mod_http_oauth2: Show only roles the user can use in consent dialog
Confusing if it shows you roles you can't use.
--- a/mod_http_oauth2/mod_http_oauth2.lua Fri May 12 11:11:38 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Fri May 12 11:58:20 2023 +0200
@@ -682,6 +682,7 @@
elseif auth_state.consent == nil then
-- Render consent page
local scopes, roles = split_scopes(requested_scopes);
+ roles = user_assumable_roles(auth_state.user.username, roles);
return render_page(templates.consent, { state = auth_state; client = client; scopes = scopes+roles }, true);
elseif not auth_state.consent then
-- Notify client of rejection
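Review bot: The `user_assumable_roles` filter added in the consent-page branch affects only what is rendered, and nothing in this hunk shows that the scope eventually granted is filtered the same way. If the later grant path still works from the unfiltered `requested_scopes`, the roles the user approved and the roles attached to the token could diverge. It is worth confirming that the grant path applies the same filter and recording it here, for example `-- display only: the granted scope must be filtered with user_assumable_roles again at issuance`. The expression `scopes+roles` also assumes the value returned by `user_assumable_roles` supports `+` like the one from `split_scopes`, which is not visible here. The enclosing function starts and ends outside the hunk.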