[Koha-devel] Mojolicious::Plugin::OAuth2 only uses client_secret_post client authentication method
David Cook
dcook at prosentient.com.au
Mon Mar 20 03:20:32 CET 2023
Hi all,

I can't remember if I've said this before, but it looks like
Mojolicious::Plugin::OAuth2 only uses the client_secret_post client
authentication method. In the OpenID Connect spec, "client_secret_basic" is
actually the default method:
https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

I think that Keycloak checks both the Authorization header and the request
body, which is probably why it's worked so easily with the Koha OpenID
Connect auth. I couldn't find any documentation on this for Keycloak, but I
think it's a safe assumption.

Reported the issue on GitHub:
https://github.com/marcusramberg/Mojolicious-Plugin-OAuth2/issues/72. Really
it should be a very straightforward change to implement in the plugin.

David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia
Office: 02 9212 0899
Online: 02 8005 0595
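
The two client authentication methods discussed in the message above, shown side by side as an added example (not part of the original e-mail and not code from Mojolicious::Plugin::OAuth2 or Keycloak). The function names and sample values are assumptions made for illustration, and rejecting a request that presents both methods is this example's own choice, based on the RFC 6749 section 2.3 rule that a client uses one method per request.

```python
import base64
from urllib.parse import urlencode, parse_qs, quote_plus, unquote_plus

# Constructed sample values, not taken from any real deployment.
CLIENT_ID = "koha-client"
CLIENT_SECRET = "s3cr:et/+ ="   # contains ':' to show why encoding matters
CODE = "abc123"
REDIRECT_URI = "https://koha.example.org/callback"

def build_token_request(method, client_id, client_secret, code, redirect_uri):
    """Client side: return (headers, body) for an authorization_code token request."""
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_post":
        # Credentials travel as form fields in the request body.
        form.update(client_id=client_id, client_secret=client_secret)
    elif method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-urlencode each value, join with ':',
        # then base64 the pair into an HTTP Basic Authorization header.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    else:
        raise ValueError(f"unsupported method: {method}")
    return headers, urlencode(form)

def extract_client_credentials(headers, body):
    """Token-endpoint side: return (method, client_id, client_secret)."""
    form = parse_qs(body)
    auth = headers.get("Authorization", "")
    in_header = auth.startswith("Basic ")
    in_body = {"client_id", "client_secret"} <= form.keys()
    if in_header and in_body:
        raise ValueError("multiple client authentication methods in one request")
    if in_header:
        raw = base64.b64decode(auth[len("Basic "):]).decode()
        # The first ':' is the separator because both halves were urlencoded.
        cid, _, secret = raw.partition(":")
        return "client_secret_basic", unquote_plus(cid), unquote_plus(secret)
    if in_body:
        return "client_secret_post", form["client_id"][0], form["client_secret"][0]
    raise ValueError("no client credentials presented")
```

A token endpoint that only implements the header branch would reject the body-only form, which is the interoperability gap the message describes.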