Public client without authentication method #128

Closed
Xbloud opened this issue Nov 14, 2023 · 1 comment · Fixed by #129
Labels: bug (Something isn't working)

Comments


Xbloud commented Nov 14, 2023

I want to use an OAuth public client with the code flow and PKCE. The issue is with the token request, which must include client_id in this case according to https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3. This library adds the client_id to the token request only if "settings.authenticationMethod" equals "client_secret_post", which is wrong IMO. It should be added even if no authenticationMethod is used.
Another issue is that if I do not provide "authenticationMethod" in settings, this library will use the first authentication method from the OAuth server metadata (token_endpoint_auth_methods_supported). For example, if the server metadata contains ["client_secret_basic"], then the library will include an Authorization HTTP header with basic authentication even if I do not intend to use any.

evert added the bug (Something isn't working) label Nov 16, 2023

evert (Collaborator) commented Nov 16, 2023

This makes sense. We basically need to take the 'client_secret_post' path whenever there's no client_secret. This is probably a regression since 2.1.0, so downgrading to 2.0.18 probably temporarily fixes this.
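As an added example (not the library's own code), the selection and request-building logic the thread describes: a client with no client_secret is a public client and takes the 'client_secret_post' path, so client_id goes in the body and no Authorization header is sent, whatever the server metadata lists first. The `settings` shape, the metadata object and all sample values are constructed for illustration.

```javascript
// Added example, not the library's code. Settings shape, metadata and sample values are constructed.

// Choose the client authentication method for the token request.
// Explicit setting wins; otherwise a client without a secret is public and
// must use client_secret_post; only confidential clients fall back to the
// server metadata (RFC 8414 token_endpoint_auth_methods_supported).
function selectAuthMethod(settings, serverMetadata) {
  if (settings.authenticationMethod) return settings.authenticationMethod;
  if (!settings.clientSecret) return 'client_secret_post';
  const supported = serverMetadata && serverMetadata.token_endpoint_auth_methods_supported;
  if (Array.isArray(supported) && supported.length > 0) return supported[0];
  return 'client_secret_basic';
}

// Build headers and form body for the authorization-code grant (RFC 6749 section 4.1.3)
// carrying the PKCE code_verifier (RFC 7636 section 4.5).
function buildTokenRequest(settings, serverMetadata, { code, redirectUri, codeVerifier }) {
  const method = selectAuthMethod(settings, serverMetadata);
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri,
    code_verifier: codeVerifier,
  });
  switch (method) {
    case 'client_secret_basic':
      if (!settings.clientSecret) throw new Error('client_secret_basic requires a client_secret');
      // RFC 6749 section 2.3.1: form-encode id and secret, then HTTP Basic.
      headers.Authorization = 'Basic ' + Buffer.from(
        `${encodeURIComponent(settings.clientId)}:${encodeURIComponent(settings.clientSecret)}`,
      ).toString('base64');
      break;
    case 'client_secret_post':
      // client_id is always sent in the body; client_secret only if the client has one.
      body.set('client_id', settings.clientId);
      if (settings.clientSecret) body.set('client_secret', settings.clientSecret);
      break;
    default:
      throw new Error(`unsupported authentication method: ${method}`);
  }
  return { method, headers, body: body.toString() };
}

// Constructed sample: public client, server advertises only client_secret_basic.
const publicClient = { clientId: 'spa-client' };
const metadata = { token_endpoint_auth_methods_supported: ['client_secret_basic'] };
console.log(buildTokenRequest(publicClient, metadata, {
  code: 'constructed-auth-code', redirectUri: 'https://app.example/cb', codeVerifier: 'constructed-verifier',
}));
```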
