Migrating from v5 to v6 - authentication issue

[amlord]

Hello!

I'm banging my head against the wall, as I can't work out what I'm doing wrong...

Migrating from v5 (works fine):

  const oidcClient = new issuer.Client(
    {
      client_id: clientId,
      response_types: ['code'],
      grant_types: ["authorization_code", "refresh_token"],
      redirect_uris: [`${baseUrl}/api/oidc/callback`],
      post_logout_redirect_uris: [`${baseUrl}/api/oidc/sign-out`],
      token_endpoint_auth_method: "private_key_jwt",
    },
    { keys: jwks },
  );

  const authPayload = await oidcClient.pushedAuthorizationRequest({
    scope: 'oidc',
    response_type: 'code',
    response_mode: "jwt",
    state,
    nonce,
    code_challenge: generators.codeChallenge(codeVerifier),
    code_challenge_method: "S256",
    redirect_uri: redirectUri.href,
  });

  const url = oidcClient.authorizationUrl(authPayload);

What I'm attempting in v6:

  oidcClientConfig = await OIDCClient.discovery(
    new URL(providerUrl),
    clientId,
    {
      grant_types: ["authorization_code", "refresh_token"],
      token_endpoint_auth_method: "private_key_jwt",
      client_secret: jwks[0] // I'm assuming this is wrong?
    }
  )
  const authPayload: Record<string, string> = {
    scope: finalScope,
    response_type: 'code',
    response_mode: 'jwt',
    state,
    nonce,
    code_challenge,
    code_challenge_method: 'S256',
    redirect_uri: redirectUri.href,
  };

  /**
   * We cannot be sure the AS supports PKCE so we're going to use state too. Use
   * of PKCE is backwards compatible even if the AS doesn't support it which is
   * why we're using it regardless.
   */
  if (!oidcClientConfig.serverMetadata().supportsPKCE()) {
    state = OIDCClient.randomState()
    authPayload.state = state
  }
  
  const redirectTo = await OIDCClient.buildAuthorizationUrlWithPAR(oidcClientConfig, authPayload)

The keep getting this error:

  cause: {
    error: 'invalid_client',
    error_description: 'client authentication failed'
  },
  code: 'OAUTH_RESPONSE_BODY_ERROR',
  error: 'invalid_client',

I've tried setting client_secret as a string, JWK, and even empty, but get the same error each time.

Apologies if I've missed something simple!!

[panva]

Does this help?

https://github.com/panva/openid-client/blob/v6.5.1/docs/functions/PrivateKeyJwt.md#examples