OIDC: issue on token endpoint with method client_secret_basic
Hi, I have an issue when trying to get the tokens on the token endpoint with the client_secret_basic method.
This has been tested with a client application and with the Postman process to get an access token.
The issue is "invalid_request", with the error "Multiple client authentication methods used" in the logs.
In OpenIDConnect.pm, we have the code below:
use MIME::Base64 qw(decode_base64);    # provides decode_base64()

sub getEndPointAuthenticationCredentials {
    my ( $self, $req ) = @_;
    my ( $client_id, $client_secret );
    my $authorization = $req->authorization;

    # Base64 may contain '+', '/' and '=', which \w does not match
    if ( $authorization and $authorization =~ m{^Basic ([A-Za-z0-9+/=]+)}i ) {
        $self->logger->debug("Method client_secret_basic used");
        eval {
            # limit of 2: a client_secret may itself contain ':'
            ( $client_id, $client_secret ) =
              split( /:/, decode_base64($1), 2 );
        };
        $self->logger->error("Bad authentication header: $@") if ($@);

        # Using multiple methods is an error
        if ( $req->param('client_id') ) {
            $self->logger->error("Multiple client authentication methods used");
            ( $client_id, $client_secret ) = ( undef, undef );
        }
    }
    elsif ( $req->param('client_id') and $req->param('client_secret') ) {
        $self->logger->debug("Method client_secret_post used");
        $client_id     = $req->param('client_id');
        $client_secret = $req->param('client_secret');
    }
    elsif ( $req->param('client_id') and !$req->param('client_secret') ) {
        $self->logger->debug("Method none used");
        $client_id = $req->param('client_id');
    }
    return ( $client_id, $client_secret );
}
The problem comes from the fact that if the client_id is present both in the request body and in the Authorization header, the error is raised. But in this case the client_id can legitimately be part of the request body. It is not an authentication from the body, because the client_secret is not in the request body.
This change can be done:
use MIME::Base64 qw(decode_base64);    # provides decode_base64()

sub getEndPointAuthenticationCredentials {
    my ( $self, $req ) = @_;
    my ( $client_id, $client_secret );
    my $authorization = $req->authorization;

    # Base64 may contain '+', '/' and '=', which \w does not match
    if ( $authorization and $authorization =~ m{^Basic ([A-Za-z0-9+/=]+)}i ) {
        $self->logger->debug("Method client_secret_basic used");
        eval {
            # limit of 2: a client_secret may itself contain ':'
            ( $client_id, $client_secret ) =
              split( /:/, decode_base64($1), 2 );
        };
        $self->logger->error("Bad authentication header: $@") if ($@);

        # Using multiple methods is an error: only client_id AND client_secret
        # in the body count as a second (client_secret_post) authentication
        if ( $req->param('client_id') and $req->param('client_secret') ) {
            $self->logger->error("Multiple client authentication methods used");
            ( $client_id, $client_secret ) = ( undef, undef );
        }
    }
    elsif ( $req->param('client_id') and $req->param('client_secret') ) {
        $self->logger->debug("Method client_secret_post used");
        $client_id     = $req->param('client_id');
        $client_secret = $req->param('client_secret');
    }
    elsif ( $req->param('client_id') and !$req->param('client_secret') ) {
        $self->logger->debug("Method none used");
        $client_id = $req->param('client_id');
    }
    return ( $client_id, $client_secret );
}
Thank you for the update you can do.
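To make the behavioural difference between the original check and the proposed one concrete, here is an added Python re-implementation of the credential resolution (it is not LemonLDAP::NG code; the function names, the `strict` switch and the sample client "myclient"/"s3cr3t" are assumptions for the example). It also goes one step beyond the proposed patch: when a client_id is sent in both the header and the body, the two must agree, otherwise the request is rejected rather than the body value being ignored.

```python
import base64
from typing import Dict, Optional, Tuple

# (client_id, client_secret, method); method is None when rejected or absent
Creds = Tuple[Optional[str], Optional[str], Optional[str]]
REJECTED: Creds = (None, None, None)

def basic_header(client_id: str, client_secret: str) -> str:
    """Build a client_secret_basic Authorization header (constructed sample input)."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return f"Basic {token}"

def parse_basic(token: str) -> Optional[Tuple[str, str]]:
    """Decode the Basic token into (client_id, client_secret); None if malformed."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    client_id, client_secret = raw.split(":", 1)  # a secret may itself contain ':'
    return client_id, client_secret

def endpoint_credentials(authorization: Optional[str], params: Dict[str, str],
                         strict: bool = False) -> Creds:
    """Resolve token-endpoint client credentials as the issue describes.

    strict=True reproduces the original check (any body client_id next to a Basic
    header is a second method); strict=False applies the proposed check (only
    client_id plus client_secret in the body is a second method). Beyond the
    proposed patch, a body client_id that differs from the header's is rejected
    instead of being silently ignored.
    """
    if authorization and authorization.lower().startswith("basic "):
        basic = parse_basic(authorization[6:].strip())
        if basic is None:
            return REJECTED  # "Bad authentication header"
        client_id, client_secret = basic
        if params.get("client_id") and (strict or params.get("client_secret")):
            return REJECTED  # "Multiple client authentication methods used"
        if params.get("client_id", client_id) != client_id:
            return REJECTED  # header and body disagree about the client
        return client_id, client_secret, "client_secret_basic"
    if params.get("client_id") and params.get("client_secret"):
        return params["client_id"], params["client_secret"], "client_secret_post"
    if params.get("client_id"):
        return params["client_id"], None, "none"
    return REJECTED
```

With `strict=True` the Postman-style request (Basic header plus `client_id` in the body) is rejected exactly as in the issue; with the proposed check it authenticates as client_secret_basic, while a body that also carries `client_secret` is still refused.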