You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Satosa OIDC backend plugin fails to respect the token_endpoint_authn_methods_supported configuration from the OpenID Connect Provider during the token request, defaulting to client_secret_basic regardless of the provider's supported authentication methods.
Code Version
8.4.0
Expected Behavior
The Satosa OIDC backend plugin, when configured for Dynamic Discovery, should retrieve the supported token endpoint authentication methods from the OpenID Connect Provider's configuration (.well-known/openid-configuration endpoint) and use the appropriate method for the token request, as specified by the provider
Current Behavior
The plugin currently queries the wrong key (token_endpoint_authn_method) from the Provider configuration. According to the OpenID Provider Configuration Response specification, the correct key should be token_endpoint_authn_methods_supported. This leads to Satosa defaulting to the client_secret_basic method for token endpoint authentication, regardless of what is specified by the provider.
Steps to Reproduce
Configure Satosa OIDC backend plugin for Dynamic Discovery with an OpenID Connect Provider that supports client_secret_post (or any method other than client_secret_basic).
Initiate the OpenID Connect flow and observe the token request.
Satosa sends the request using the client_secret_basic method, despite the provider supporting a different authentication method (e.g., client_secret_post).
The text was updated successfully, but these errors were encountered:
Satosa OIDC backend plugin fails to respect the
token_endpoint_authn_methods_supportedconfiguration from the OpenID Connect Provider during the token request, defaulting toclient_secret_basicregardless of the provider's supported authentication methods.Code Version
8.4.0
Expected Behavior
The Satosa OIDC backend plugin, when configured for Dynamic Discovery, should retrieve the supported token endpoint authentication methods from the OpenID Connect Provider's configuration (
.well-known/openid-configurationendpoint) and use the appropriate method for the token request, as specified by the providerCurrent Behavior
The plugin currently queries the wrong key (
token_endpoint_authn_method) from the Provider configuration. According to the OpenID Provider Configuration Response specification, the correct key should betoken_endpoint_authn_methods_supported. This leads to Satosa defaulting to theclient_secret_basicmethod for token endpoint authentication, regardless of what is specified by the provider.Steps to Reproduce
client_secret_post(or any method other thanclient_secret_basic).client_secret_basicmethod, despite the provider supporting a different authentication method (e.g.,client_secret_post).The text was updated successfully, but these errors were encountered: