fix: handle empty client_secret with basic and post client auth (#610)

closes #609
panva · Jul 6, 2023 · 402c711 · 402c711
1 parent 7747fd9
commit 402c711
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 2 deletions.
diff --git a/lib/helpers/client.js b/lib/helpers/client.js
@@ -81,7 +81,7 @@ async function authFor(endpoint, { clientAssertionPayload } = {}) {
     case 'none':
       return { form: { client_id: this.client_id } };
     case 'client_secret_post':
-      if (!this.client_secret) {
+      if (typeof this.client_secret !== 'string') {
         throw new TypeError(
           'client_secret_post client authentication method requires a client_secret',
         );
@@ -120,7 +120,7 @@ async function authFor(endpoint, { clientAssertionPayload } = {}) {
       // > Appendix B, and the encoded value is used as the username; the client
       // > password is encoded using the same algorithm and used as the
       // > password.
-      if (!this.client_secret) {
+      if (typeof this.client_secret !== 'string') {
         throw new TypeError(
           'client_secret_basic client authentication method requires a client_secret',
         );

diff --git a/test/client/client_instance.test.js b/test/client/client_instance.test.js
@@ -2253,6 +2253,18 @@ describe('Client', () => {
           );
         });
       });
+
+      it('allows client_secret to be empty string', async function () {
+        const issuer = new Issuer();
+        const client = new issuer.Client({
+          client_id: 'an:identifier',
+          client_secret: '',
+          token_endpoint_auth_method: 'client_secret_post',
+        });
+        expect(await clientInternal.authFor.call(client, 'token')).to.eql({
+          form: { client_id: 'an:identifier', client_secret: '' },
+        });
+      });
     });
 
     describe('when client_secret_basic', function () {
@@ -2288,6 +2300,14 @@ describe('Client', () => {
           );
         });
       });
+
+      it('allows client_secret to be empty string', async function () {
+        const issuer = new Issuer();
+        const client = new issuer.Client({ client_id: 'an:identifier', client_secret: '' });
+        expect(await clientInternal.authFor.call(client, 'token')).to.eql({
+          headers: { Authorization: 'Basic YW4lM0FpZGVudGlmaWVyOg==' },
+        });
+      });
     });
 
     describe('when client_secret_jwt', function () {