mod_http_oauth2: Bind refresh tokens to client Prevent one OAuth client from using the refresh tokens issued to another client as required by RFC 6819 section 5.2.2.2 See also draft-ietf-oauth-security-topics-22 section 2.2.2 Thanks to OAuch for pointing out this issue

mod_http_oauth2: Record hash of client_id to allow future verification RFC 6819 section 5.2.2.2 states that refresh tokens MUST be bound to the client. In order to do that, we must record something that can definitely tie the client to the grant. Since the full client_id is so large (why we have this client_subset function), a hash is stored instead.

mod_http_oauth2: Add client verification wrapper function Fixes the weird ok, data return format from util.jit, but the real reason is to add some preparation steps here.

mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 These are mostly for the various Client-facing endpoints, so the chance of browsers being involved is slightly lower than with the User-facing authorization endpoint, which already sent the Cache-Control header. Thanks to OAuch for pointing out.

mod_http_oauth2: Linkify mod_client_management in README

mod_http_oauth2: Fix messed up section about redirect_uris requirements

mod_http_oauth2: Restructure description of client metadata requirements Previously quite a compact block of text, maybe this is easier to read.

mod_http_oauth2: Correct loopback URL example The s in the scheme should not be there, only unencrypted http to loopback interface is allowed.

mod_groups_oidc: Expose groups to OAuth clients

mod_oidc_userinfo_vcard4: Advertise OpenID scopes via new mechanism