OpenID Connect Core 1.0 refers to OAuth 2.0 (RFC6749) for client authentication. According to RFC6749 Section 2.3.1, authorization servers MAY support including client credentials in the request body. Some OIDC providers require client_id in the request body regardless of the authentication method used (basic or jwks). Adding client_id to the token request body would improve compatibility with such providers while maintaining the current authentication methods.
Related Specifications
OpenID Connect Core 1.0 Section 3.1.3.1 refers to OAuth 2.0 Section 4.1.3 for client authentication at the token endpoint.
OAuth 2.0 (RFC6749) Section 2.3.1 specifies methods for including client credentials in the request body.
Current Behavior
Currently, the gem only sends client credentials via the selected authentication method (basic or jwks):
```ruby
def access_token
  # ...
  token_request_params = {
    scope: (options.scope if options.send_scope_to_token_endpoint),
    client_auth_method: options.client_auth_method
  }
  # client_id is not included in request body
end
```
Expected Behavior
Always include client_id in the token request body while maintaining the current authentication methods:
```ruby
def access_token
  # ...
  token_request_params = {
    scope: (options.scope if options.send_scope_to_token_endpoint),
    client_auth_method: options.client_auth_method,
    client_id: client_options.identifier # Always include client_id in request body
  }
  # ...
end
```
References
OpenID Connect Core 1.0 Section 3.1.3.1
The Client MUST authenticate with the Token Endpoint using the authentication method as described in Section 4.1.3 of OAuth 2.0 [RFC6749].
RFC6749 Section 2.3.1:
"Alternatively, the authorization server MAY support including the client credentials in the request-body using the following parameters:
client_id REQUIRED. The client identifier issued to the client during the registration process"
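As an added illustration (not the gem's code; all names here are hypothetical), the following builds the token-endpoint request for the two authentication methods the issue discusses, always placing client_id in the form body as RFC 6749 Section 2.3.1 allows. It keeps client_secret in the body only for the body-credentials method, because RFC 6749 Section 2.3 forbids using more than one authentication method in a single request, and it includes the server-side check that a body client_id must agree with the client authenticated in the Authorization header.

```ruby
require 'base64'
require 'uri'

# Constructed example, not part of the omniauth gem. Returns headers and an
# application/x-www-form-urlencoded body for an authorization_code token request.
#   :basic              -> credentials in the HTTP Basic Authorization header
#   :client_secret_post -> client_secret in the body (RFC 6749 Section 2.3.1)
# client_id is always sent in the body regardless of the method chosen.
def build_token_request(auth_method:, client_id:, client_secret:, code:, redirect_uri:, scope: nil)
  raise ArgumentError, 'client_id must not be blank' if client_id.to_s.empty?

  body = {
    'grant_type'   => 'authorization_code',
    'code'         => code,
    'redirect_uri' => redirect_uri,
    'client_id'    => client_id # present independent of the auth method
  }
  body['scope'] = scope if scope
  headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }

  case auth_method
  when :basic
    # RFC 6749 2.3.1: id and secret are form-urlencoded before Base64 encoding
    cred = "#{URI.encode_www_form_component(client_id)}:" \
           "#{URI.encode_www_form_component(client_secret)}"
    headers['Authorization'] = "Basic #{Base64.strict_encode64(cred)}"
  when :client_secret_post
    body['client_secret'] = client_secret
  else
    raise ArgumentError, "unsupported client_auth_method: #{auth_method}"
  end

  { headers: headers, body: URI.encode_www_form(body) }
end

# Server-side counterpart: when the client authenticates via the Authorization
# header and also names a client_id in the body, the two identities must match.
def body_client_id_consistent?(headers, body)
  params = URI.decode_www_form(body).to_h
  return true unless headers['Authorization'] && params['client_id']
  scheme, token = headers['Authorization'].split(' ', 2)
  return false unless scheme == 'Basic' && token
  header_id = URI.decode_www_form_component(Base64.strict_decode64(token).split(':', 2).first)
  header_id == params['client_id']
rescue ArgumentError
  false # malformed Base64 or encoding: treat as inconsistent
end
```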
EntraID seems to require this - I'm not sure whether this is a new requirement or not, but I can't seem to get the Microsoft-specific strategies to work either.
Also, as per the spec, client_secret is needed too, so
```ruby
def access_token
  # ...
  token_request_params = {
    scope: (options.scope if options.send_scope_to_token_endpoint),
    client_auth_method: options.client_auth_method,
    client_id: client_options.identifier, # Always include client_id in request body
    client_secret: client_options.secret
  }
  # ...
end
```