revert to review comments

Signed-off-by: Sanskarzz <sanskar.gur@gmail.com>

Author: Sanskarzz

docs/server/docs.go

@@ -519,6 +519,7 @@ type OAuthFlowConfig struct {
 	RegistrationAccessToken string    //nolint:gosec // G117: field legitimately holds sensitive data
 	RegistrationClientURI   string
 	TokenEndpointAuthMethod string
+	RegisteredCallbackPort  int
 }
 
 // OAuthFlowResult contains the result of an OAuth flow
@@ -543,6 +544,7 @@ type OAuthFlowResult struct {
 	RegistrationAccessToken string //nolint:gosec // G117: field legitimately holds sensitive data
 	RegistrationClientURI   string
 	TokenEndpointAuthMethod string
+	RegisteredCallbackPort  int
 }
 
 func shouldDynamicallyRegisterClient(config *OAuthFlowConfig) bool {
@@ -615,20 +617,12 @@ func PerformOAuthFlow(ctx context.Context, issuer string, config *OAuthFlowConfi
 // exists.
 //
 // One consequence of option (b) is that the resolver's RFC 7591 §3.2.1
-// expiry-driven refetch does NOT participate in the CLI's cross-
-// invocation persistence loop: each PerformOAuthFlow call builds a fresh
-// in-memory store, so a "cached but expired" entry from the previous
-// invocation never reaches the resolver. Cross-invocation expiry is also
-// NOT enforced by the remote handler's gate today —
-// HasCachedClientCredentials only checks CachedClientID != "" and does
-// not consult CachedSecretExpiry, so an expired-but-still-cached client
-// gets reused on the next invocation and surfaces as a token-endpoint
-// failure rather than a clean DCR re-registration. Tightening the gate
-// to also check CachedSecretExpiry is open follow-up work; the
-// behaviour today is "cross-invocation expiry is unhandled". Within a
-// single invocation, the resolver's expiry check is still in the loop
-// and would fire if the same call site somehow registered, persisted,
-// and re-queried the in-memory store — but the CLI never does this today.
+// expiry-driven refetch does NOT participate in the CLI's cross-invocation
+// persistence loop: each PerformOAuthFlow call builds a fresh in-memory store,
+// so a cached entry from a previous invocation never reaches the resolver.
+// Cross-invocation client-secret expiry is handled instead by the remote
+// handler, which consults CachedSecretExpiry and renews through RFC 7592 before
+// cached credentials are used.
 //
 // Wrapping the remote handler's secretProvider into a dcr.CredentialStore
 // adapter (option (a)) would close that loop and is the natural follow-up;
@@ -677,27 +671,14 @@ func handleDynamicRegistration(ctx context.Context, issuer string, config *OAuth
 	}
 
 	// Store DCR renewal metadata for RFC 7592 operations.
-	// client_secret_expires_at == 0 means the secret never expires (RFC 7591 §3.2.1).
-	if registrationResponse.ClientSecretExpiresAt > 0 {
-		config.SecretExpiry = time.Unix(registrationResponse.ClientSecretExpiresAt, 0)
-	}
-	config.RegistrationAccessToken = registrationResponse.RegistrationAccessToken
-	config.RegistrationClientURI = registrationResponse.RegistrationClientURI
-
-	if registrationResponse.RegistrationAccessToken != "" {
-		slog.Debug("DCR response includes registration access token for RFC 7592 operations")
-	}
-
-	// Store DCR renewal metadata for RFC 7592 operations.
-	// client_secret_expires_at == 0 means the secret never expires (RFC 7591 §3.2.1).
-	if registrationResponse.ClientSecretExpiresAt > 0 {
-		config.SecretExpiry = time.Unix(registrationResponse.ClientSecretExpiresAt, 0)
-	}
-	config.RegistrationAccessToken = registrationResponse.RegistrationAccessToken
-	config.RegistrationClientURI = registrationResponse.RegistrationClientURI
-	config.TokenEndpointAuthMethod = registrationResponse.TokenEndpointAuthMethod
-
-	if registrationResponse.RegistrationAccessToken != "" {
+	// A zero ClientSecretExpiresAt means the secret never expires (RFC 7591 §3.2.1).
+	config.SecretExpiry = resolution.ClientSecretExpiresAt
+	config.RegistrationAccessToken = resolution.RegistrationAccessToken
+	config.RegistrationClientURI = resolution.RegistrationClientURI
+	config.TokenEndpointAuthMethod = resolution.TokenEndpointAuthMethod
+	config.RegisteredCallbackPort = config.CallbackPort
+
+	if resolution.RegistrationAccessToken != "" {
 		slog.Debug("DCR response includes registration access token for RFC 7592 operations")
 	}
 
@@ -938,6 +919,7 @@ func newOAuthFlow(ctx context.Context, oauthConfig *oauth.Config, config *OAuthF
 		RegistrationAccessToken: config.RegistrationAccessToken,
 		RegistrationClientURI:   config.RegistrationClientURI,
 		TokenEndpointAuthMethod: config.TokenEndpointAuthMethod,
+		RegisteredCallbackPort:  config.RegisteredCallbackPort,
 	}, nil
 }
 

docs/server/swagger.json

@@ -86,6 +86,10 @@ type Config struct {
 	// CachedTokenEndpointAuthMethod is the auth method used for the token endpoint
 	// (e.g., "client_secret_basic", "none"). Persisted for RFC 7592 updates.
 	CachedTokenEndpointAuthMethod string `json:"cached_token_auth_method,omitempty" yaml:"cached_token_auth_method,omitempty"`
+	// CachedDCRCallbackPort is the callback port that was actually registered
+	// during DCR. It may differ from CallbackPort when the requested port was
+	// unavailable and a fallback port was selected.
+	CachedDCRCallbackPort int `json:"cached_dcr_callback_port,omitempty" yaml:"cached_dcr_callback_port,omitempty"`
 }
 
 // BearerTokenEnvVarName is the environment variable name used for bearer token authentication.
@@ -194,6 +198,7 @@ func (c *Config) ClearCachedClientCredentials() {
 	c.CachedRegTokenRef = ""
 	c.CachedRegClientURI = ""
 	c.CachedTokenEndpointAuthMethod = ""
+	c.CachedDCRCallbackPort = 0
 }
 
 // LogContext returns the upstream issuer and resolved client_id for use as