AppAuth: can I force my client to use client_secret_jwt?

Hi,

Any AppAuth users here? I have implemented generic support for OpenID Connect using the AppAuth framework for my apps. I have used the easy way of fetching the configuration document from the IDP and letting that control the connection.

Now I have an IDP that says that we must use client_secret_jwt, and they will not allow anything else. But in the config document they list all available auth methods like this:

"token_endpoint_auth_methods_supported" =     (
        "client_secret_basic",
        "client_secret_jwt",
        "client_secret_post",
        "private_key_jwt")

So my client uses client_secret_basic and later gets rejected, since I've not used the required auth method. The reason is that they want to phase out the use of _basic and _post, but they have some legacy system they must support.

I haven't found anything documented about the logic behind what auth method AppAuth uses, but my guess is that it starts at the top of the list and uses the first one suggested?

Is there a way for me to force AppAuth to only use client_secret_jwt regardless of what the config document says?

If anyone knows a better forum to ask this, please let me know!
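
Added example, not part of the original post and not AppAuth code: what a token request authenticated with client_secret_jwt contains (OpenID Connect Core, section 9), with the method pinned by the client instead of taken from the order of the discovery list. The function names, the sample client values, the `idp.example` endpoint and the choice of HS256 are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time, uuid
from urllib.parse import urlencode

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Constructed discovery document mirroring the list in the post.
DISCOVERY = {
    "token_endpoint": "https://idp.example/token",
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic", "client_secret_jwt",
        "client_secret_post", "private_key_jwt"],
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def choose_auth_method(discovery: dict, required: str) -> str:
    """Pin the method the IdP demands instead of taking the first one listed."""
    # Discovery defaults to client_secret_basic when the field is absent.
    supported = discovery.get("token_endpoint_auth_methods_supported",
                              ["client_secret_basic"])
    if required not in supported:
        raise ValueError(f"{required} not advertised by the IdP")
    return required

def make_client_assertion(client_id, client_secret, audience, now=None, lifetime=60):
    """Build the HS256 JWT that client_secret_jwt sends as client_assertion."""
    now = int(time.time()) if now is None else now
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "jti": uuid.uuid4().hex, "iat": now, "exp": now + lifetime}
    parts = [b64url(json.dumps(obj, separators=(",", ":")).encode())
             for obj in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    # The shared secret is the HMAC key; it never appears in the request itself.
    mac = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256)
    return signing_input + "." + b64url(mac.digest())

def token_request_body(discovery, client_id, client_secret, code, redirect_uri):
    """Form body for the code exchange: no Basic header, no client_secret field."""
    choose_auth_method(discovery, "client_secret_jwt")
    assertion = make_client_assertion(client_id, client_secret,
                                      discovery["token_endpoint"])
    return urlencode({
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": redirect_uri,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": assertion,
    })
```

The IdP recomputes the HMAC with its copy of the secret and checks `aud`, `exp` and `jti`, so a captured assertion is only usable against that token endpoint and only until it expires.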
