OpenID Connect Core 1.0 refers to OAuth 2.0 (RFC6749) for client authentication. According to RFC6749 Section 2.3.1, authorization servers MAY support including client credentials in the request body. Some OIDC providers require client_id in the request body regardless of the authentication method used (basic or jwks). Adding client_id to the token request body would improve compatibility with such providers while maintaining the current authentication methods.
Related Specifications
OpenID Connect Core 1.0 Section 3.1.3.1 refers to OAuth 2.0 Section 4.1.3 for client authentication at the token endpoint.
OAuth 2.0 (RFC6749) Section 2.3.1 specifies methods for including client credentials in the request body.
Current Behavior
Currently, the gem only sends client credentials via the selected authentication method (basic or jwks):
def access_token
  # ...
  token_request_params = {
    scope: (options.scope if options.send_scope_to_token_endpoint),
    client_auth_method: options.client_auth_method
  }
  # client_id is not included in the request body
end
Expected Behavior
Always include client_id in the token request body while maintaining the current authentication methods:
def access_token
  # ...
  token_request_params = {
    scope: (options.scope if options.send_scope_to_token_endpoint),
    client_auth_method: options.client_auth_method,
    client_id: client_options.identifier # always include client_id in the request body
  }
  # ...
end
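To make the expected behavior concrete, here is an added example (not the gem's code) of a hypothetical helper that builds a token request where client_id is always in the form body while the chosen authentication method (basic header or jwks client assertion) is unchanged. It assumes the method names :basic and :jwks as in the issue; the point worth checking is that the client secret never leaks into the body when basic authentication is used.

```ruby
require 'base64'
require 'uri'

# Hypothetical helper (added example): returns the headers and form body of an
# authorization_code token request. client_id is always present in the body
# (RFC 6749 Section 2.3.1 lists it as REQUIRED there); the authentication
# method decides where the actual credential goes.
def build_token_request(code:, redirect_uri:, identifier:, secret: nil,
                        client_auth_method: :basic, client_assertion: nil)
  body = {
    grant_type: 'authorization_code',
    code: code,
    redirect_uri: redirect_uri,
    client_id: identifier # always included, regardless of auth method
  }
  headers = { 'Content-Type' => 'application/x-www-form-urlencoded' }

  case client_auth_method
  when :basic
    raise ArgumentError, 'secret is required for :basic' if secret.nil?
    # RFC 6749 Section 2.3.1: form-urlencode id and secret, then HTTP Basic.
    # The secret goes only in the Authorization header, never in the body.
    creds = "#{URI.encode_www_form_component(identifier)}:" \
            "#{URI.encode_www_form_component(secret)}"
    headers['Authorization'] = "Basic #{Base64.strict_encode64(creds)}"
  when :jwks
    raise ArgumentError, 'client_assertion is required for :jwks' if client_assertion.nil?
    # private_key_jwt style: the signed assertion is the credential (RFC 7523).
    body[:client_assertion_type] =
      'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
    body[:client_assertion] = client_assertion
  else
    raise ArgumentError, "unsupported client_auth_method: #{client_auth_method}"
  end

  { headers: headers, body: body, form: URI.encode_www_form(body) }
end
```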
References
OpenID Connect Core 1.0 Section 3.1.3.1
The Client MUST authenticate with the Token Endpoint using the authentication method as described in Section 4.1.3 of OAuth 2.0 [RFC6749].
RFC6749 Section 2.3.1:
"Alternatively, the authorization server MAY support including the client credentials in the request-body using the following parameters:
client_id REQUIRED. The client identifier issued to the client during the registration process"