OpenID-Connect-PHP
Basic authentication header is set regardless of use of basic auth?
In the requestTokens function, the following code was added two years ago:
```php
# Consider Basic authentication if provider config is set this way
if (in_array('client_secret_basic', $token_endpoint_auth_methods_supported)) {
    $headers = ['Authorization: Basic ' . base64_encode($this->clientID . ':' . $this->clientSecret)];
    unset($token_params['client_secret']);
}
```
So if client_secret_basic is one of the possible token endpoint authentication methods, that header will be added, regardless of whether the method is actually used. For example, for Azure I was using client_secret_post, and that failed, because the client_secret token param is also unset.
Or am I missing something here?
You can disable it as follows:
```php
$oidc->providerConfigParam([
    'token_endpoint_auth_methods_supported' => []
]);
```
I think this ends up breaking logging in with Okta, which throws an error. This was mentioned in #75, but I didn't see a great fix.
Cannot supply multiple client credentials. Use one of the following: credentials in the Authorization header, credentials in the post body, or a client_assertion in the post body.
Okta's well-known config reports:
```json
"token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"],
```
This "auto discovery" of the authentication method (Basic vs. POST) is likely not to work properly; I also got stuck on it using OneLogin. Maybe it would be better to remove it altogether and add a class property authorizationMethod for it with a public setter method. Default should be POST, I think.
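One way to make the choice explicit, along the lines the last comment proposes: the client picks one token endpoint auth method, the discovery list is only used to validate that choice, and exactly one credential ever leaves the client. This is an added example, not code from OpenID-Connect-PHP; buildTokenRequest, its parameters and the sample values are hypothetical (PHP 8).

```php
<?php
// Hypothetical helper, not part of OpenID-Connect-PHP. Instead of inferring
// Basic auth from token_endpoint_auth_methods_supported, take the method as an
// explicit argument and return [headers, postParams] carrying one credential.
function buildTokenRequest(
    string $method,           // 'client_secret_post' | 'client_secret_basic' | 'none'
    array $supportedMethods,  // token_endpoint_auth_methods_supported from discovery
    string $clientId,
    string $clientSecret,
    array $params             // grant_type, code, redirect_uri, ...
): array {
    // Discovery only validates the configured choice; it never selects it.
    if ($supportedMethods !== [] && !in_array($method, $supportedMethods, true)) {
        throw new InvalidArgumentException("Provider does not advertise $method");
    }
    // Drop any credential already in the body so it cannot be sent twice
    // (Okta rejects requests that carry credentials in header and body).
    unset($params['client_secret'], $params['client_id']);
    $headers = ['Content-Type: application/x-www-form-urlencoded'];

    switch ($method) {
        case 'client_secret_basic':
            // RFC 6749 section 2.3.1: id and secret are form-urlencoded
            // before being used as the Basic username and password.
            $headers[] = 'Authorization: Basic ' . base64_encode(
                rawurlencode($clientId) . ':' . rawurlencode($clientSecret)
            );
            break;
        case 'client_secret_post':
            $params['client_id'] = $clientId;
            $params['client_secret'] = $clientSecret;
            break;
        case 'none':
            $params['client_id'] = $clientId; // public client, no secret at all
            break;
        default:
            throw new InvalidArgumentException("Unsupported method $method");
    }
    return [$headers, $params];
}

// Constructed sample reproducing the Okta discovery list from this thread.
$supported = ['client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'none'];
$body = ['grant_type' => 'authorization_code', 'code' => 'abc', 'redirect_uri' => 'https://app.example/cb'];
[$h, $p] = buildTokenRequest('client_secret_post', $supported, 'my-client', 's3cret', $body);
assert(count($h) === 1 && isset($p['client_secret']));                          // body only
[$h, $p] = buildTokenRequest('client_secret_basic', $supported, 'my-client', 's3cret', $p);
assert(str_starts_with($h[1], 'Authorization: Basic ') && !isset($p['client_secret'])); // header only
```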