panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Support other status code than 200 #666

Closed DESOOMERPierre closed 8 months ago

DESOOMERPierre commented 8 months ago

Describe the bug

Hey there,

I am facing an issue where the provider (CrowdStrike) I am trying to connect to returns a status code 201 when requesting the authorization token. The problem is that processResponse always expects a status code 200 and therefore throws an error. Is there a workaround already implemented?

To Reproduce

Issuer and Client configuration:

import { Issuer, BaseClient } from "openid-client";
// Assumed shape of the constructor arguments (not shown in the original report).
interface Args {
  tokenEndpoint: string;
  clientId: string;
  clientSecret: string;
  clientAuthentication: "client_secret_basic" | "client_secret_post";
}
export class TokenClient {
  private client: BaseClient;
  public constructor({ tokenEndpoint, clientId, clientSecret, clientAuthentication }: Args) {
    // Issuer built by hand (no discovery document): only the token endpoint is known.
    const issuer = new Issuer({
      issuer: "generic_issuer",
      token_endpoint: tokenEndpoint,
      token_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
    });
    this.client = new issuer.Client({
      client_id: clientId,
      client_secret: clientSecret,
      token_endpoint_auth_method: clientAuthentication,
    });
  }
}

Steps to reproduce the behaviour:

  1. Use client credentials and request a CrowdStrike endpoint

Expected behaviour

The best option I can propose so far is having the possibility to override the expected code by the processResponse function.


panva commented 8 months ago

Since RFC6749 says it should be 200, I believe this should be solved with your provider, not downstream in client packages.

fab-mindflow commented 8 months ago

You're right. This is non-standard. However, what if the provider can't easily change their authentication server implementation (in this case, returning 200 instead of 201, which can affect other implementations sadly relying on this)?

Is there any option with node-oidc-client we can consider to override the 201 response (ex: lower level HTTP client layer) to avoid going into a custom for this specific provider?

panva commented 8 months ago

Is there any option with node-oidc-client we can consider to override the 201 response

Not that I'm aware of. This is an IdP issue that should be solved by your provider. I won't extend (and maintain) an API surface so that providers can play loose with the standards.

panva commented 8 months ago

FWIW with https://github.com/panva/oauth4webapi you could instantiate a Response from the one you got, with all of its original properties except for a changed http status code before passing it to the appropriate handler.

It's a lower level API module and definitely not for everyone.
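The re-wrapping panva describes, as an added example that is not code from openid-client or oauth4webapi. It assumes a runtime with the global fetch Response (Node 18+), that the only deviation to tolerate is the 201 reported above, and that the result is then handed to oauth4webapi's processClientCredentialsResponse; error replies (4xx/5xx) are deliberately left untouched so the handler still sees the real status.

```javascript
// Normalise a token-endpoint reply that arrives as 201 into a 200 before
// passing it to a processor that strictly requires 200. Only the one known
// deviation is rewritten; every other status passes through unchanged.
const TOKEN_ENDPOINT_DEVIATIONS = new Set([201]); // assumed: the 201 from the report

function normalizeTokenResponse(response) {
  if (!TOKEN_ENDPOINT_DEVIATIONS.has(response.status)) {
    return response; // 200 and genuine error replies are not touched
  }
  const contentType = response.headers.get("content-type") ?? "";
  if (!contentType.startsWith("application/json")) {
    return response; // a 201 without a JSON body is not a token response
  }
  // Rebuild the Response: same body stream and headers, status forced to 200.
  return new Response(response.body, {
    status: 200,
    statusText: "OK",
    headers: response.headers,
  });
}

// Constructed sample replies for local testing (not real provider traffic).
function sample201() {
  return new Response(JSON.stringify({ access_token: "dummy", token_type: "bearer" }), {
    status: 201,
    headers: { "content-type": "application/json" },
  });
}
function sample400() {
  return new Response(JSON.stringify({ error: "invalid_client" }), {
    status: 400,
    headers: { "content-type": "application/json" },
  });
}

// Usage: const res = normalizeTokenResponse(await fetch(tokenEndpoint, init));
// then pass `res` to processClientCredentialsResponse(as, client, res).
```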