Merge pull request #279 from azmeuk/capile

Enabled client_secret_basic authentication on refreshToken()
jumbojett · Nov 21, 2021 · 317c4ac · 317c4ac
2 parents 712bab2 + dd30a3a
commit 317c4ac
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ### Added
 
+* Enabled `client_secret_basic` authentication on `refreshToken()` #215
 * Basic auth support for requestResourceOwnerToken #271
 
 ## [0.9.3]

diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
@@ -812,6 +812,9 @@ protected function requestTokens($code) {
      */
     public function refreshToken($refresh_token) {
         $token_endpoint = $this->getProviderConfigValue('token_endpoint');
+        $token_endpoint_auth_methods_supported = $this->getProviderConfigValue('token_endpoint_auth_methods_supported', ['client_secret_basic']);
+
+        $headers = [];
 
         $grant_type = 'refresh_token';
 
@@ -823,10 +826,17 @@ public function refreshToken($refresh_token) {
             'scope'         => implode(' ', $this->scopes),
         );
 
+        # Consider Basic authentication if provider config is set this way
+        if (in_array('client_secret_basic', $token_endpoint_auth_methods_supported, true)) {
+            $headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret))];
+            unset($token_params['client_secret']);
+            unset($token_params['client_id']);
+        }
+
         // Convert token params to string format
         $token_params = http_build_query($token_params, null, '&', $this->enc_type);
 
-        $json = json_decode($this->fetchURL($token_endpoint, $token_params));
+        $json = json_decode($this->fetchURL($token_endpoint, $token_params, $headers));
 
         if (isset($json->access_token)) {
             $this->accessToken = $json->access_token;