@rcdailey

Summary

Public OAuth2 clients using PKCE should not send Authorization headers during token exchange per RFC 7636. This was causing token refresh failures with external OIDC providers like Authelia and Zitadel.

Changes

  • Made clientAuth nullable in TokenRequest and TokenRequestParams
  • Added conditional Authorization header logic in TokenRequestRemoteOperation (only adds header when clientAuth is non-null and non-empty)
  • Added isTokenEndpointAuthMethodNone() helper method in OIDCServerConfiguration to detect public clients
  • Updated LoginActivity to set clientAuth = null for public clients based on token_endpoint_auth_method from OIDC discovery
  • Updated AccountAuthenticator refresh token flow with same logic for consistent behavior

Testing

Tested with Authelia OIDC provider configured with token_endpoint_auth_method: none. Both initial token exchange and token refresh now work correctly without sending the incorrect Authorization header.

RFC Compliance

This change ensures compliance with RFC 7636 (PKCE) and RFC 6749 (OAuth 2.0), which specify that public clients should only send form parameters (client_id, code, code_verifier, redirect_uri, grant_type) during token exchange, with no Authorization header.

Related to #55

…xchange

Public OAuth2 clients using PKCE should not send Authorization headers during
token exchange per RFC 7636. This was causing token refresh failures with
external OIDC providers like Authelia and Zitadel.

Changes:
- Made clientAuth nullable in TokenRequest and TokenRequestParams
- Added conditional Authorization header in TokenRequestRemoteOperation
- Added isTokenEndpointAuthMethodNone() helper in OIDCServerConfiguration
- Updated LoginActivity and AccountAuthenticator for public client auth

Related to opencloud-eu#55
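The header-selection rule described in the PR summary and commit message above, as an added example that is not code from this pull request or the OpenCloud Android app: a public client (token endpoint auth method `none`) gets a null client credential and sends only form parameters, while a confidential client keeps the HTTP Basic `Authorization` header. The `server_config` dict shape, the helper names and the sample values are assumptions made for this illustration.

```python
import base64
from typing import Optional
from urllib.parse import urlencode


def is_token_endpoint_auth_method_none(server_config: dict) -> bool:
    """Public client: provider declared token_endpoint_auth_method 'none'.

    server_config is a constructed dict standing in for the discovered
    OIDC server configuration (assumption, not the app's real type).
    """
    return str(server_config.get("token_endpoint_auth_method", "")).lower() == "none"


def client_auth_for(server_config: dict, client_id: str,
                    client_secret: Optional[str]) -> Optional[str]:
    """Return the HTTP Basic credential for confidential clients, None for public ones."""
    if is_token_endpoint_auth_method_none(server_config) or not client_secret:
        return None
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(form: dict, client_auth: Optional[str]) -> tuple[dict, str]:
    """Build (headers, urlencoded body) for the token endpoint.

    The Authorization header is attached only when client_auth is non-null
    and non-empty; public PKCE clients identify themselves via client_id
    in the form body instead (RFC 6749 section 3.2.1).
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_auth:
        headers["Authorization"] = client_auth
    return headers, urlencode(form)


def code_exchange_form(client_id: str, code: str, code_verifier: str, redirect_uri: str) -> dict:
    """Form parameters for the PKCE authorization_code exchange (RFC 7636 section 4.5)."""
    return {"grant_type": "authorization_code", "client_id": client_id, "code": code,
            "code_verifier": code_verifier, "redirect_uri": redirect_uri}


def refresh_form(client_id: str, refresh_token: str) -> dict:
    """Form parameters for the refresh_token grant; same client_auth rule applies."""
    return {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token}
```

Running `build_token_request(code_exchange_form(...), client_auth_for(cfg, ...))` with `cfg = {"token_endpoint_auth_method": "none"}` yields headers without `Authorization` and a body carrying `client_id` and `code_verifier`; with a confidential config and secret the same call adds `Authorization: Basic ...`.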
@guruz guruz requested a review from schweigisito November 25, 2025 10:57
@kulmann kulmann requested a review from guruz November 27, 2025 12:07