badgateway / oauth2-client

OAuth2 client for Node and browsers
https://www.npmjs.com/package/@badgateway/oauth2-client
MIT License

Public client without authentication method #128

Closed Xbloud closed 10 months ago

Xbloud commented 10 months ago

I want to use an OAuth public client with the code flow and PKCE. The issue is with the token request, which must include client_id in this case according to https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3. This library adds the client_id to the token request only if "settings.authenticationMethod" equals "client_secret_post", which is wrong IMO. It should be added even if no authenticationMethod is used. Another issue is that if I do not provide "authenticationMethod" in settings, this library will use the first authentication method from the OAuth server metadata (token_endpoint_auth_methods_supported). For example, if the server metadata contains ["client_secret_basic"], then the library will include an Authorization HTTP header with basic authentication even if I do not intend to use any.

evert commented 10 months ago

This makes sense. We basically need to take the 'client_secret_post' path whenever there's no client_secret. This is probably a regression since 2.1.0, so downgrading to 2.0.18 probably temporarily fixes this.
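The behaviour both comments describe, as an added example that is not the library's own code: a token request builder for the authorization_code + PKCE grant that always sends client_id in the body for a public client (no client_secret) and never falls back to the server's token_endpoint_auth_methods_supported in that case, while a confidential client still gets client_secret_basic or client_secret_post. The helper name, the `settings` field names (clientId, clientSecret, authenticationMethod, serverMetadata) and the sample values are assumptions.

```javascript
// Added example, not code from @badgateway/oauth2-client. Field names are
// assumptions chosen to mirror the issue text.
function buildTokenRequest(settings, { code, redirectUri, codeVerifier }) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri,
  });
  // PKCE: the verifier proves possession of the code_challenge sent earlier.
  if (codeVerifier) body.set('code_verifier', codeVerifier);

  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  const isPublicClient = !settings.clientSecret;

  let method;
  if (isPublicClient) {
    // Public client: RFC 6749 section 4.1.3 requires client_id in the body, and
    // server metadata must not turn on a credential we do not have.
    method = 'none';
  } else {
    // Confidential client: explicit setting wins, else first advertised method.
    const advertised = settings.serverMetadata?.token_endpoint_auth_methods_supported;
    method = settings.authenticationMethod ?? advertised?.[0] ?? 'client_secret_basic';
  }

  switch (method) {
    case 'none':
      body.set('client_id', settings.clientId);
      break;
    case 'client_secret_post':
      body.set('client_id', settings.clientId);
      body.set('client_secret', settings.clientSecret);
      break;
    case 'client_secret_basic': {
      const cred = Buffer.from(`${settings.clientId}:${settings.clientSecret}`).toString('base64');
      headers.Authorization = `Basic ${cred}`;
      break;
    }
    default:
      throw new Error(`unsupported token endpoint auth method: ${method}`);
  }
  return { method, headers, body: body.toString() };
}
```

Check the public-client case against a server that only advertises client_secret_basic: the result must carry client_id in the body and no Authorization header.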