This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

Support for client_secret_basic #892

Open
orsolli opened this issue Jul 9, 2019 · 5 comments

orsolli commented Jul 9, 2019

Related to Issue #843

This library uses client_secret_post which puts the client_id and client_secret in the body.

You should support client_secret_basic, where client_id and client_secret are base64 encoded in the Authorization header in accordance with the OAuth 2.0 and OpenID Connect specifications.

The OAuth 2.0 Authorization Framework - 2.3.1. Client Authentication
OpenID Connect Core 1.0 - 9. Client Authentication
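
The two token-request shapes this issue contrasts, as an added example that is not part of the original post and is not oidc-client-js code. The function names `formEncode` and `buildTokenRequest` are hypothetical, the credentials are constructed sample values, and the code assumes Node's `Buffer`.

```javascript
// Added illustration; formEncode and buildTokenRequest are hypothetical names.

// RFC 6749 section 2.3.1: client_id and client_secret are each
// application/x-www-form-urlencoded *before* being joined with ':' and
// base64-encoded. Skipping this step breaks credentials containing ':',
// '+', '%' or spaces.
function formEncode(value) {
  return encodeURIComponent(value)
    .replace(/[!'()*]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase())
    .replace(/%20/g, '+');
}

function buildTokenRequest(authMethod, { clientId, clientSecret, code, redirectUri }) {
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri,
  });

  switch (authMethod) {
    case 'client_secret_basic': {
      // Credentials travel only in the Authorization header.
      const userpass = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
      // In a browser, btoa(userpass) is equivalent: userpass is pure ASCII here.
      headers.Authorization = 'Basic ' + Buffer.from(userpass, 'ascii').toString('base64');
      break;
    }
    case 'client_secret_post':
      // Credentials travel in the request body (NOT RECOMMENDED by RFC 6749).
      body.set('client_id', clientId);
      body.set('client_secret', clientSecret);
      break;
    default:
      throw new Error(`unsupported token_endpoint_auth_method: ${authMethod}`);
  }
  return { headers, body: body.toString() };
}

// Constructed sample input: a secret with characters that need encoding.
const sample = {
  clientId: 'my client',
  clientSecret: 's3cr:t/+',
  code: 'SAMPLE_CODE',
  redirectUri: 'https://app.example/callback',
};
const basicRequest = buildTokenRequest('client_secret_basic', sample);
const postRequest = buildTokenRequest('client_secret_post', sample);
```
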

AshUK commented Jun 4, 2020

My preference for this would be a property named token_endpoint_auth_method given to the UserManager configuration. It's worth mentioning there are other auth methods too:

https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method

  • none
  • client secret basic
  • client secret jwt
  • client secret post
  • private key jwt

@damiandragowski

Hi,
When will support for client_secret_post be released?

@thorstenfleischmann

Would be good to have support for basic auth since using post is not recommended.

https://tools.ietf.org/html/rfc6749#section-2.3.1

Including the client credentials in the request-body using the two
parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
to directly utilize the HTTP Basic authentication scheme (or other
password-based HTTP authentication schemes).

bbialas commented Nov 17, 2020

+1

Any news on when it could be added?

Blamoh commented Dec 21, 2020

Hi,

Any news?
