Hi all,

 

I can’t remember if I’ve said this before but it looks like Mojolicious::Plugin::OAuth2 only uses the client_secret_post client authentication method. In the OpenID Connect spec, “client_secret_basic” is actually the default method: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

 

I think that Keycloak checks both the Authorization header and the request body, which is probably why it’s worked so easily with the Koha OpenID Connect auth. I couldn’t find any documentation on this for Keycloak, but I think it’s a safe assumption.

 

Reported the issue on Github: https://github.com/marcusramberg/Mojolicious-Plugin-OAuth2/issues/72. Really it should be a very straight forward change to implement in the plugin.

 

David Cook

Senior Software Engineer

Prosentient Systems

Suite 7.03

6a Glen St

Milsons Point NSW 2061

Australia

 

Office: 02 9212 0899

Online: 02 8005 0595