pow-auth · danschultzer · Nov 13, 2019 · Nov 13, 2019
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 * Removed unused `:resource` param in `Assent.Strategy.AzureAD`
 * Added "email profile" to scope in `Assent.Strategy.AzureAD`
 * Use `response_mode=form_post` for `Assent.Strategy.AzureAD`
+* Updated `Assent.Strategy.OAuth2` to handle access token request correctly when `:auth_method` is `nil` per RFC specs
 
 ## v0.1.4 (2019-11-09)
 

diff --git a/lib/assent/strategies/oauth2.ex b/lib/assent/strategies/oauth2.ex
@@ -18,8 +18,9 @@ defmodule Assent.Strategy.OAuth2 do
 
     - `:client_id` - The OAuth2 client id, required
     - `:site` - The domain of the OAuth2 server, required
-    - `:auth_method` - The authentication strategy used, optional, defaults to
-      `:client_secret_basic`. The value may be one of the following:
+    - `:auth_method` - The authentication strategy used, optional. If not set,
+      no authentication will be used during the access token request. The value
+      may be one of the following:
 
       - `:client_secret_basic` - Authenticate with basic authorization header
       - `:client_secret_post` - Authenticate with post params
@@ -139,6 +140,15 @@ defmodule Assent.Strategy.OAuth2 do
     do: {:error, %CallbackCSRFError{}}
   defp do_check_state(_state, _params), do: :ok
 
+  defp authentication_params(nil, config) do
+    with {:ok, client_id}     <- Config.fetch(config, :client_id) do
+
+      headers = []
+      body    = [client_id: client_id]
+
+      {:ok, headers, body}
+    end
+  end
   defp authentication_params(:client_secret_basic, config) do
     with {:ok, client_id}     <- Config.fetch(config, :client_id),
          {:ok, client_secret} <- Config.fetch(config, :client_secret) do
@@ -207,7 +217,7 @@ defmodule Assent.Strategy.OAuth2 do
   end
 
   defp get_access_token(config, %{"code" => code}) do
-    auth_method  = Config.get(config, :auth_method, :client_secret_basic)
+    auth_method  = Config.get(config, :auth_method, nil)
     token_url    = Config.get(config, :token_url, "/oauth/token")
 
     with {:ok, site}                    <- Config.fetch(config, :site),

diff --git a/test/assent/strategies/oauth2_test.exs b/test/assent/strategies/oauth2_test.exs
@@ -70,7 +70,23 @@ defmodule Assent.Strategy.OAuth2Test do
 
     @user_api_params %{name: "Dan Schultzer", email: "foo@example.com", uid: "1"}
 
+    test "with no auth method", %{config: config, callback_params: params, bypass: bypass} do
+      expect_oauth2_access_token_request(bypass, [], fn _conn, params ->
+        assert params["grant_type"] == "authorization_code"
+        assert params["code"] == "test"
+        assert params["redirect_uri"] == "http://localhost:4000/auth/callback"
+        assert params["client_id"] == @client_id
+        refute params["client_secret"]
+      end)
+
+      expect_oauth2_user_request(bypass, @user_api_params)
+
+      assert {:ok, _any} = OAuth2.callback(config, params)
+    end
+
     test "with `:client_secret_basic` auth method", %{config: config, callback_params: params, bypass: bypass} do
+      config = Keyword.put(config, :auth_method, :client_secret_basic)
+
       expect_oauth2_access_token_request(bypass, [], fn conn, params ->
         assert [{"authorization", "Basic " <> token} | _rest] = conn.req_headers
         assert Base.url_decode64(token, padding: false) == {:ok, "#{@client_id}:#{@client_secret}"}