metadata.client_secret = client_secret;
client_metadata.client_id_issued_at = os.time();
- client_metadata.client_secret_expires_at = 0;
- if not registration_options.accept_expired then
- client_metadata.client_secret_expires_at = client_metadata.client_id_issued_at + (registration_options.default_ttl or 3600);
+ if client_metadata.token_endpoint_auth_method ~= "none" then
+ local client_secret = make_client_secret(client_id);
+ client_metadata.client_secret = client_secret;
+ client_metadata.client_secret_expires_at = 0;
+
+ if not registration_options.accept_expired then
+ client_metadata.client_secret_expires_at = client_metadata.client_id_issued_at + (registration_options.default_ttl or 3600);
+ end
end
return client_metadata;
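Review bot: The new `if client_metadata.token_endpoint_auth_method ~= "none" then` branch decides whether a secret is issued from a field supplied in the registration request. The code that later authenticates clients therefore has to make the same decision from the registered value (presumably recoverable from the signed `client_id`), never from whether a request happened to carry a secret. That code is outside this hunk, so it cannot be confirmed here; if it treats "no secret sent" as "public client", a client registered with a secret could be used without one. I would add a comment above the branch, e.g. `-- public clients ("none") get no secret; the token endpoint must check the registered auth method`, and confirm that secretless clients are limited to PKCE-protected flows. An absent `token_endpoint_auth_method` still receives a secret here, which is the safe default, and the enclosing function starts before the hunk.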