Affected component
Duende.IdentityModel.OidcClient
Version
main (b15ff68)
Describe the bug
PushAuthorizationRequestAsync will by default use ClientCredentialStyle.AuthorizationHeader (as defined here).
Meanwhile, RefreshTokenAsync will by default use ClientCredentialStyle.PostBody (as defined here).
This can cause different ClientCredentialStyles to be used for pushed authorization endpoint and token endpoint, which violates the OIDC spec and gets outright rejected by Authelia and other clients (thus causing auth to fail).
Steps to reproduce
Use OidcClient with OidcClientOptions.TokenClientCredentialStyle set to ClientCredentialStyle.PostBody (the default value) to interact with an Authelia OIDC endpoint and observe that this fails.
Expected behavior
Both PAR and the token endpoint should always use matching ClientCredentialStyles, for example by also using OidcClientOptions.TokenClientCredentialStyle to determine the ClientCredentialStyle for pushed authorization requests.
Additional context
As discussed in 9p4/jellyfin-plugin-sso#305 this issue currently causes a minor security degradation when this library is used together with an OIDC provider that enforces matching ClientCredentialStyles, as PAR will need to be disabled in that case.
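The mismatch this report describes, seen from the provider side, as an added example that is not code from Duende.IdentityModel.OidcClient or from Authelia: it classifies how each request authenticated the client and flags the PAR/token inconsistency. The sample requests, the client_id and secret, and the rule mapping OIDC token_endpoint_auth_method values to the ClientCredentialStyle names used above are constructed for illustration.

```python
import base64
from urllib.parse import parse_qs

# OIDC registered client auth methods -> the ClientCredentialStyle names used in the report.
REGISTERED_TO_STYLE = {
    "client_secret_basic": "AuthorizationHeader",
    "client_secret_post": "PostBody",
}

def client_auth_style(headers: dict, body: str) -> str:
    """Classify how a form-encoded request authenticated the client.

    Returns 'AuthorizationHeader' (HTTP Basic), 'PostBody' (client_secret in the form),
    'Both' (more than one method per request, which RFC 6749 forbids) or 'None'.
    """
    form = parse_qs(body)
    uses_header = headers.get("Authorization", "").startswith("Basic ")
    uses_body = "client_secret" in form
    if uses_header and uses_body:
        return "Both"
    if uses_header:
        return "AuthorizationHeader"
    if uses_body:
        return "PostBody"
    return "None"

def check_client_auth(requests: dict, registered_method: str) -> list:
    """Return findings for {endpoint: (headers, body)} requests from one client,
    given the token_endpoint_auth_method it registered with the provider."""
    expected = REGISTERED_TO_STYLE.get(registered_method)
    styles = {ep: client_auth_style(h, b) for ep, (h, b) in requests.items()}
    findings = [f"{ep}: used {s}, client is registered for {expected}"
                for ep, s in styles.items() if s != expected]
    if len(set(styles.values())) > 1:
        findings.append("PAR and token endpoints used different styles: " + str(styles))
    return findings

# Constructed sample traffic modelling the library defaults described in the report:
# PAR with a Basic header, token endpoint with the secret in the POST body.
BASIC = "Basic " + base64.b64encode(b"jellyfin-sso:example-secret").decode()
SAMPLE_REQUESTS = {
    "par": ({"Authorization": BASIC},
            "response_type=code&client_id=jellyfin-sso&scope=openid&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"),
    "token": ({},
              "grant_type=refresh_token&refresh_token=opaque&client_id=jellyfin-sso&client_secret=example-secret"),
}

if __name__ == "__main__":
    for finding in check_client_auth(SAMPLE_REQUESTS, "client_secret_post"):
        print(finding)
```

Running it reports the PAR request as using a style the client did not register, plus the cross-endpoint mismatch, which is the condition a provider that enforces matching styles rejects.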