Description
oidcc version: 3.5.2
Erlang version: 26.2.5.13
Elixir version: 1.18.4
Summary
https://openid.net/specs/openid-connect-discovery-1_0.html specifies that
token_endpoint_auth_methods_supported
OPTIONAL. JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
However, it seems to me that the test at test/oidcc_auth_util_test.erl checks that oidcc returns the no_supported_auth_method error when token_endpoint_auth_methods_supported is unset.
Current behavior
This is also confirmed by my attempt to use this library against Pocket ID. By recompiling Pocket ID to specify token_endpoint_auth_methods_supported in the well-known config, oidcc then stops raising no_supported_auth_method and login works as expected.
How to reproduce
See above (Pocket ID); or use a quirk to erase token_endpoint_auth_methods_supported out of the well-known/openid-configuration of a working provider using client_secret_basic.
Expected behavior
Although it would be possible to specify a quirk (e.g. similar to #392) to insert the missing field for providers that do not set token_endpoint_auth_methods_supported, I believe it would make more sense to default to client_secret_basic (unless I'm missing something, that is), as documented on https://openid.net/specs/openid-connect-discovery-1_0.html.
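As an added illustration of the defaulting behaviour the spec asks for (example code written for this report, not oidcc's own implementation; the module and function names, and the sample metadata maps, are made up), the selection below substitutes client_secret_basic when the OP omits token_endpoint_auth_methods_supported, and only returns no_supported_auth_method when the advertised (or defaulted) list has nothing in common with what the client can do:

```erlang
%% Hypothetical helper (not part of oidcc): choose a token-endpoint client
%% authentication method from parsed openid-configuration metadata,
%% applying the OpenID Connect Discovery 1.0 default when the field is absent.
-module(auth_method_default).
-export([supported_methods/1, select_method/2, demo/0]).

%% Discovery 1.0: "If omitted, the default is client_secret_basic".
-define(DEFAULT_METHODS, [<<"client_secret_basic">>]).

%% Return the methods the OP advertises, or the spec default if the key
%% is missing from the metadata map.
-spec supported_methods(map()) -> [binary()].
supported_methods(#{<<"token_endpoint_auth_methods_supported">> := Methods})
  when is_list(Methods) ->
    Methods;
supported_methods(#{}) ->
    ?DEFAULT_METHODS.

%% Pick the first client-preferred method the OP supports. Preferred is the
%% ordered list of methods this client is configured to perform.
-spec select_method(map(), [binary()]) ->
          {ok, binary()} | {error, no_supported_auth_method}.
select_method(Metadata, Preferred) ->
    Supported = supported_methods(Metadata),
    case [M || M <- Preferred, lists:member(M, Supported)] of
        [Method | _] -> {ok, Method};
        []           -> {error, no_supported_auth_method}
    end.

%% Constructed sample metadata: one provider that omits the field (as the
%% report describes), one that only advertises private_key_jwt.
demo() ->
    WithoutField = #{<<"issuer">>         => <<"https://op.example">>,
                     <<"token_endpoint">> => <<"https://op.example/token">>},
    WithField = WithoutField#{<<"token_endpoint_auth_methods_supported">> =>
                                  [<<"private_key_jwt">>]},
    %% A client holding only a shared secret.
    Preferred = [<<"client_secret_basic">>, <<"client_secret_post">>],
    [select_method(WithoutField, Preferred),
     select_method(WithField, Preferred)].
```

With the metadata above, the first call resolves to client_secret_basic via the default, while the second correctly yields no_supported_auth_method because the client cannot perform private_key_jwt.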