@julien-nc

closes #1198

As stated in https://openid.net/specs/openid-connect-discovery-1_0.html about token_endpoint_auth_methods_supported:

If omitted, the default is client_secret_basic

The new behaviour is:

  • If token_endpoint_auth_methods_supported is not set in the discovery payload: use client_secret_basic
  • If token_endpoint_auth_methods_supported is set and contains client_secret_post, use it

⚠️ It is now also possible to set the default auth method (when token_endpoint_auth_methods_supported is not set) in config.php with:

'user_oidc' => [
  'default_token_endpoint_auth_method' => 'client_secret_post',
]

@hendrik1120 Be aware that you will need to change this default because in your case, token_endpoint_auth_methods_supported is not set and client_secret_post is the only supported method. You can set that value in config.php now (before this change is released); it will be effective with the next release.
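
The selection rules in the description above, followed through to the token request each method produces, as an added example that is not user_oidc's own code. The function names, the fallback used when the field is set but does not list client_secret_post, and all sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not user_oidc code; both function names are hypothetical.

/** Pick the token endpoint auth method from the discovery document. */
function selectTokenAuthMethod(array $discovery, array $userOidcConfig): string {
    $supported = $discovery['token_endpoint_auth_methods_supported'] ?? null;
    if (!is_array($supported)) {
        // Field omitted: spec default, unless config.php overrides it.
        return $userOidcConfig['default_token_endpoint_auth_method'] ?? 'client_secret_basic';
    }
    if (in_array('client_secret_post', $supported, true)) {
        return 'client_secret_post';
    }
    // Assumption: the page does not cover this case; fall back to basic.
    return 'client_secret_basic';
}

/** Build headers and form body for the authorization-code token request. */
function buildTokenRequest(string $method, string $clientId, string $clientSecret, string $code, string $redirectUri): array {
    $headers = ['Content-Type' => 'application/x-www-form-urlencoded'];
    $body = ['grant_type' => 'authorization_code', 'code' => $code, 'redirect_uri' => $redirectUri];
    if ($method === 'client_secret_post') {
        // Credentials travel in the form body.
        $body['client_id'] = $clientId;
        $body['client_secret'] = $clientSecret;
    } else {
        // RFC 6749 section 2.3.1: form-urlencode each part, then Basic-encode the pair.
        $headers['Authorization'] = 'Basic ' . base64_encode(urlencode($clientId) . ':' . urlencode($clientSecret));
    }
    return ['headers' => $headers, 'body' => http_build_query($body)];
}

// Constructed sample inputs: [discovery document, 'user_oidc' config section].
$cases = [
    'field omitted, no override' => [[], []],
    'field omitted, override in config.php' => [[], ['default_token_endpoint_auth_method' => 'client_secret_post']],
    'field lists client_secret_post' => [['token_endpoint_auth_methods_supported' => ['client_secret_basic', 'client_secret_post']], []],
];
foreach ($cases as $label => [$discovery, $config]) {
    $method = selectTokenAuthMethod($discovery, $config);
    // Client id, secret, code and redirect URI are constructed placeholders.
    $req = buildTokenRequest($method, 'demo-client', 's3cr/et+', 'constructed-code', 'https://cloud.example.com/callback');
    $where = isset($req['headers']['Authorization']) ? 'Authorization header' : 'form body';
    printf("%-40s %-20s secret in %s\n", $label, $method, $where);
}
```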


@hamza221 hamza221 left a comment

🚀

@julien-nc julien-nc force-pushed the fix/1198/default-token_endpoint_auth_method branch from da4e6cd to b9f2cae Compare September 12, 2025 09:42
…t_secret_post if supported

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
… method in config.php

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc julien-nc force-pushed the fix/1198/default-token_endpoint_auth_method branch from b9f2cae to a647192 Compare September 22, 2025 13:58
@julien-nc julien-nc merged commit 5c66398 into main Sep 22, 2025
43 checks passed
@julien-nc julien-nc deleted the fix/1198/default-token_endpoint_auth_method branch September 22, 2025 14:03
@julien-nc julien-nc mentioned this pull request Sep 22, 2025

Labels

3. to review, bug (Something isn't working), enhancement (New feature or request), priority: high

Development

Successfully merging this pull request may close these issues.

requirement for optional token_endpoint_auth_methods_supported
