
Add support for other token_endpoint_auth_method methods that require a secret (OIDC) #799

Closed
2 tasks done
Mavyre opened this issue Aug 30, 2023 · 4 comments

@Mavyre

Mavyre commented Aug 30, 2023

Disclaimers

  • Before filing this report, I have read the documentation fully and followed it.
  • I understand that if the "issue" is something that is already answered by the documentation and/or are caused by me not reading the documentation, the issue will be blocked and/or locked (with the implicit explanation being to "go read the docs"), and I may not be able to open another issue for this repository ever again.

Issue Description

Describe the bug
Try to set up OIDC with Google Workspace. Google OIDC requires a client_secret to authenticate, and Blink doesn't provide one. It gives the following error after authentication:

invalid_request (client_secret is missing.)

Deployment Method
Using docker compose and .env provided in this directory. Modified .env with my Client ID and Google's authentication URL.
FYI, https://accounts.google.com is Google Base URL

To Reproduce
Steps to reproduce the behavior:

Set up OIDC with Google Workspace.
Try to log in.

Expected behavior
Should be able to add an OIDC Client Secret to authenticate against external OIDC providers

@JaneJeon
Owner

JaneJeon commented Aug 30, 2023

It looks like google workspace doesn't support token_endpoint_auth_method of none (Blink requires it, see https://docs.blink.rest/Installation/2.1%20Prerequisites#oidc-protocol), which doesn't need to pass secrets due to asymmetric key signing (e.g. RSA family of encryption algorithms).

In fact, if you take a closer look at the configuration, you might've noticed that you don't/can't even specify the OIDC secret: https://github.com/JaneJeon/blink/blob/master/.env#L40

Checking the .well-known endpoint (as outlined in Blink's documentation) for google auth seems to confirm that none is not a supported method: https://accounts.google.com/.well-known/openid-configuration

[Screenshot: CleanShot 2023-08-30 at 14 13 56@2x]

Therefore, if you want to use google as your OIDC provider, some google-specific changes will need to be made to the OIDC client configuration provider: https://github.com/JaneJeon/blink/blob/master/middlewares/passport.js#L21 (I say google-specific here, because most OIDC providers that allow RS256 - an asymmetric encryption method - also allow token_endpoint_auth_method of none, as you do not need a secret key to verify the authenticity of the JWT).

Now, I don't have access to a google workspace, so I won't be able to test it, but if you were to add optional support for client_secret (probably read value of process.env.OIDC_CLIENT_SECRET or something of the like; see the link above for where it would be added), it should theoretically support google workspace.

Would you be interested in testing such a change against google workspace OIDC?

@JaneJeon JaneJeon changed the title OIDC with Secret not working Add support for other token_endpoint_auth_method methods that require a secret (OIDC) Aug 30, 2023
@Mavyre
Author

Mavyre commented Aug 30, 2023

Ew, sorry I didn't comment earlier, but I indeed managed to log in with Google Workspace. I modified passport.js, set token_endpoint_auth_method to client_secret_basic and hardcoded the value of client_secret with my Client Secret.

And it works. Really great!

One little suggestion: switching the token_endpoint_auth_method from none to client_secret_basic if a process.env.OIDC_CLIENT_SECRET is set should do the trick for most of the OIDC providers!
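The two suggestions in this thread (read an optional OIDC_CLIENT_SECRET from the environment, and switch token_endpoint_auth_method from none to client_secret_basic when it is set) can be combined with a check against the provider's discovery document, so that an unsupported method fails at startup with a clear message instead of at the token endpoint with "client_secret is missing". The following is an added example, not Blink's passport.js or openid-client's code; the function names, the env variable OIDC_REDIRECT_URI, and the two discovery objects are constructed for illustration (the first is modelled on the auth methods Google publishes, the second on a provider that also offers none).

```javascript
'use strict';

// Constructed sample of the relevant part of an OIDC discovery document.
// Real providers publish it at <issuer>/.well-known/openid-configuration.
const SAMPLE_DISCOVERY_SECRET_ONLY = {
  issuer: 'https://accounts.google.com',
  token_endpoint_auth_methods_supported: ['client_secret_post', 'client_secret_basic'],
};

// Constructed sample of a provider that accepts a public client ("none").
const SAMPLE_DISCOVERY_WITH_NONE = {
  issuer: 'https://idp.example.invalid',
  token_endpoint_auth_methods_supported: ['none', 'client_secret_basic', 'private_key_jwt'],
};

// Choose the client authentication method from the environment:
// "none" (public client; the ID token is still verified via the provider's
// RS256 signature) unless a client secret is configured, in which case
// "client_secret_basic", as suggested in the thread.
function chooseAuthMethod(env) {
  const secret = env.OIDC_CLIENT_SECRET;
  if (typeof secret === 'string' && secret.trim() !== '') {
    return 'client_secret_basic';
  }
  return 'none';
}

// Build client metadata in the shape openid-client's Client constructor
// accepts, after confirming the provider supports the chosen method.
function buildClientMetadata(env, discovery) {
  if (!env.OIDC_CLIENT_ID) throw new Error('OIDC_CLIENT_ID is required');
  if (!env.OIDC_REDIRECT_URI) throw new Error('OIDC_REDIRECT_URI is required');

  const method = chooseAuthMethod(env);
  // OpenID Connect Discovery 1.0: when the list is omitted, the provider
  // defaults to client_secret_basic.
  const supported = Array.isArray(discovery.token_endpoint_auth_methods_supported)
    ? discovery.token_endpoint_auth_methods_supported
    : ['client_secret_basic'];

  if (!supported.includes(method)) {
    const hint = method === 'none'
      ? ' (set OIDC_CLIENT_SECRET to use client_secret_basic)'
      : '';
    throw new Error(
      `${discovery.issuer} does not support token_endpoint_auth_method=${method}; ` +
      `supported: ${supported.join(', ')}${hint}`
    );
  }

  const metadata = {
    client_id: env.OIDC_CLIENT_ID,
    redirect_uris: [env.OIDC_REDIRECT_URI],
    response_types: ['code'],
    token_endpoint_auth_method: method,
  };
  // Only attach the secret when it will actually be used, so a public-client
  // configuration never carries one around by accident.
  if (method === 'client_secret_basic') {
    metadata.client_secret = env.OIDC_CLIENT_SECRET;
  }
  return metadata;
}

// Copy of the metadata that is safe to write to logs.
function redacted(metadata) {
  const copy = { ...metadata };
  if ('client_secret' in copy) copy.client_secret = '[redacted]';
  return copy;
}

// Stand-alone demonstration with a constructed environment (in a real
// deployment this would be process.env).
const demoEnv = {
  OIDC_CLIENT_ID: 'example-client-id',
  OIDC_CLIENT_SECRET: 'example-secret',
  OIDC_REDIRECT_URI: 'https://blink.example.invalid/auth/callback',
};
console.log(redacted(buildClientMetadata(demoEnv, SAMPLE_DISCOVERY_SECRET_ONLY)));
```

Running it prints the metadata with client_secret replaced by "[redacted]"; removing OIDC_CLIENT_SECRET from demoEnv makes the call throw, because the first discovery sample does not list none, which is the same situation the original report hit, surfaced before any redirect to the provider.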

@JaneJeon
Owner

Excellent to hear that works, I will create the fix and release it after my morning routine, and notify you once it's done.

@JaneJeon JaneJeon self-assigned this Aug 31, 2023
@JaneJeon
Owner

Hello, it is now released (release v1.4.0): https://github.com/JaneJeon/blink/releases/tag/v1.4.0, https://github.com/JaneJeon/blink/pkgs/container/blink/123663099?tag=v1.4.0

The instructions for the client secret and auth method have been added to the documentation: https://docs.blink.rest/Installation/2.1%20Prerequisites#oidc-protocol

Please follow the instructions with the new release, and let me know if it doesn't work (in that case, I will re-open the issue).

Thanks.
