Feature request: Add client_secret on Generic OAuth 2.0 Client

[ricardo-a-alves-alb]

Our in-house OAuth provider requires that we send the client_secret on the validateAuthorizationCode method.

Is it possible to add such feature? There are some internal providers that use this so I think it would make sense to be able to do it on Generic OAuth 2.0 Client aswell.

Example (Apple Provider):

arctic/src/providers/apple.ts

Lines 49 to 50 in bbf6128

	const clientSecret = await this.createClientSecret();
	body.set("client_secret", clientSecret);

[pilcrowonpaper]

I've come around to the idea, but I don't have an API that I really like.

Not a big fan of magic strings:

const client = new arctic.OAuth2Client(clientId, clientSecret, redirectURI, arctic.OAuth2AuthenticationMethod.HTTPBasic);
const client = new arctic.OAuth2Client(clientId, clientSecret, redirectURI, arctic.OAuth2AuthenticationMethod.Body);

Too much duplicate code:

const client = new arctic.OAuth2PublicClient();
const client = new arctic.OAuth2ClientHTTPBasicAuth();
const client = new arctic.OAuth2ClientBodyAuth();

interface OAuth2Client {
  createAuthorizationCode(/* ... */): URL;
  validateAuthorizationCode(/* ... */): OAuth2Tokens;
}

Wordy but works. Might be able to support client assertion?

const authentication = new arctic.OAuth2HTTPBasicAuthenticationStrategy(clientSecret);
const authentication = new arctic.OAuth2RequestBodyAuthentication(clientSecret);
const client = new arctic.OAuth2Client(clientId, redirectURI, authentication);

interface OAuth2Authentication {
  setCredentials(request: Request): void;
}

Simple but wordy:

await client.validateAuthorization(); // http basic
await client.validateAuthorizationWithClientSecret(); 

await client.refreshAccessToken(); // http basic
await client.refreshAccessTokenWithClientSecret(); 

await client.revokeToken(); // http basic
await client.revokeTokenWithClientSecret(); 

[ricardo-a-alves-alb]

While I think this would be the best option, it would be a breaking change:

Wordy but works. Might be able to support client assertion?

const authentication = new arctic.OAuth2HTTPBasicAuthenticationStrategy(clientSecret);
const authentication = new arctic.OAuth2RequestBodyAuthentication(clientSecret);
const client = new arctic.OAuth2Client(clientId, redirectURI, authentication);

interface OAuth2Authentication {
  setCredentials(request: Request): void;
}

I believe this would be the best option to be fair, would not break the current implementation and the only change needed would be adding these methods, keeping the constructor as-is.

Simple but wordy:

await client.validateAuthorization(); // http basic
await client.validateAuthorizationWithClientSecret(); 

await client.refreshAccessToken(); // http basic
await client.refreshAccessTokenWithClientSecret(); 

await client.revokeToken(); // http basic
await client.revokeTokenWithClientSecret();

Provide your input on your thoughts and I'll make the changes on the Pull Request associated with this issue.

Note: If we agree on going the last route, I suggest renaming the parameter clientPassword to clientSecret.

[ricardo-a-alves-alb]

Made the changes in the PR. Waiting for your review @pilcrowonpaper