Closed longsleep closed 3 years ago
I'm currently facing the same issue, any workaround?
@japharr Well, if you control the IdP, you can apply a similar workaround like I did - see https://github.com/Kopano-dev/konnect/commit/2abef24daf203819cb7e1f69f3c94830ae537514 for inspiration.
Okay, thanks @longsleep
Yea, not sure if I can do anything about that. Sorry.
The token requests for confidential clients support a "Basic" auth mode. Thus the Authorization header in those requests has special meaning and might be processed.
Today I ran into the issue that a user had signed in using Basic authentication to another (unrelated) service on the same web server. Thus, starting from this point on, oidc-client-js was sending those Basic authentication credentials as the Authorization header with token requests, making them fail as the IdP interprets the Basic authorization as client_id and client_secret.
Not entirely sure who to blame, but since oidc-client-js is usually not a confidential client, it might be worth investigating if it's possible to avoid sending the `Authorization` header with all the requests initiated by oidc-client-js (even if the browser implicitly adds it).