✨ [#80] Support configuring basic auth for token endpoint

Certain OIDC providers require the client credentials to be sent in the Basic Auth request header rather than in the request body. This is now configurable in the admin.
maykinmedia · Feb 6, 2024 · fb09fff · fb09fff
1 parent 7a24ff9
commit fb09fff
Show file tree

Hide file tree

Showing 6 changed files with 395 additions and 2 deletions.
diff --git a/mozilla_django_oidc_db/admin.py b/mozilla_django_oidc_db/admin.py
@@ -35,6 +35,7 @@ class OpenIDConnectConfigAdmin(SingletonModelAdmin):
                     "oidc_op_jwks_endpoint",
                     "oidc_op_authorization_endpoint",
                     "oidc_op_token_endpoint",
+                    "oidc_token_use_basic_auth",
                     "oidc_op_user_endpoint",
                 )
             },

diff --git a/mozilla_django_oidc_db/migrations/0015_openidconnectconfig_oidc_token_use_basic_auth.py b/mozilla_django_oidc_db/migrations/0015_openidconnectconfig_oidc_token_use_basic_auth.py
@@ -0,0 +1,22 @@
+# Generated by Django 3.2.23 on 2024-02-05 16:51
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("mozilla_django_oidc_db", "0014_alter_openidconnectconfig_groups_claim"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="openidconnectconfig",
+            name="oidc_token_use_basic_auth",
+            field=models.BooleanField(
+                default=False,
+                help_text="If enabled, the client ID and secret are sent in the HTTP Basic auth header when obtaining the access token. Otherwise, they are sent in the request body.",
+                verbose_name="Use Basic auth for token endpoint",
+            ),
+        ),
+    ]
diff --git a/mozilla_django_oidc_db/models.py b/mozilla_django_oidc_db/models.py
@@ -161,6 +161,15 @@ class OpenIDConnectConfigBase(SingletonModel):
         max_length=1000,
         help_text=_("URL of your OpenID Connect provider token endpoint"),
     )
+    oidc_token_use_basic_auth = models.BooleanField(
+        _("Use Basic auth for token endpoint"),
+        default=False,
+        help_text=_(
+            "If enabled, the client ID and secret are sent in the HTTP Basic auth "
+            "header when obtaining the access token. Otherwise, they are sent in the "
+            "request body.",
+        ),
+    )
     oidc_op_user_endpoint = models.URLField(
         _("User endpoint"),
         max_length=1000,