mod_http_oauth2: Add FIXME about loopback redirect URIs I assume you can't possibly pre-register every port

mod_http_oauth2: Rename variables to improve clarity

mod_http_oauth2: Do minimal validation of private-use URI schemes Per draft-ietf-oauth-v2-1-08#section-2.3.1 > At a minimum, any private-use URI scheme that doesn't contain a period > character (.) SHOULD be rejected. Since this would rule out the OOB URI, which is useful for CLI tools and such without a built-in http server, it is explicitly allowed.

mod_http_oauth2: Reject relative redirect URIs Also prevents a nil scheme from causing trouble

mod_http_oauth2: Reject duplicate list items in client registration Useless waste of space

mod_http_oauth2: Require non-empty arrays in client registration Makes no sense to claim to support nothing.

mod_http_oauth2: Reject duplicate redirect URIs in registration

mod_http_oauth2: Fix schema to enforce at least one redirect URI minLength is for strings

mod_http_oauth2: Show only roles the user can use in consent dialog Confusing if it shows you roles you can't use.

mod_http_oauth2: Reference grant by id instead of value Fixes that the grant got mutated on use of refresh token, notably it would gain 'id' and 'jid' properties set there by mod_tokenauth. Previously also the secret token that we should not be remembering.