
Support for client_secret_basic

Open orsolli opened this issue 6 years ago • 5 comments

Related to Issue #843

This library uses client_secret_post which puts the client_id and client_secret in the body.

You should support client_secret_basic, where client_id and client_secret are base64 encoded in the Authorization header in accordance with the OAuth 2.0 and OpenID Connect specifications.

The OAuth 2.0 Authorization Framework - 2.3.1. Client Authentication
OpenID Connect Core 1.0 - 9. Client Authentication

orsolli avatar Jul 09 '19 15:07 orsolli

My preference for this would be a property named token_endpoint_auth_method given to the UserManager configuration. It's worth mentioning there are other auth methods too:

https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method

  • none
  • client_secret_basic
  • client_secret_jwt
  • client_secret_post
  • private_key_jwt

AshUK avatar Jun 04 '20 16:06 AshUK

Hi, when will support for client_secret_post be released?

damiandragowski avatar Jul 02 '20 11:07 damiandragowski

It would be good to have support for basic auth, since using post is not recommended.

https://tools.ietf.org/html/rfc6749#section-2.3.1

Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes).

thorstenfleischmann avatar Nov 17 '20 12:11 thorstenfleischmann
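The difference between the two methods discussed in the opening post and in the RFC 6749 quote above, shown as an added example (this is not oidc-client-js code, and the function names and the `tokenEndpointAuthMethod` option are assumptions modelled on the property AshUK proposed). It builds the same authorization_code token request with client_secret_post and with client_secret_basic, and includes the detail that RFC 6749 section 2.3.1 requires for Basic: client_id and client_secret are form-urlencoded before being joined with ":" and base64 encoded, so a secret containing ":" or "@" cannot be mis-split by the server. A decoder for the server side is included so the round trip can be checked.

```javascript
// Added example, not part of oidc-client-js. Runs under Node.js (uses Buffer).
// Demonstrates client_secret_post vs client_secret_basic for the token endpoint
// (RFC 6749 section 2.3.1, OpenID Connect Core section 9).

// application/x-www-form-urlencoded encoding of one value, as RFC 6749
// requires for the username/password parts of the Basic credential.
function formEncode(value) {
  return encodeURIComponent(value)
    .replace(/[!'()*]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase())
    .replace(/%20/g, '+');
}

function formDecode(value) {
  return decodeURIComponent(value.replace(/\+/g, '%20'));
}

// Authorization header value for the client_secret_basic method.
function basicAuthHeader(clientId, clientSecret) {
  const credentials = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
  return 'Basic ' + Buffer.from(credentials, 'utf8').toString('base64');
}

// Server-side counterpart: recover the client credentials from the header.
// Returns null when the header is not a well-formed Basic credential.
function parseBasicAuthHeader(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/.exec(headerValue || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return null;
  return {
    clientId: formDecode(decoded.slice(0, sep)),
    clientSecret: formDecode(decoded.slice(sep + 1)),
  };
}

// Headers and body of an authorization_code token request for the chosen
// token_endpoint_auth_method. The option name mirrors the IANA registry
// values; it is an assumption here, not an existing oidc-client-js setting.
function buildTokenRequest({ tokenEndpointAuthMethod, clientId, clientSecret, code, redirectUri }) {
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  const params = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri,
  });

  switch (tokenEndpointAuthMethod) {
    case 'client_secret_basic':
      // Credentials go in the Authorization header, not in the body.
      headers['Authorization'] = basicAuthHeader(clientId, clientSecret);
      break;
    case 'client_secret_post':
      // NOT RECOMMENDED by RFC 6749: credentials travel as body parameters.
      params.set('client_id', clientId);
      params.set('client_secret', clientSecret);
      break;
    case 'none':
      // Public client: identifies itself but has no secret to present.
      params.set('client_id', clientId);
      break;
    default:
      throw new Error(`unsupported token_endpoint_auth_method: ${tokenEndpointAuthMethod}`);
  }
  return { headers, body: params.toString() };
}

// Constructed sample values taken from the RFC 6749 examples.
const sample = {
  clientId: 's6BhdRkqt3',
  clientSecret: 'gX1fBat3bV',
  code: 'SplxlOBeZQQYbYS6WxSbIA',
  redirectUri: 'https://client.example.com/cb',
};
console.log(buildTokenRequest({ tokenEndpointAuthMethod: 'client_secret_basic', ...sample }));
console.log(buildTokenRequest({ tokenEndpointAuthMethod: 'client_secret_post', ...sample }));
```

With the RFC's sample credentials the Basic header comes out as `Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW`, matching the value printed in RFC 6749 itself; the form-encoding step only matters once a secret contains characters such as ":" or "@", which is exactly the case a plain `base64(id + ":" + secret)` gets wrong.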

+1

Any news on when it could be added?

bbialas avatar Nov 17 '20 23:11 bbialas

Hi,

Any news?

Blamoh avatar Dec 21 '20 12:12 Blamoh