oauth2
Make Client authentication extensible and support client_secret_jwt
Abstract
There are several types of Client authentication defined for use when making a request to the Token Endpoint in OAuth 2.0. These are named "client_secret_basic", "client_secret_post", "client_secret_jwt", etc. in OpenID Connect and RFC8414.
Currently, only Client Credentials supports multiple Client authentications; the others are only "client_secret_basic". This PR supports "client_secret_post" and "client_secret_jwt" for all GrantTypes. It is also compatible with implementations that already use "request_body(client_secret_post)" for Client Credentials.
Related Specs
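How the three client authentication methods named in the description differ on the wire, as an added Python sketch that is not code from this pull request or from the oauth2 library. The function names, the `as.example` endpoint and the 60-second lifetime are assumptions; the assertion claims follow OpenID Connect Core section 9 and RFC 7523.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import quote_plus

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(secret: str, signing_input: str) -> str:
    return _b64url(hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest())

def client_assertion(client_id, client_secret, token_url, ttl=60):
    """Build the HS256 JWT that client_secret_jwt sends instead of the secret."""
    now = int(time.time())
    claims = {"iss": client_id, "sub": client_id, "aud": token_url,
              "jti": secrets.token_urlsafe(16), "iat": now, "exp": now + ttl}
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(_b64url(json.dumps(p).encode()) for p in parts)
    return signing_input + "." + _sign(client_secret, signing_input)

def apply_client_auth(method, client_id, client_secret, token_url, form):
    """Return (headers, form) for a token request authenticated with `method`."""
    headers, form = {}, dict(form)
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-urlencode id and secret, then Base64
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif method == "client_secret_post":
        form.update(client_id=client_id, client_secret=client_secret)
    elif method == "client_secret_jwt":
        assertion = client_assertion(client_id, client_secret, token_url)
        form.update(client_assertion_type=JWT_BEARER, client_assertion=assertion)
    else:
        raise ValueError(f"unsupported client authentication method: {method}")
    return headers, form

def verify_assertion(token, client_secret, token_url):
    """Server-side check of signature, alg, audience and expiry; returns claims.
    A real server also rejects a jti it has already seen."""
    signing_input, _, sig = token.rpartition(".")
    if not hmac.compare_digest(_sign(client_secret, signing_input), sig):
        raise ValueError("bad signature")
    header, claims = (json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
                      for p in signing_input.split("."))
    if header.get("alg") != "HS256" or claims["iss"] != claims["sub"]:
        raise ValueError("unexpected alg or issuer/subject mismatch")
    if claims["aud"] != token_url or claims["exp"] <= time.time():
        raise ValueError("wrong audience or expired")
    return claims
```

With `client_secret_jwt` the secret itself never appears in the request; only a short-lived assertion bound to the token endpoint does.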
Absolutely great changes here! I'd love to see them merged.
Hello there! Any plan to merge this soon? 🙏🏼
Those functions added, do they need to be public functions, or are they meant to be used only inside the package scope?
This should be a public function of "OAuth2.Client". This will also be needed when developers create new standardized or proprietary strategies.
This pull request has been automatically marked as "stale:discard". If this pull request is still relevant, please leave any comment (for example, "bump"), and we'll keep it open. We are sorry that we haven't been able to prioritize reviewing it yet. Your contribution is very much appreciated!
Closing this pull request after a prolonged period of inactivity. If this issue is still relevant, please ask for this pull request to be reopened. Thank you!