ReadonlyauthenticatedReadonlybodyOptional ReadonlyipOptional ReadonlyissuerReadonlymetadataReadonlysessionReadonly property — wholesale ctx.session = {…} replacement is rejected
at compile time. Field-level mutation (ctx.session.isAuthenticated = …)
is intentionally still allowed because handlers write through Express's
req.session object; SessionData mirrors that mutable surface.
Optional ReadonlytokenSender-binding established by tokenBindingMw before grant dispatch.
undefined when no binding mechanism is enabled, when the request
did not carry the required proof / cert, or when the grant is
invoked outside the standard /token route. Grant handlers that
issue tokens propagate tokenBinding.confirmation into
GenerateTokenOptions.confirmation. See Wave 2 Token-binding Cluster
spec §4.1.
Optional Readonlyuser
The authenticated client established by
clientAuthMwbefore grant dispatch on/token. Grant handlers that bind tokens to client identity (authorization code, refresh, token-exchange) MUST use this field rather thanbody.client_id— the body is attacker-controlled and bypasses RFC 6749 §2.3 authentication.nullwhen the grant is invoked outside the standard/tokenroute (custom wiring, direct unit-test invocation). Handlers that rely on a client identity SHOULD rejectnullwithinvalid_client401.