mod_http_oauth2: Strip unknown extra fields from client registration We shouldn't sign things we don't understand! RFC 7591 section-2 states: > The authorization server MUST ignore any client metadata sent by the > client that it does not understand (for instance, by silently removing > unknown metadata from the client's registration record during > processing). Prevents grandfathering in of unvalidated data that might become used later, especially since the 'additionalProperties' schema keyword was removed in 698fef74ce53

mod_http_oauth2: Simplify validation of various URIs Why: diffstat How: Reuse of the redirect_uri_allowed() function

mod_http_oauth2: More appropriate error conditions in client validation Specified in RFC7591 for these kinds of issues.

mod_http_oauth2: Reject loopback URIs as client_uri This really should be a proper website with info, https://localhost is not good enough. Ideally we'd validate that it's got proper DNS and is actually reachable, but triggering HTTP or even DNS lookups seems like it would carry abuse potential that would best to avoid.

mod_http_oauth2: Reduce line count of metadata construction More compact and readable than long if-then chains

mod_http_oauth2: Advertise response modes Are you supposed to be able to influence these somewhere, or is this just response types with different labels?

mod_http_oauth2: Advertise supported grant types Seems redundant, since it's just the response types with other labels.

mod_http_oauth2: Advertise revocation endpoint in metadata How were you supposed to know this was supported otherwise? It support Basic auth and ... none?

mod_http_oauth2: Return status 405 for GET to endpoints without GET handler Endpoints that only do POST have the weird side effect that a GET query to them return 404, which doesn't quite feel like the right semantics.

mod_inotify_reload: Update to use FD watching method This removes the need to present a fake socket interface, simplifying everything.