Use client_secret_basic by default, use client_secret_post if supported

README.md

@@ -55,6 +55,22 @@ for private or internal applications without requiring user consent or interacti
 Documentation for all supported prompt values is available here:
 [Oauth2 passport server prompts-supported](https://gitlab.com/elyerr/oauth2-passport-server/-/wikis/home/prompts-supported)
 
+## `user_oidc.default_token_endpoint_auth_method`
+
+The OIDC specifications are clear on this. It is stated in https://openid.net/specs/openid-connect-discovery-1_0.html
+that if `token_endpoint_auth_methods_supported` is not set in the provider discovery endpoint payload,
+`client_secret_basic` should be used as default authentication method.
+
+But it has been reported that, with Authelia for example, only `client_secret_post` might be allowed while `token_endpoint_auth_methods_supported`
+is not set in the discovery. In such case, you can set the default token endpoint authentication method with:
+
+```php
+'user_oidc' => [
+  'default_token_endpoint_auth_method' => 'client_secret_post'
+]
+```
+
+
 ---
 
 ### User IDs

lib/Controller/LoginController.php

@@ -385,18 +385,24 @@ public function code(string $state = '', string $code = '', string $scope = '',
 			}
 
 			$headers = [];
-			$tokenEndpointAuthMethod = 'client_secret_post';
-			// Use Basic only if client_secret_post is not available as supported by the endpoint
+			// follow what is described in https://openid.net/specs/openid-connect-discovery-1_0.html
+			// about token_endpoint_auth_methods_supported: "If omitted, the default is client_secret_basic"
+			// Use client_secret_post if supported
+			// We still allow changing the default auth method in config.php
+			$tokenEndpointAuthMethod = $oidcSystemConfig['default_token_endpoint_auth_method'] ?? 'client_secret_basic';
+			// deal with invalid values
+			if (!in_array($tokenEndpointAuthMethod, ['client_secret_basic', 'client_secret_post'], true)) {
+				$tokenEndpointAuthMethod = 'client_secret_basic';
+			}
 			if (
 				array_key_exists('token_endpoint_auth_methods_supported', $discovery)
 				&& is_array($discovery['token_endpoint_auth_methods_supported'])
-				&& in_array('client_secret_basic', $discovery['token_endpoint_auth_methods_supported'])
-				&& !in_array('client_secret_post', $discovery['token_endpoint_auth_methods_supported'])
+				&& in_array('client_secret_post', $discovery['token_endpoint_auth_methods_supported'], true)
 			) {
-				$tokenEndpointAuthMethod = 'client_secret_basic';
+				$tokenEndpointAuthMethod = 'client_secret_post';
 			}
 
-			if ($tokenEndpointAuthMethod == 'client_secret_basic') {
+			if ($tokenEndpointAuthMethod === 'client_secret_basic') {
 				$headers = [
 					'Authorization' => 'Basic ' . base64_encode($provider->getClientId() . ':' . $providerClientSecret),
 					'Content-Type' => 'application/x-www-form-urlencoded',