jumbojett · Magentron · Nov 28, 2022 · Nov 28, 2022 · Dec 30, 2022 · Apr 3, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Cast `$_SERVER['SERVER_PORT']` to integer to prevent adding 80 or 443 port to redirect URL. #403
 - Check subject when verifying JWT #406
 - Removed duplicate check on jwks_uri and only check if jwks_uri exists when needed #373
+* Enabled `client_secret_basic` authentication on `requestClientCredentialsToken()` #347
 
 ## [1.0.0] - 2023-12-13
 

diff --git a/README.md b/README.md
@@ -1,3 +1,5 @@
+NB: This is a fork from [jumbojett/OpenID-Connect-PHP](https://github.com/jumbojett/OpenID-Connect-PHP) to allow client basic authentication on obtaining the access token.
+
 PHP OpenID Connect Basic Client
 ========================
 A simple library that allows an application to authenticate a user through the basic OpenID Connect flow.
@@ -14,7 +16,7 @@ A special thanks goes to Justin Richer and Amanda Anganes for their help and sup
 ## Install ##
 1. Install library using composer
 ```
-composer require jumbojett/openid-connect-php
+composer require magentron/openid-connect-php
 ```
 
 2. Include composer autoloader

diff --git a/composer.json b/composer.json
@@ -1,6 +1,6 @@
 {
-    "name": "jumbojett/openid-connect-php",
-    "description": "Bare-bones OpenID Connect client",
+    "name": "magentron/openid-connect-php",
+    "description": "Bare-bones OpenID Connect client (forked to allow client secret basic authentication on obtaining access token)",
     "license": "Apache-2.0",
     "require": {
         "php": ">=7.0",
@@ -13,6 +13,9 @@
         "roave/security-advisories": "dev-latest",
         "yoast/phpunit-polyfills": "^2.0"
     },
+	"replace": {
+		"jumbojett/openid-connect-php": "<=0.9.10"
+	},
     "archive" : {
         "exclude" : [
             ".*"

diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
@@ -803,12 +803,12 @@ public function requestClientCredentialsToken() {
         $grant_type = 'client_credentials';
 
         $post_data = [
-            'grant_type'    => $grant_type,
-            'client_id'     => $this->clientID,
-            'client_secret' => $this->clientSecret,
-            'scope'         => implode(' ', $this->scopes)
+            'grant_type' => $grant_type,
+            'scope'      => implode(' ', $this->scopes)
         ];
 
+        $this->setOptionalBasicAuthentication($headers, $post_data);
+
         // Convert token params to string format
         $post_params = http_build_query($post_data, '', '&', $this->encType);
 
@@ -839,13 +839,7 @@ public function requestResourceOwnerToken(bool $bClientAuth = false) {
 
         //For client authentication include the client values
         if($bClientAuth) {
-            $token_endpoint_auth_methods_supported = $this->getProviderConfigValue('token_endpoint_auth_methods_supported', ['client_secret_basic']);
-            if ($this->supportsAuthMethod('client_secret_basic', $token_endpoint_auth_methods_supported)) {
-                $headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret))];
-            } else {
-                $post_data['client_id']     = $this->clientID;
-                $post_data['client_secret'] = $this->clientSecret;
-            }
+            $this->setOptionalBasicAuthentication($headers, $post_data);
         }
 
         // Convert token params to string format
@@ -854,6 +848,23 @@ public function requestResourceOwnerToken(bool $bClientAuth = false) {
         return json_decode($this->fetchURL($token_endpoint, $post_params, $headers), false);
     }
 
+    /**
+     * Use client basic authentication if supported.
+     *
+     * @param array $headers
+     * @param array $post_data
+     * @throws OpenIDConnectClientException
+     */
+    protected function setOptionalBasicAuthentication(&$headers, &$post_data) {
+        $token_endpoint_auth_methods_supported = $this->getProviderConfigValue('token_endpoint_auth_methods_supported', ['client_secret_basic']);
+
+        if ($this->supportsAuthMethod('client_secret_basic', $token_endpoint_auth_methods_supported)) {
+            $headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret))];
+        } else {
+            $post_data['client_id']     = $this->clientID;
+            $post_data['client_secret'] = $this->clientSecret;
+        }
+    }
 
     /**
      * Requests ID and Access tokens