n8n-io / n8n

Free and source-available fair-code licensed workflow automation tool. Easily automate tasks across different services.
https://n8n.io

Cannot use OAuth2 with credentials in body #11778

Open davidarkemp opened 3 days ago

davidarkemp commented 3 days ago

Bug Description

Discovered when trying to authenticate an HTTP Request with OAuth2 against the Podio API.

Authentication against the Podio API requires the client credentials to be passed in the POST body (see https://developers.podio.com/authentication/server_side).

For example:

{
  "grant_type": "authorization_code",
  "client_id": "hoppscotch",
  "redirect_uri": "https://hoppscotch.io/oauth",
  "client_secret": "REDACTED",
  "code": "ALSO_REDACTED"
}

However, the OAuth2 library always sends the client credentials in the header if there's a client secret present (see https://github.com/n8n-io/n8n/blob/master/packages/%40n8n/client-oauth2/src/CodeFlow.ts#L104).

Would it be possible to respect the "Authentication" type in the UI?

To Reproduce

Find an OAuth2 server that requires client credentials in the body and try to get a token from it.

Expected behavior

When the "Authentication" is set to "Body", the client_id and client_secret are posted as part of the body object

Operating System

docker

n8n Version

1.67.1

Node.js Version

20.18.0

Database

SQLite (default)

Execution mode

main (default)

Joffcom commented 3 days ago

Hey @davidarkemp,

We have created an internal ticket to look into this which we will be tracking as "GHC-457"

netroy commented 2 days ago

I'm not an expert in oauth, but I wonder if this flow needs to be client_credential instead of authorization_code. Here is the RFC, if you can make sense of it.

davidarkemp commented 2 days ago

@netroy I'll freely admit that this is a slightly off-spec OAuth 2.0 Authorization Server, but this format of sending the client credentials in the body as part of the code exchange is something I've seen in a few other implementations too. It's covered in section 3.2.1 of the RFC. IMHO, the OAuth2 Authentication needs to respect when the "Authentication" is set to "Body", or, to meet the specification, this setting needs to be removed from the UI and the client_secret needs to be made optional.