fix(core): fix OIDC SSO token request failed issue (#7132)

* fix(core): fix OIDC sso token request failed issue fix OIDC sso connector token request failed issue * chore(core): add some comments add some comments * chore: add changeset add changeset * fix(test): fix ut fix ut * refactor: apply suggestions from code review --------- Co-authored-by: Gao Sun <gao@silverhand.io>
2025-04-07 23:01:25 -05:00 · 2025-03-13 13:48:41 +08:00 · 2025-03-13 13:48:41 +08:00 · 7b342f7efc
commit 7b342f7efc
parent 40efc34b68
4 changed files with 24 additions and 14 deletions
--- a/.changeset/dull-dolphins-return.md
+++ b/.changeset/dull-dolphins-return.md
@ -0,0 +1,13 @@
+---
+"@logto/core": patch
+---
+
+remove `client_id` from OIDC SSO connector's token request body for better compatibility
+
+This updates addresses an issue with client authentication methods in the token request process. Previously, the `client_id` was included in the request body while also using the authentication header for client credentials authentication.
+
+This dual method of client authentication can lead to errors with certain OIDC providers, such as Okta, which only support one authentication method at a time.
+
+### Key changes
+
+Removal of `client_id` from request body: The `client_id` parameter has been removed from the token request body. According to the [OAuth 2.0 specification](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3), `client_id` in the body is required only for public clients.
--- a/packages/core/src/saml-application/SamlApplication/index.test.ts
+++ b/packages/core/src/saml-application/SamlApplication/index.test.ts
@ -121,7 +121,7 @@ describe('SamlApplication', () => {
      nock(mockEndpoint)
        .post(
          '/token',
-          `grant_type=authorization_code&code=${mockCode}&client_id=${mockSamlApplicationId}&redirect_uri=${encodeURIComponent(
+          `grant_type=authorization_code&code=${mockCode}&redirect_uri=${encodeURIComponent(
            samlApp.config.redirectUri
          )}`
        )
--- a/packages/core/src/sso/OidcConnector/utils.test.ts
+++ b/packages/core/src/sso/OidcConnector/utils.test.ts
@ -163,7 +163,6 @@ describe('fetchToken', () => {
      body: new URLSearchParams({
        grant_type: 'authorization_code',
        code: data.code,
-        client_id: oidcConfig.clientId,
        redirect_uri: redirectUri,
      }).toString(),
      headers: {
--- a/packages/core/src/sso/OidcConnector/utils.ts
+++ b/packages/core/src/sso/OidcConnector/utils.ts
@ -56,25 +56,23 @@ export const fetchOidcConfig = async (
  }
 };

+type HandleTokenExchangePayload = {
+  code: string;
+  clientId: string;
+  clientSecret: string;
+  redirectUri?: string;
+};
+
 export const handleTokenExchange = async (
  tokenEndpoint: string,
-  {
-    code,
-    clientId,
-    clientSecret,
-    redirectUri,
-  }: {
-    code: string;
-    clientId: string;
-    clientSecret: string;
-    redirectUri?: string;
-  }
+  { code, clientId, clientSecret, redirectUri }: HandleTokenExchangePayload
 ) => {
  const tokenRequestParameters = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
-    client_id: clientId,
    ...(redirectUri ? { redirect_uri: redirectUri } : {}),
+    // No need to pass `client_id` and `client_secret` as it is already in the Authorization header
+    // For some providers like Okta, passing `client_id` in the body while using client credentials authorization header will cause an error
  });

  const headers = {