Hi all,
I can’t remember if I’ve said this before but it looks like Mojolicious::Plugin::OAuth2 only uses the client_secret_post client authentication method. In the OpenID Connect spec, “client_secret_basic” is actually the default method: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
I think that Keycloak checks both the Authorization header and the request body, which is probably why it’s worked so easily with the Koha OpenID Connect auth. I couldn’t find any documentation on this for Keycloak, but I think it’s a safe assumption.
Reported the issue on Github: https://github.com/marcusramberg/Mojolicious-Plugin-OAuth2/issues/72. Really it should be a very straight forward change to implement in the plugin.
David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia
Office: 02 9212 0899
Online: 02 8005 0595