Public client without authentication method #128
Labels
bug
Something isn't working
Comments
|
This makes sense. We basically need to take the 'client_secret_post' path whenever there's no |
evert
added a commit
that referenced
this issue
Nov 16, 2023
This was referenced Sep 10, 2024
This was referenced Sep 21, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I want to use OAuth public client with code flow and PKCE. The issue is with token request, which must include client_id in this case according to the https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3. This library adds the client_id to the token request only if the "settins.authenticationMethod" equals to "client_secret_post" which is wrong IMO. It should be added even if no authenticationMethod is used.
Another issue is if I do not provide "authenticationMethod" in settings, this library will use the first authentication method from OAuth server metadata (token_endpoint_auth_methods_supported). For example, if the server metadata contains ["client_secret_basic"], then the library will include Authorization HTTP header with basic authentication even if I do not intend to use any.
The text was updated successfully, but these errors were encountered: