mod_http_oauth2: Calculate client secret expiry in registration response
Not actually the client_secret that expires, but the client_id JWT.
Returning '0' indicating no expiry was incorrect unless JWT expiry is
turned off, which we check for now.
--- a/mod_http_oauth2/mod_http_oauth2.lua Sat Mar 04 13:23:26 2023 +0000
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sat Mar 04 17:06:47 2023 +0100
@@ -423,6 +423,9 @@
client_id_issued_at = os.time();
client_secret_expires_at = 0;
}
+ if not registration_options.accept_expired then
+ client_desc.client_secret_expires_at = client_desc.client_id_issued_at + (registration_options.default_ttl or 3600);
+ end
return {
status_code = 201;