panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Support empty client secret for client_secret_post and client_secret_basic? #256

Closed jwbennet closed 4 years ago

jwbennet commented 4 years ago

We are using an OIDC provider which only supports client_secret_post or client_secret_basic for the token endpoint auth methods. We are implementing a CLI using an authorization code grant which does not use a client secret. For this to work we need to explicitly send along a client secret, but it needs to be an empty string. The following two spots are throwing errors in this case:

https://github.com/panva/node-openid-client/blob/master/lib/helpers/client.js#L62
https://github.com/panva/node-openid-client/blob/master/lib/helpers/client.js#L95

Would it be acceptable to submit a PR to change those two spots to explicitly check for null or undefined so we can pass through an empty string? If so I'd be happy to submit one.

panva commented 4 years ago

We are implementing a CLI using an authorization code grant which does not use a client secret.

So use the appropriate token_endpoint_auth_method “none”.

Or use an http customizer to add your empty strings to bodies or replace the authorization header.

I will not be allowing what looks like a way to get bugs accepted in developer code.

jwbennet commented 4 years ago

Sounds good, thank you for the response! I would prefer to use that auth method but my provider does not support it. The HTTP customizer approach seems to work well. If anyone else tries something similar, make sure to update the Content-Length header when modifying the body, like the got project's hook documentation suggests.
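The workaround the thread settles on, as an added example that is not code from the openid-client project or from either participant: a got-style `beforeRequest` hook that appends an empty `client_secret` to the form-encoded token request (client_secret_post) or replaces the Authorization header with Basic credentials built from the client_id and an empty secret (client_secret_basic), recomputing Content-Length whenever the body changes. It assumes the request body is an application/x-www-form-urlencoded string and that the hook receives a got options object with `body` and `headers`; the `EXAMPLE_CLIENT_ID` value, the sample request, and the function names are made up for this illustration, and the commented wiring through `client[custom.http_options]` is an assumption about the library's customizer, not something this thread confirms.

```javascript
// Added example: not openid-client code and not code posted in the thread.
// Shows the "http customizer" workaround as a got `beforeRequest` hook.
// Assumptions: the token request body is an application/x-www-form-urlencoded
// string and `options` is a got-style object with `body` and `headers`.
// EXAMPLE_CLIENT_ID and sampleTokenRequest() are constructed for this example.

const EXAMPLE_CLIENT_ID = 'cli-app'; // hypothetical public client id

// True if the form body already carries a client_secret parameter.
function hasClientSecret(body) {
  return new URLSearchParams(body).has('client_secret');
}

// client_secret_post variant. Appends `client_secret=` (empty value) as a raw
// string so the other parameters keep their original encoding, then replaces
// any existing Content-Length header (whatever its case) with the new byte
// length, which got requires when a hook changes the body.
function addEmptyClientSecretToBody(options) {
  const body = typeof options.body === 'string' ? options.body : '';
  if (hasClientSecret(body)) {
    return options; // already present; do not send the parameter twice
  }
  const newBody = body.length > 0 ? `${body}&client_secret=` : 'client_secret=';
  const headers = { ...(options.headers || {}) };
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === 'content-length') delete headers[name];
  }
  headers['content-length'] = String(Buffer.byteLength(newBody, 'utf8'));
  return { ...options, body: newBody, headers };
}

// client_secret_basic variant. RFC 6749 section 2.3.1: client_id and
// client_secret are form-urlencoded, joined with ':' and base64-encoded.
// With an empty secret the credential is just "<client_id>:".
function basicAuthWithEmptySecret(clientId) {
  const credential = `${encodeURIComponent(clientId)}:`;
  return `Basic ${Buffer.from(credential, 'utf8').toString('base64')}`;
}

// Drops any existing Authorization header (any case) and sets the Basic one.
function replaceAuthorizationHeader(options, clientId) {
  const headers = { ...(options.headers || {}) };
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === 'authorization') delete headers[name];
  }
  headers.authorization = basicAuthWithEmptySecret(clientId);
  return { ...options, headers };
}

// Builds a got `beforeRequest` hook. got hands the hook its options object and
// expects in-place mutation, so the rewritten fields are copied back onto it.
function emptySecretHook(method, clientId) {
  return (options) => {
    if (method === 'client_secret_post') {
      Object.assign(options, addEmptyClientSecretToBody(options));
    } else if (method === 'client_secret_basic') {
      Object.assign(options, replaceAuthorizationHeader(options, clientId));
    } else {
      throw new Error(`unsupported token_endpoint_auth_method: ${method}`);
    }
  };
}

// Wiring sketch (assumed API shape, not executed here): the client is created
// with token_endpoint_auth_method 'none' so the library does not reject the
// missing secret, and the hook is attached through the per-client customizer:
//   const { custom } = require('openid-client');
//   client[custom.http_options] = (options) => ({
//     ...options,
//     hooks: { beforeRequest: [emptySecretHook('client_secret_post', EXAMPLE_CLIENT_ID)] },
//   });

// Constructed sample: a token request as it might look just before the hook.
function sampleTokenRequest() {
  const body = 'grant_type=authorization_code&code=abc123&client_id=cli-app';
  return {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      'Content-Length': String(Buffer.byteLength(body, 'utf8')),
    },
    body,
  };
}
```

Both helpers return a new options object and never re-serialize the existing parameters, so the library's own encoding of `code`, `redirect_uri` and friends is untouched; the hook only appends or replaces what the provider needs to see.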