oidc-client-ts
Support for Basic Auth Client Authentication with client_id Only
I'm currently using the oidc-client-ts library for implementing OAuth 2.0 authorization code flow with PKCE in a React frontend application. The VMWare CSP identity provider I'm working with requires the client_id to be included in the Basic Auth header during the access token request, even if there's no client_secret provided. More specifically, the IDP requires a Base64 string of `<client_id>:<empty_value>` to be passed in as the Basic Auth header during the request.
However, the oidc-client-ts library currently supports client authentication using the Basic Auth header with both the client_id and client_secret. It does not provide an option to include the client_id only in the Basic Auth header without a client_secret.
I would like to request support for including the client_id in the Basic Auth header during the access token request, even when no client_secret is provided. This would ensure compliance with the requirements of the VMWare CSP identity provider and other similar implementations.
I also want to seek clarification on whether what this IDP requires is spec compliant, so that I may get them to change their procedures instead.
If there's an easy work-around to this, I would love to know it as well, as I'm currently forced to fork the library in order to get it to work.
Thank you for your support.
I guess you mean this https://www.rfc-editor.org/rfc/rfc6749#section-4.3.2.
The code affecting this is here: https://github.com/authts/oidc-client-ts/blob/2533ed255d4aee40a97053ee57343bda9894c426/src/TokenClient.ts#L108-L113
I guess `if (!client_secret) {` does not work for empty; you will need to check if changing this to `if (client_secret === undefined) {` makes it work for you...
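As an added example (not oidc-client-ts code and not from either poster), this contrasts the two checks discussed above for a client whose secret is explicitly empty; the credential is built the way RFC 6749 section 2.3.1 describes it (form-urlencode each part, join with ":", Base64). The function and parameter names are assumptions.

```javascript
// Added example, not the library's implementation: shows how the choice between
// `!client_secret` and `client_secret === undefined` decides whether a public
// client with an empty secret sends "Authorization: Basic base64(client_id:)".

// RFC 6749 §2.3.1: form-urlencode client_id and client_secret, join with ":",
// then Base64-encode. An empty secret yields "<client_id>:".
function basicAuthHeader(clientId, clientSecret) {
  const creds = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
  return "Basic " + Buffer.from(creds, "utf8").toString("base64");
}

// Assemble the token request (hypothetical helper; names are assumptions).
// mode "falsy":     skip the header when client_secret is "", null or undefined,
//                   and send client_id in the body instead (the behaviour reported).
// mode "undefined": skip the header only when client_secret was never set, so an
//                   explicit "" still produces the Basic header the CSP IDP expects.
function buildTokenRequest({ client_id, client_secret, code, code_verifier, redirect_uri }, mode) {
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  const body = new URLSearchParams({
    grant_type: "authorization_code", code, code_verifier, redirect_uri,
  });

  const secretMissing = mode === "undefined" ? client_secret === undefined : !client_secret;
  if (secretMissing) {
    body.set("client_id", client_id); // public client: identify in the body only
  } else {
    headers.Authorization = basicAuthHeader(client_id, client_secret ?? "");
  }
  return { headers, body: body.toString() };
}

// Constructed sample values; nothing is sent anywhere.
const sample = {
  client_id: "my-spa-client",
  client_secret: "",            // explicitly empty, as in the reporter's setup
  code: "constructed-auth-code",
  code_verifier: "constructed-pkce-verifier-0123456789abcdef",
  redirect_uri: "https://app.example.com/callback",
};

// With the "falsy" check the header is dropped; with the "undefined" check
// it becomes "Basic bXktc3BhLWNsaWVudDo=" (Base64 of "my-spa-client:").
console.log(buildTokenRequest(sample, "falsy").headers.Authorization);
console.log(buildTokenRequest(sample, "undefined").headers.Authorization);
```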