Set auth style when no client secret in use (#1289)

Co-authored-by: Hidetake Iwata <int128@gmail.com>
2026-02-14 16:39:51 +00:00 · 2025-11-23 06:43:21 +00:00
parent 1ead2a405e
commit 5d091e486a
1 changed files with 7 additions and 1 deletions
--- a/pkg/oidc/client/factory.go
+++ b/pkg/oidc/client/factory.go
@@ -62,11 +62,17 @@ func (f *Factory) New(ctx context.Context, prov oidc.Provider, tlsClientConfig t
 	if err != nil {
 		return nil, fmt.Errorf("could not determine supported PKCE methods: %w", err)
 	}
+
+	endpoint := provider.Endpoint()
+	if prov.ClientSecret == "" {
+		endpoint.AuthStyle = oauth2.AuthStyleInParams
+	}
+
 	return &client{
 		httpClient: httpClient,
 		provider:   provider,
 		oauth2Config: oauth2.Config{
-			Endpoint:     provider.Endpoint(),
+			Endpoint:     endpoint,
 			ClientID:     prov.ClientID,
 			ClientSecret: prov.ClientSecret,
 			RedirectURL:  prov.RedirectURL,