Pass oidc client id in the body if no client secret provided

We are already doing this for OidcDeviceAuthorization, so
let's do it in general.

Currently keystoneauth is broken for some providers after
I2392ef51302804c0c66c0fb52227db5f35bca3fd

The OpenID Connect spec states that client auth should be passed either
in the header as HTTP basic auth, or in the request body:
https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

With this patch it should work for all variations in providers
I've witnessed personally, including the "onelogin" mentioned in
I2392ef51302804c0c66c0fb52227db5f35bca3fd.

Change-Id: I70fcf7f1eeeeebc621bfd52787bb8d8adb322e67
Closes-Bug: #2078437
(cherry picked from commit 796c999bf0)
Pavlo Shchelokovskyy
2024-08-30 14:02:44 +03:00
committed by David Wilde
parent 8a5fec1116
commit bd152b19f7


@@ -189,7 +189,11 @@ class _OidcBase(federation.FederationBaseAuth, metaclass=abc.ABCMeta):
'password': self.password, 'scope': self.scope}
:type payload: dict
"""
client_auth = (self.client_id, self.client_secret)
if self.client_secret:
client_auth = (self.client_id, self.client_secret)
else:
client_auth = None
payload.setdefault('client_id', self.client_id)
access_token_endpoint = self._get_access_token_endpoint(session)
op_response = session.post(access_token_endpoint,
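Review bot: the new `else: client_auth = None` branch drops HTTP Basic authentication whenever `client_secret` is falsy, which includes an empty-string secret as well as `None`; that matches the public-client case in the spec linked from the commit message, but nothing in this hunk exercises it. Add a unit test for the no-secret path asserting that no Basic auth is attached to the token request and that `client_id` appears in the posted body, and, since `payload.setdefault('client_id', self.client_id)` will not overwrite a caller-supplied `client_id`, cover that case too. The commit message says `OidcDeviceAuthorization` already passes `client_id` in the body; if that copy becomes redundant with this base-class change, drop it so the behaviour lives in one place.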