Enhancement: Add client_id to token request body to support various OIDC server implementations #194

Open
KOH6 opened this issue Nov 15, 2024 · 1 comment

KOH6 commented Nov 15, 2024

Description

OpenID Connect Core 1.0 refers to OAuth 2.0 (RFC6749) for client authentication. According to RFC6749 Section 2.3.1, authorization servers MAY support including client credentials in the request body. Some OIDC providers require client_id in the request body regardless of the authentication method used (basic or jwks). Adding client_id to the token request body would improve compatibility with such providers while maintaining the current authentication methods.

Related Specifications

  • OpenID Connect Core 1.0 Section 3.1.3.1 refers to OAuth 2.0 Section 4.1.3 for client authentication at the token endpoint.
  • OAuth 2.0 (RFC6749) Section 2.3.1 specifies methods for including client credentials in the request body.

Current Behavior

Currently, the gem only sends client credentials via the selected authentication method (basic or jwks):

```ruby
def access_token
  # ...
  token_request_params = {
    scope: (options.scope if options.send_scope_to_token_endpoint),
    client_auth_method: options.client_auth_method
  }
  # client_id is not included in request body
end
```

Expected Behavior

Always include client_id in the token request body while maintaining the current authentication methods:

```ruby
def access_token
  # ...
  token_request_params = {
    scope: (options.scope if options.send_scope_to_token_endpoint),
    client_auth_method: options.client_auth_method,
    client_id: client_options.identifier  # Always include client_id in request body
  }
  # ...
end
```

References

  1. OpenID Connect Core 1.0 Section 3.1.3.1

The Client MUST authenticate with the Token Endpoint using the authentication method as described in Section 4.1.3 of OAuth 2.0 [RFC6749].

  2. RFC6749 Section 2.3.1:

"Alternatively, the authorization server MAY support including the client credentials in the request-body using the following parameters:

  • client_id REQUIRED. The client identifier issued to the client during the registration process"

RFC6749 Section 2.3.1 Full Text

Additional Considerations

  • This change maintains compatibility with standard OIDC providers while adding support for providers that require client_id in the request body
  • The current authentication methods ('basic' and 'jwks') remain unchanged
  • No additional configuration options needed
  • Should add tests to verify client_id is properly included in token requests
jaark commented Dec 10, 2024

EntraID seems to require this - I'm not sure whether this is a new requirement or not, but I can't seem to get the microsoft specific strategies to work either.
Also, as per the spec, client_secret is needed too, so

```ruby
def access_token
  # ...
  token_request_params = {
    scope: (options.scope if options.send_scope_to_token_endpoint),
    client_auth_method: options.client_auth_method,
    client_id: client_options.identifier,  # Always include client_id in request body
    client_secret: client_options.secret
  }
  # ...
end
```

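The following is an added example, not code from the gem or from either commenter, showing how a token request can carry `client_id` in the body (as the issue proposes) while placing `client_secret` in exactly one location, as RFC 6749 Section 2.3 requires (a client MUST NOT use more than one authentication method per request). It serves both the original proposal and the follow-up that adds `client_secret`: with the gem's `'basic'` method the secret travels only in the `Authorization` header; the `'post'` method name is an assumption standing in for RFC 6749 Section 2.3.1 body credentials (`client_secret_post` in OIDC terms). The gem's `'jwks'` (`private_key_jwt`) path is not modelled here. The function names `build_token_request`, `decode_form` and `secret_placement_ok?` and all sample values are constructed for this example.

```ruby
require "uri"

# Build the body and headers of an authorization_code token request.
# client_id is always in the body; the secret goes to exactly one place,
# chosen by client_auth_method ('basic' is the gem's name for HTTP Basic;
# 'post' is an assumed name for RFC 6749 Section 2.3.1 body credentials).
def build_token_request(client_auth_method:, client_id:, client_secret:, code:, redirect_uri:)
  body = {
    "grant_type"   => "authorization_code",
    "code"         => code,
    "redirect_uri" => redirect_uri,
    "client_id"    => client_id # always present, as the issue proposes
  }
  headers = { "Content-Type" => "application/x-www-form-urlencoded" }

  case client_auth_method.to_s
  when "basic"
    # RFC 6749 Section 2.3.1: id and secret are form-url-encoded before being
    # used as the Basic username and password. pack("m0") is strict base64.
    creds = "#{URI.encode_www_form_component(client_id)}:" \
            "#{URI.encode_www_form_component(client_secret)}"
    headers["Authorization"] = "Basic #{[creds].pack('m0')}"
  when "post"
    # Body credentials: secret in the form body, no Authorization header.
    body["client_secret"] = client_secret
  else
    raise ArgumentError, "unsupported client_auth_method: #{client_auth_method}"
  end

  { headers: headers, body: URI.encode_www_form(body) }
end

# Decode a form-encoded body back into a hash so the outgoing request can be
# inspected before it leaves the process.
def decode_form(body)
  URI.decode_www_form(body).to_h
end

# Outgoing-request check: client_id must be in the body, and the secret must be
# sent by exactly one mechanism (body XOR Authorization header), never both.
def secret_placement_ok?(request)
  form = decode_form(request[:body])
  in_body   = form.key?("client_secret")
  in_header = request[:headers].key?("Authorization")
  form.key?("client_id") && (in_body ^ in_header)
end

if __FILE__ == $PROGRAM_NAME
  # Sample values are constructed for this example.
  req = build_token_request(client_auth_method: "basic", client_id: "my-client",
                            client_secret: "s3cret", code: "abc",
                            redirect_uri: "https://app.example/callback")
  puts req[:headers].inspect
  puts req[:body]
  puts "placement ok: #{secret_placement_ok?(req)}"
end
```

With `'basic'` the body reads `grant_type=authorization_code&code=abc&redirect_uri=...&client_id=my-client` and the secret appears only in the header; with `'post'` the header is absent and `client_secret` is in the body. Running `secret_placement_ok?` against whatever the gem ends up sending is a cheap way to verify that adding `client_id` to the body did not also duplicate the secret.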