Description
Satosa OIDC backend plugin fails to respect the token_endpoint_authn_methods_supported configuration from the OpenID Connect Provider during the token request, defaulting to client_secret_basic regardless of the provider's supported authentication methods.
Code Version
8.4.0
Expected Behavior
The Satosa OIDC backend plugin, when configured for Dynamic Discovery, should retrieve the supported token endpoint authentication methods from the OpenID Connect Provider's configuration (.well-known/openid-configuration endpoint) and use the appropriate method for the token request, as specified by the provider
Current Behavior
The plugin currently queries the wrong key (token_endpoint_authn_method) from the Provider configuration. According to the OpenID Provider Configuration Response specification, the correct key should be token_endpoint_authn_methods_supported. This leads to Satosa defaulting to the client_secret_basic method for token endpoint authentication, regardless of what is specified by the provider.
Steps to Reproduce
- Configure Satosa OIDC backend plugin for Dynamic Discovery with an OpenID Connect Provider that supports
client_secret_post(or any method other thanclient_secret_basic). - Initiate the OpenID Connect flow and observe the token request.
- Satosa sends the request using the
client_secret_basicmethod, despite the provider supporting a different authentication method (e.g.,client_secret_post).