Skip to content

fix: add auth_methods client_secret_basic for refresh token and revok…#803

Merged
muhlemmer merged 4 commits intozitadel:mainfrom
kufd:fix/auth_methods-client_secret_basic-for-refresh-and-revoke
Mar 2, 2026
Merged

fix: add auth_methods client_secret_basic for refresh token and revok…#803
muhlemmer merged 4 commits intozitadel:mainfrom
kufd:fix/auth_methods-client_secret_basic-for-refresh-and-revoke

Conversation

@kufd
Copy link
Contributor

@kufd kufd commented Sep 30, 2025
edited
Loading

I have an authentication provider that only accepts client secrets from the request headers.

Because of this, the refresh token and revoke token requests fail — the Authorization header is missing.

This PR adds the Authorization header with the client credentials to those requests.
Additionally, I’ve updated how the header is added in other requests to follow the same approach.

I’d appreciate any feedback and am happy to adjust the PR as needed.

@rajatcing rajatcing requested a review from muhlemmer October 1, 2025 09:38
@rajatcing
Copy link

rajatcing commented Oct 1, 2025

cc @elinashoko

@elinashoko
Copy link

elinashoko commented Oct 7, 2025

heya @kufd thank you for your contribution, we'll review as soon as we can!

@elinashoko elinashoko moved this to 📋 Sprint Backlog in Product Management Oct 7, 2025
muhlemmer
muhlemmer reviewed Oct 22, 2025
View reviewed changes
Copy link
Collaborator

@muhlemmer muhlemmer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kufd, can you plead amend the description of you PR and clearly state:

  • What is the bug being solved. Preferably an issue with a reproducible case
  • How is the bug solved

It's hard to understand the problem and the fix looking at the code alone.

@kufd
Copy link
Contributor Author

kufd commented Oct 22, 2025

@muhlemmer Could you please take a look at the PR description?
I’ve updated it — I hope it looks better now.

@elinashoko elinashoko moved this from 📋 Sprint Backlog to 👀 In review in Product Management Nov 24, 2025
@elinashoko
Copy link

elinashoko commented Jan 8, 2026

@muhlemmer pls have a look

@elinashoko
Copy link

elinashoko commented Jan 22, 2026

@muhlemmer ping pls

@muhlemmer muhlemmer self-requested a review January 26, 2026 10:18
muhlemmer
muhlemmer requested changes Feb 17, 2026
View reviewed changes
Copy link
Collaborator

@muhlemmer muhlemmer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change looks good, thanks. One small formatting comment.

example/client/device/device.go Outdated
"time"

"github.com/sirupsen/logrus"
"github.com/zitadel/oidc/v3/pkg/oidc"
Copy link
Collaborator

@muhlemmer muhlemmer Feb 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please move the import to the lower block, with the other same-module import.

Copy link
Contributor Author

@kufd kufd Feb 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done
Could you please take a look

@elinashoko
Copy link

elinashoko commented Mar 2, 2026

@muhlemmer pls review this again, thanks!

@muhlemmer muhlemmer self-requested a review March 2, 2026 18:53
@muhlemmer muhlemmer enabled auto-merge (squash) March 2, 2026 19:12
@muhlemmer muhlemmer merged commit 811e8b2 into zitadel:main Mar 2, 2026
4 checks passed
@github-project-automation github-project-automation bot moved this from 👀 In review to ✅ Done in Product Management Mar 2, 2026
@github-actions
Copy link

github-actions bot commented Mar 2, 2026

🎉 This PR is included in version 3.45.5 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@suqin-haha
Copy link

suqin-haha commented Mar 11, 2026

is this PR cause the problem (at least for Okta)?
ErrorType=invalid_request Description=Cannot supply multiple client credentials. Use one of the following: credentials in the Authorization header, credentials in the post body, or a client_assertion in the post body

@muhlemmer @kufd @elinashoko

@muhlemmer
Copy link
Collaborator

muhlemmer commented Mar 11, 2026

@suqin-haha if you're experiencing problems after upgrading this library in your app, please open an issue with clear steps to reproduce, so we can investigate.

@kufd
Copy link
Contributor Author

kufd commented Mar 11, 2026

I would like to confirm that in this pull request I have added client credentials to the headers for the refresh token and revoke token requests. As a result, the client credentials are now present in both the request body and the headers.

For the device authorization request and the device access token request, the client credentials were already included in both places (body and headers) before this PR.

@suqin-haha suqin-haha mentioned this pull request Mar 12, 2026
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@muhlemmer muhlemmer muhlemmer approved these changes

Assignees

No one assigned

Labels

os-contribution released

Projects

Product Management
Status: ✅ Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@kufd @rajatcing @elinashoko @suqin-haha @muhlemmer @hifabienne