OpenID-Connect-PHP
The client_secret_basic auth method does not unset the client_id parameter, and instead passes client_id as a body param
Here in the code you can see the client_secret getting unset: https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/src/OpenIDConnectClient.php#L706
```php
$token_params = array(
    'grant_type' => $grant_type,
    'code' => $code,
    'redirect_uri' => $this->getRedirectURL(),
    'client_id' => $this->clientID,
    'client_secret' => $this->clientSecret
);
# Consider Basic authentication if provider config is set this way
if (in_array('client_secret_basic', $token_endpoint_auth_methods_supported)) {
    $headers = ['Authorization: Basic ' . base64_encode($this->clientID . ':' . $this->clientSecret)];
    unset($token_params['client_secret']);
}
```
However, the client_id still ends up in $token_params and so gets passed in the POST body.
Some providers (e.g. Intuit) will return invalid_client if you include the client_id as a POST body param. You can see Intuit doesn't document client_id here as a param:
https://developer.intuit.com/app/developer/qbo/docs/develop/authentication-and-authorization/openid-connect#step-5-exchange-authorization-code-to-obtain-id-token-and-access-token
If you change it to unset the client_id as well it works:
```php
# Consider Basic authentication if provider config is set this way
if (in_array('client_secret_basic', $token_endpoint_auth_methods_supported)) {
    $headers = ['Authorization: Basic ' . base64_encode($this->clientID . ':' . $this->clientSecret)];
    unset($token_params['client_secret']);
    unset($token_params['client_id']);
}
```
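As an added example (not code from OpenID-Connect-PHP or from the issue author), here is a standalone PHP function that builds the token-endpoint request the way the proposed fix describes: when the provider's discovery document advertises `client_secret_basic`, both client credentials move to the `Authorization` header and neither `client_id` nor `client_secret` is left in the form body; otherwise both stay in the body (`client_secret_post`). The function name `buildTokenRequest`, the provider metadata, the client id, secret, code and redirect URI are all constructed sample values.

```php
<?php
declare(strict_types=1);

/**
 * Build the headers and form body for an authorization_code token request.
 *
 * Added example, not library code. With client_secret_basic the credentials
 * are sent only in the Authorization header; some providers answer
 * invalid_client if client_id is also present in the body, so it is removed.
 *
 * @param string[] $authMethodsSupported token_endpoint_auth_methods_supported
 *                                       from the provider's discovery document
 * @return array{headers: string[], body: array<string,string>}
 */
function buildTokenRequest(
    array $authMethodsSupported,
    string $clientId,
    string $clientSecret,
    string $code,
    string $redirectUri
): array {
    $body = [
        'grant_type'    => 'authorization_code',
        'code'          => $code,
        'redirect_uri'  => $redirectUri,
        'client_id'     => $clientId,
        'client_secret' => $clientSecret,
    ];
    $headers = ['Content-Type: application/x-www-form-urlencoded'];

    if (in_array('client_secret_basic', $authMethodsSupported, true)) {
        // RFC 6749 section 2.3.1: the Basic credential is
        // base64(form-urlencode(client_id) . ':' . form-urlencode(client_secret)).
        $credential = base64_encode(urlencode($clientId) . ':' . urlencode($clientSecret));
        $headers[]  = 'Authorization: Basic ' . $credential;
        // The header now authenticates the client; drop both fields from the body.
        unset($body['client_secret'], $body['client_id']);
    }

    return ['headers' => $headers, 'body' => $body];
}

// Constructed sample values (hypothetical provider and client, not real ones).
$request = buildTokenRequest(
    ['client_secret_basic', 'client_secret_post'],
    'sample-client-id',
    'sample-client-secret',
    'sample-authorization-code',
    'https://client.example.org/cb'
);

// Sanity check: with Basic auth the body must not carry either credential.
assert(!isset($request['body']['client_id']));
assert(!isset($request['body']['client_secret']));

echo implode("\n", $request['headers']), "\n";
echo http_build_query($request['body']), "\n";
```

One difference from the library snippet quoted above: the example form-urlencodes the client id and secret before base64-encoding them, as RFC 6749 section 2.3.1 specifies for the Basic scheme. For ids and secrets made of unreserved characters the two constructions produce the same header; they differ only when a credential contains characters such as `:` or `%`.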
This is already fixed, @jumbojett could close this issue I guess?