···4848 // At least one redirect URI is required.
4949 RedirectURIs []string `json:"redirect_uris"`
50505151- // confidential clients must set this to `private_key_jwt`
5151+ // confidential clients must set this to `private_key_jwt`; public must be `none`
5252+ // TODO: should this be string not *string?
5253 TokenEndpointAuthMethod *string `json:"token_endpoint_auth_method,omitempty"`
53545455 // `none` is never allowed here. The current recommended and most-supported algorithm is ES256, but this may evolve over time.
···5859 DpopBoundAccessTokens bool `json:"dpop_bound_access_tokens"`
59606061 // confidential clients must supply at least one public key in JWK format for use with JWT client authentication. Either this field or the `jwks_uri` field must be provided for confidential clients, but not both.
6161- JWKS []crypto.JWK `json:"jwks,omitempty"`
6262+ JWKS *JWKS `json:"jwks,omitempty"`
62636364 // URL pointing to a JWKS JSON object. See `jwks` above for details.
6465 JWKSUri *string `json:"jwks_uri,omitempty"`
···81828283// returns 'true' if client metadata indicates that this is a confidential client
8384func (m *ClientMetadata) IsConfidential() bool {
8484- if (m.JWKSUri != nil || len(m.JWKS) > 0) && (m.TokenEndpointAuthMethod != nil && *m.TokenEndpointAuthMethod == "private_key_jwt") {
8585+ if (m.JWKSUri != nil || (m.JWKS != nil && len(m.JWKS.Keys) > 0)) && (m.TokenEndpointAuthMethod != nil && *m.TokenEndpointAuthMethod == "private_key_jwt") {
8586 return true
8687 }
8788···277278278279 // Optional account identifier (DID or handle) to help with user account login and/or account switching
279280 LoginHint *string `url:"login_hint,omitempty"`
281281+282282+ // Optional hint to auth server of what expected auth behavior should be. Eg, 'create', 'none', 'consent', 'login', 'select_account'
283283+ Prompt *string `url:"prompt,omitempty"`
280284281285 // Always "code"
282286 ResponseType string `url:"response_type"`
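Review bot: In `IsConfidential`, a client that declares `private_key_jwt` but supplies a `jwks` object with an empty `keys` array (and no `jwks_uri`) fails the new condition. Assuming the code past the visible lines returns false, that client is classified as public rather than rejected, which could relax the client authentication expected of it at the token endpoint. The `||` also accepts `jwks` and `jwks_uri` both being set, although the field comment says "but not both". No validation path is visible on this page, so I would at least document the contract on the method: `// IsConfidential does not validate metadata; inconsistent combinations (private_key_jwt without keys, or both jwks and jwks_uri) must be rejected by validation before this result is trusted.` The function body continues outside the hunk.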