pow-auth / assent

Multi-provider framework in Elixir
https://powauth.com
MIT License

Permit any auth method by default #116

Closed danschultzer closed 1 year ago

danschultzer commented 1 year ago

Working on #115 uncovered this issue.

I'm unsure exactly what's meant in the RFC:

> token_endpoint_auth_methods_supported
> OPTIONAL.  JSON array containing a list of client authentication
> methods supported by this token endpoint.  Client authentication
> method values are used in the "token_endpoint_auth_method"
> parameter defined in [Section 2 of \[RFC7591\]](https://www.rfc-editor.org/rfc/rfc7591#section-2).  If omitted, the
> default is "client_secret_basic" -- the HTTP Basic Authentication
> Scheme specified in [Section 2.3.1](https://www.rfc-editor.org/rfc/rfc8414.html#section-2.3.1) of OAuth 2.0 [[RFC6749](https://www.rfc-editor.org/rfc/rfc6749)].

This PR errs on the side of just allowing any valid auth method if the server doesn't specify any.
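
The two readings of an omitted `token_endpoint_auth_methods_supported` discussed above, side by side, as an added example that is not code from this PR or from Assent. The module `AuthMethodCheck`, its function names, the `:strict`/`:permissive` modes and the discovery documents are all assumptions made for illustration.

```elixir
defmodule AuthMethodCheck do
  # Hypothetical module (not Assent's API): checks a client's configured token
  # endpoint auth method against the provider's discovery metadata.

  # Method names registered by RFC 7591 section 2 and OpenID Connect Core section 9.
  @known ~w(client_secret_basic client_secret_post client_secret_jwt private_key_jwt none)

  # `mode` decides how a missing "token_endpoint_auth_methods_supported" is read:
  #   :strict     - only the stated default, "client_secret_basic"
  #   :permissive - any known method (the reading this PR describes)
  def permitted?(metadata, method, mode \\ :permissive)

  def permitted?(_metadata, method, _mode) when method not in @known,
    do: {:error, {:unknown_auth_method, method}}

  def permitted?(metadata, method, mode) when mode in [:strict, :permissive] do
    case Map.fetch(metadata, "token_endpoint_auth_methods_supported") do
      # The provider listed its methods: the list is authoritative in both modes.
      {:ok, supported} when is_list(supported) ->
        check(method, supported)

      # Key present but not a JSON array: reject the metadata instead of guessing.
      {:ok, other} ->
        {:error, {:invalid_metadata, other}}

      :error when mode == :strict ->
        check(method, ["client_secret_basic"])

      :error ->
        check(method, @known)
    end
  end

  defp check(method, allowed) do
    if method in allowed, do: :ok, else: {:error, {:unsupported_auth_method, method, allowed}}
  end
end

# Constructed discovery documents, not taken from a real provider.
silent = %{"issuer" => "https://idp.example"}
explicit = Map.put(silent, "token_endpoint_auth_methods_supported", ["private_key_jwt"])

IO.inspect(AuthMethodCheck.permitted?(silent, "client_secret_post", :strict), label: "omitted, strict")
IO.inspect(AuthMethodCheck.permitted?(silent, "client_secret_post", :permissive), label: "omitted, permissive")
IO.inspect(AuthMethodCheck.permitted?(explicit, "client_secret_post"), label: "listed, permissive")
```

In both modes an explicit list from the provider still rejects a method it does not contain; the modes differ only when the key is absent.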