Closed jwbennet closed 4 years ago
We are implementing a CLI using an authorization code grant which does not use a client secret.
So use the appropriate token_endpoint_auth_method “none”.
Or use an http customizer to add your empty strings to bodies or replace the authorization header.
I will not be allowing what looks like a way to get bugs accepted in developer code.
Sounds good, thank you for the response! I would prefer to use that auth method but my provider does not support it. The HTTP customizer approach seems to work well. If anyone else tries something similar make sure to update the content-length
header when modifying the body like the got
project's hook documentation suggests,
We are using an OIDC provider which only supports
client_secret_post
orclient_secret_basic
for the token endpoint auth methods. We are implementing a CLI using an authorization code grant which does not use a client secret. For this to work we need to explicitly send along a client secret, but it needs to be an empty string. The following two spots are throwing errors in this case:https://github.com/panva/node-openid-client/blob/master/lib/helpers/client.js#L62 https://github.com/panva/node-openid-client/blob/master/lib/helpers/client.js#L95
Would it be acceptable to submit a PR to change those two spots to explicitly check for
null
orundefined
so we can pass through an empty string? If so I'd be happy to submit one.