This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

Basic Auth during token endpoint request doesn't seem to work #843

Closed
Bashibouzouk opened this issue May 14, 2019 · 2 comments

@Bashibouzouk

Hello,

I’m working on a React web app that needs to add identification with an OpenID Connect platform.
So we want to use your library, but we have encountered a problem in the implementation of the Authorization Code flow.

In our case the token endpoint is protected, and only a client (React web app) that is authenticated can retrieve a token.
So we need to have a Basic authentication header (client_id + client_secret) set when we want to retrieve information from the token endpoint.

But the lib doesn’t seem to go that way, although it is specified in the OpenID doc:
https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
(see example)

Here’s our usermanager config:

```js
// UserManager settings as posted, written out as an object literal
const settings = {
  client_id: 'client_id',
  client_secret: 'client_secret',
  redirect_uri: `${window.location.protocol}//${window.location.hostname}${window.location.port ? `:${window.location.port}` : ''}/authenticated`,
  response_type: 'code',
  scope: 'openid',
  authority: 'authority url',
  automaticSilentRenew: false,
  filterProtocolClaims: true,
  loadUserInfo: true,
  response_mode: 'fragment',
  grantType: 'authorization_code',
};
```

Did we forget anything? Is this a bug, as headers are never set with Basic Auth?
Or is this normal behavior because oidc-client.js is not supposed to work that way?

Thanks in advance

@brockallen
Member

brockallen commented May 14, 2019

JS clients can't keep secrets, so they don't have them. Having said that, if you provide one we'll use it, but via the post body.
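
The two ways of sending a client secret to the token endpoint that this thread contrasts (`client_secret_basic` in the `Authorization` header, `client_secret_post` in the form body), as an added example that is not oidc-client's code or part of either comment. The function names and sample values are assumptions made for illustration; `token_endpoint_auth_methods_supported` is the provider's discovery metadata field, which defaults to `client_secret_basic` when absent.

```javascript
// Added example (not oidc-client's implementation); all names here are hypothetical.

// Serialise one value with application/x-www-form-urlencoded rules, which
// RFC 6749 section 2.3.1 requires for each half before Base64 encoding.
function formEncode(value) {
  return new URLSearchParams([['v', value]]).toString().slice(2);
}

// Methods the provider advertises; OIDC Discovery defaults to client_secret_basic.
function supportedAuthMethods(discovery) {
  return discovery.token_endpoint_auth_methods_supported || ['client_secret_basic'];
}

// Build headers and body for an authorization_code token request.
function buildTokenRequest(discovery, method, client, code, redirectUri) {
  if (!supportedAuthMethods(discovery).includes(method)) {
    throw new Error(`provider does not advertise ${method}`);
  }
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri,
  });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };

  if (method === 'client_secret_basic') {
    // Credentials go in the header only; a ':' inside the secret is
    // percent-encoded, so the server can split on the first colon.
    const pair = `${formEncode(client.id)}:${formEncode(client.secret)}`;
    headers.Authorization = `Basic ${btoa(pair)}`;
  } else if (method === 'client_secret_post') {
    // Credentials travel as ordinary form fields in the request body.
    body.set('client_id', client.id);
    body.set('client_secret', client.secret);
  } else {
    throw new Error(`unsupported client authentication method: ${method}`);
  }
  return { headers, body: body.toString() };
}
```

A provider whose discovery document lists only `client_secret_basic` makes the `client_secret_post` call above throw, which is the mismatch described in this issue.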

@brockallen
Member

Closing. If you still have issues, feel free to reopen.
