diff --git a/src/Config/Server.php b/src/Config/Server.php index e265702..6201907 100644 --- a/src/Config/Server.php +++ b/src/Config/Server.php @@ -62,7 +62,7 @@ final public function __construct(array $data, bool $strict = false) OidcMeta::TOKEN_TYPES_SUPPORTED => array("legacyPop","dpop"), OidcMeta::RESPONSE_MODES_SUPPORTED => array("query","fragment"), OidcMeta::GRANT_TYPES_SUPPORTED => array("authorization_code","implicit","refresh_token","client_credentials"), - OidcMeta::TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED => ["client_secret_basic"], + OidcMeta::TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED => ["client_secret_basic", "none"], OidcMeta::TOKEN_ENDPOINT_AUTH_SIGNING_ALG_VALUES_SUPPORTED => ["RS256"], OidcMeta::CODE_CHALLENGE_METHODS_SUPPORTED => ["S256"], OidcMeta::DPOP_SIGNING_ALG_VALUES_SUPPORTED => ["RS256"], diff --git a/src/TokenGenerator.php b/src/TokenGenerator.php index 99a8edd..b2cdc75 100644 --- a/src/TokenGenerator.php +++ b/src/TokenGenerator.php @@ -152,12 +152,16 @@ public function respondToRegistration($registration, $privateKey) { */ $registration_access_token = $this->generateRegistrationAccessToken($registration['client_id'], $privateKey); + $token_endpoint_auth_method = $registration['token_endpoint_auth_method'] ?? 'client_secret_basic'; + if (!in_array($token_endpoint_auth_method, ['client_secret_basic', 'none'])) { + $token_endpoint_auth_method = 'client_secret_basic'; + } $registrationBase = array( 'response_types' => array("id_token token"), 'grant_types' => array("implicit"), 'application_type' => 'web', 'id_token_signed_response_alg' => "RS256", - 'token_endpoint_auth_method' => 'client_secret_basic', + 'token_endpoint_auth_method' => $token_endpoint_auth_method, 'registration_access_token' => $registration_access_token, ); diff --git a/tests/unit/Config/ServerTest.php b/tests/unit/Config/ServerTest.php index 7dcd5d7..cd6926c 100644 --- a/tests/unit/Config/ServerTest.php +++ b/tests/unit/Config/ServerTest.php @@ -109,7 +109,7 @@ final public function testServerConfigShouldReturnExpectedValuesWhenSerializedWi 'token_types_supported' => ['legacyPop','dpop'], 'response_modes_supported' => ['query', 'fragment'], 'grant_types_supported' => ['authorization_code', 'implicit', 'refresh_token', 'client_credentials'], - 'token_endpoint_auth_methods_supported' => ['client_secret_basic'], + 'token_endpoint_auth_methods_supported' => ['client_secret_basic', 'none'], 'token_endpoint_auth_signing_alg_values_supported' => ['RS256'], 'display_values_supported' => [], 'claim_types_supported' => ['normal'],