Drenso / symfony-oidc

This project contains the Symfony OIDC bundle, which is directly based on https://github.com/jumbojett/OpenID-Connect-PHP
Apache License 2.0

token_endpoint_auth_methods_supported should be optional in OIDC configuration #50

Closed gregoire-jianda closed 6 months ago

gregoire-jianda commented 6 months ago

I am currently in the process of configuring my Symfony App to connect with Casdoor.

The Casdoor OIDC discovery is missing the token_endpoint_auth_methods_supported (https://casdoor.org/fr/docs/how-to-connect/oidc-client/), which leads to an OidcConfigurationException in the bundle.

From https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3

token_endpoint_auth_methods_supported OPTIONAL. JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].

It seems to me that the token_endpoint_auth_methods_supported key should be optional and the parser should default to ['client_secret_basic'] if it is missing?

bobvandevijver commented 6 months ago

First of all, great issue and description 😃

I must say that I have never seen a provider not supplying this value in their discovery before! I checked with the library this bundle is based on, and they do indeed define the default you mention for this specific configuration value only, so I probably missed that while porting...

Can you check if the latest dev-master (https://github.com/Drenso/symfony-oidc/commit/4688db02a4f77841b2e0615ac922b78e6231e6d6) fixes the issue for you? If it does, I will make sure to tag it!

gregoire-jianda commented 6 months ago

Yes, the latest dev-master fixes the issue! Thanks for your prompt response and this great bundle :)

bobvandevijver commented 6 months ago

Alright, v2.13.1 has been tagged now as well!
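
The defaulting rule quoted from the Discovery specification in this thread, as an added PHP example that is not part of the issue or of the bundle's code. The function names and the sample discovery documents are constructed for illustration, and `array_is_list` assumes PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not the bundle's API.
function tokenEndpointAuthMethods(array $discovery): array
{
    $key = 'token_endpoint_auth_methods_supported';
    // OPTIONAL per OpenID Connect Discovery 1.0, section 3: absent means client_secret_basic.
    if (!array_key_exists($key, $discovery)) {
        return ['client_secret_basic'];
    }
    // Present but malformed is a provider error, not a reason to apply the default.
    $methods = $discovery[$key];
    if (!is_array($methods) || !array_is_list($methods) || array_filter($methods, 'is_string') !== $methods) {
        throw new UnexpectedValueException("$key must be a JSON array of strings");
    }
    return $methods;
}

// Picks the first method the client prefers that the provider also supports.
function chooseClientAuthMethod(array $discovery, array $clientPreference): string
{
    $supported = tokenEndpointAuthMethods($discovery);
    foreach ($clientPreference as $method) {
        if (in_array($method, $supported, true)) {
            return $method;
        }
    }
    throw new RuntimeException('No mutually supported token endpoint auth method');
}

// Constructed sample discovery documents (not real provider output).
$samples = [
    'key absent'    => '{"issuer":"https://idp.example","token_endpoint":"https://idp.example/token"}',
    'key present'   => '{"issuer":"https://idp.example","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt"]}',
    'key malformed' => '{"issuer":"https://idp.example","token_endpoint_auth_methods_supported":"client_secret_post"}',
];
$preference = ['private_key_jwt', 'client_secret_basic', 'client_secret_post'];

foreach ($samples as $label => $json) {
    try {
        $discovery = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
        echo $label, ': ', chooseClientAuthMethod($discovery, $preference), PHP_EOL;
    } catch (RuntimeException $e) {
        // UnexpectedValueException is a RuntimeException, so both failure paths land here.
        echo $label, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

The default applies only when the key is absent; a present but malformed value is rejected rather than silently replaced, so a broken discovery document does not change which client authentication method is used.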