refactor: changed the default client authentication

panva · Oct 7, 2024 · 4fe3f2c · 4fe3f2c
1 parent f0e7919
commit 4fe3f2c
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 15 deletions.
diff --git a/src/index.ts b/src/index.ts
@@ -97,12 +97,12 @@ export interface PrivateKey {
 /**
  * Supported Client Authentication Methods.
  *
- * - **`client_secret_basic`** (default) uses the HTTP `Basic` authentication scheme to send
+ * - **`client_secret_post`** (default) uses the HTTP request body to send
+ *   {@link Client.client_id `client_id`} and {@link Client.client_secret `client_secret`} as
+ *   `application/x-www-form-urlencoded` body parameters.
+ * - **`client_secret_basic`** uses the HTTP `Basic` authentication scheme to send
  *   {@link Client.client_id `client_id`} and {@link Client.client_secret `client_secret`} in an
  *   `Authorization` HTTP Header.
- * - **`client_secret_post`** uses the HTTP request body to send {@link Client.client_id `client_id`}
- *   and {@link Client.client_secret `client_secret`} as `application/x-www-form-urlencoded` body
- *   parameters.
  * - **`private_key_jwt`** uses the HTTP request body to send {@link Client.client_id `client_id`},
  *   `client_assertion_type`, and `client_assertion` as `application/x-www-form-urlencoded` body
  *   parameters. The `client_assertion` is signed using a private key supplied as an
@@ -123,8 +123,8 @@ export interface PrivateKey {
  * @see [RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication (Self-Signed Certificate Mutual-TLS Method)](https://www.rfc-editor.org/rfc/rfc8705.html#name-self-signed-certificate-mut)
  */
 export type ClientAuthenticationMethod =
-  | 'client_secret_basic'
   | 'client_secret_post'
+  | 'client_secret_basic'
   | 'private_key_jwt'
   | 'none'
   | 'tls_client_auth'
@@ -881,10 +881,9 @@ export interface Client {
    * Client secret.
    */
   client_secret?: string
-  // TODO: Make client_secret_post the default in v3.x
   /**
    * Client {@link ClientAuthenticationMethod authentication method} for the client's authenticated
-   * requests. Default is `client_secret_basic`.
+   * requests. Default is `client_secret_post`.
    */
   token_endpoint_auth_method?: ClientAuthenticationMethod
   /**
@@ -1755,6 +1754,12 @@ async function clientAuthentication(
   body.delete('client_assertion')
   switch (client.token_endpoint_auth_method) {
     case undefined: // Fall through
+    case 'client_secret_post': {
+      assertNoClientPrivateKey('client_secret_post', clientPrivateKey)
+      body.set('client_id', client.client_id)
+      body.set('client_secret', assertClientSecret(client.client_secret))
+      break
+    }
     case 'client_secret_basic': {
       assertNoClientPrivateKey('client_secret_basic', clientPrivateKey)
       headers.set(
@@ -1763,12 +1768,6 @@ async function clientAuthentication(
       )
       break
     }
-    case 'client_secret_post': {
-      assertNoClientPrivateKey('client_secret_post', clientPrivateKey)
-      body.set('client_id', client.client_id)
-      body.set('client_secret', assertClientSecret(client.client_secret))
-      break
-    }
     case 'private_key_jwt': {
       assertNoClientSecret('private_key_jwt', client.client_secret)
       if (clientPrivateKey === undefined) {

diff --git a/test/client_auth.test.ts b/test/client_auth.test.ts
@@ -34,7 +34,7 @@ test('client_secret_basic', async (t) => {
 
   await lib.revocationRequest(
     { ...issuer, revocation_endpoint: endpoint('test-basic') },
-    { ...client, client_secret: 'foo' },
+    { ...client, client_secret: 'foo', token_endpoint_auth_method: 'client_secret_basic' },
     'token',
   )
   t.pass()
@@ -63,7 +63,35 @@ test('client_secret_basic (appendix b)', async (t) => {
 
   await lib.revocationRequest(
     { ...issuer, revocation_endpoint: endpoint('test-basic-encoding') },
-    { ...client, client_id: ' %&+£€', client_secret: ' %&+£€' },
+    {
+      ...client,
+      client_id: ' %&+£€',
+      client_secret: ' %&+£€',
+      token_endpoint_auth_method: 'client_secret_basic',
+    },
+    'token',
+  )
+  t.pass()
+})
+
+test('client_secret_post (default)', async (t) => {
+  t.context
+    .intercept({
+      path: '/test-post',
+      method: 'POST',
+      headers(headers) {
+        return !('authorization' in headers)
+      },
+      body(body) {
+        const params = new URLSearchParams(body)
+        return params.get('client_id') === client.client_id && params.get('client_secret') === 'foo'
+      },
+    })
+    .reply(200, '')
+
+  await lib.revocationRequest(
+    { ...issuer, revocation_endpoint: endpoint('test-post') },
+    { ...client, client_secret: 'foo' },
     'token',
   )
   t.pass()