Closed javigonz closed 3 years ago
This makes little sense to me. If you don't have a secret issued use the token_endpoint_auth_method client property none
. Otherwise, secret is required for the client_secret based authentication methods.
According to your documentation, as described in RFC6749, client_id
and client_secret
are required but Client may omit client_secret
if is a empty string, so I think that you are not according with the official documentation.
client_id
REQUIRED. The client identifier issued to the client during
the registration process described by Section 2.2.
client_secret
REQUIRED. The client secret. The client MAY omit the
parameter if the client secret is an empty string.
@panva is correct here, it might be due to next-auth
not exposing an option you need. I'll look into how we could expose all relevant openid-client
options on our side.
This lib is fantastic! 🙏
Describe the bug We are working in a provider which only supports
client_secret_post
orclient_secret_basic
for the token endpoint auth methods, and the authorization code grant which does not use aclient_secret
parameter.As it said in the offical OAuth 2.0 Authorization Framework documentation (https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1), The client MAY omit the parameter if the client secret is an empty string.
But having a look to the code (lib/helpers/client.js), into
authFor
method this is not happens by default, it setclient_secret
parameter mandatory. I mean, ifclient_secret
is an empty string it should return an object with justclient_id
and if not leave it as it is now, but that not happens in this code, so I think it does not conform to the standard as I mentioned before.To Reproduce Set a client with
token_endpoint_auth_method: 'client_secret_basic'
, set theclient_id
and theclient_secret
to an empty string. Some kind of message like this is showed:Environment: System: OS: macOS 11.5.2 CPU: (8) x64 Intel(R) Core(TM) i7-4770HQ CPU @ 2.20GHz Memory: 326.37 MB / 16.00 GB Shell: 5.8 - /bin/zsh Binaries: Node: 12.13.0 - /usr/local/bin/node Yarn: 1.19.1 - ~/.yarn/bin/yarn npm: 6.9.0 - /usr/local/bin/npm Watchman: 4.9.0 - /usr/local/bin/watchman Browsers: Chrome: 95.0.4628.3 Safari: 14.1.2 npmPackages: next: ^11.1.0 => 11.1.0 next-auth: 4.0.0-beta.2 => 4.0.0-beta.2 react: ^17.0.2 => 17.0.2