add support for client auth methods that require client secret

JaneJeon · JaneJeon · commit 8619fa7fa69e · 2023-08-31T10:16:39.000+01:00
diff --git a/.env b/.env
@@ -42,6 +42,10 @@ OIDC_CLIENT_ID=
 OIDC_ISSUER_BASE_URL=
 OIDC_HTTP_TIMEOUT=15 seconds
 
+### Optional OIDC Config - the values here will work for most people; however, in some cases, you may need to set the secret.
+OIDC_CLIENT_SECRET=
+OIDC_TOKEN_ENDPOINT_AUTH_METHOD=none
+
 ## OAuth2 Config for API access to Blink; disable if you don't use this
 OAUTH2_ENABLED=true
 OAUTH2_JWT_ALGORITHMS=RS256
diff --git a/middlewares/passport.js b/middlewares/passport.js
@@ -20,10 +20,13 @@ Issuer.discover(process.env.OIDC_ISSUER_BASE_URL)
 
     client = new issuer.Client({
       client_id: process.env.OIDC_CLIENT_ID,
+      client_secret: process.env.OIDC_CLIENT_SECRET || undefined, // you shouldn't need this in most cases
       redirect_uris: [`${process.env.BASE_URL}/auth/login/callback`],
       response_types: ['code'], // can't use implicit flow because #this-part-gets-stripped-away
       id_token_signed_response_alg: 'RS256', // since RS256 is asymmetric encryption, we can safely use
-      token_endpoint_auth_method: 'none' // this - we can verify the token w/o having the secret key!
+      token_endpoint_auth_method:
+        // this - we can verify the token w/o having the secret key!
+        process.env.OIDC_TOKEN_ENDPOINT_AUTH_METHOD || 'none'
     })
 
     passport.use(
diff --git a/website/docs/2. Installation/2.1 Prerequisites.md b/website/docs/2. Installation/2.1 Prerequisites.md
@@ -66,5 +66,5 @@ The reason we are able to use the token endpoint without authenticating with the
 
 And as the asymmetric signing algorithm may suggest, this means that Blink is indeed a public application [(which means a very specific thing in the OAuth2 spec)](https://auth0.com/docs/configure/applications/confidential-public-apps), not expected to hold any secrets. Therefore, you should ensure that the OIDC provider does support public applications like this.
 
-~~_themoreyouknow.gif_~~
+**However**, in some rare cases, the OIDC provider may still require a client secret even though it supports asymmetric signing algorithms (e.g. Google Workspace). In that case, you can specify an alternate client authentication method (because remember, `none` means no secret is ever sent out) by specifying `OIDC_TOKEN_ENDPOINT_AUTH_METHOD` to something else (again, please check your provider's well-known endpoint to see which methods are supported), and specify the `OIDC_CLIENT_SECRET` environment variable.
 :::
