requirement for optional token_endpoint_auth_methods_supported

[apw1388]

Since we want to connect our Instance with an OIDC Provider and we got client not authenticated errors, we checked the app, if it supports HTTP basic auth header. Luckily it does, but there is an issue in the check for using HTTP basic auth header.

In your check, you assume the token_endpoint_auth_methods_supported is always present. According to the OIDC discovery specs, this is an optional attribute. According to the comment in code, I would assume that basic authentication is also used, if there is no token_endpoint_auth_methods_supported provided by the OP discovery.

[julien-nc]

Thanks for reporting this.

you assume the token_endpoint_auth_methods_supported is always present

Not really, we take client_secret_post as default if token_endpoint_auth_methods_supported is not set in the discovery payload. This is indeed not following the official specs.

• Here is a fix: Use client_secret_basic by default, use client_secret_post if supported #1199

The fix also includes a way to choose which auth method is used when token_endpoint_auth_methods_supported is not set. But the new default is client_secret_basic.

[julien-nc]

It would speed up the release process if you can try this PR on your side.

[hendrik1120]

Thanks for the heads-up, just so that you are aware: We went from post to basic to post and now back to basic.

Will this be a major version bump to 8.0.0? I will update the authelia docs beforehand to minimize the impact this time.

[julien-nc]

@hendrik1120 You can leave the IdP side untouched and just set the default method in config.php like mentioned in the PR.

Yes the next release will be a major version bump.