
Enhancement: Add client_id to token request body to support various OIDC server implementations #194

@KOH6

Description

OpenID Connect Core 1.0 refers to OAuth 2.0 (RFC6749) for client authentication. According to RFC6749 Section 2.3.1, authorization servers MAY support including client credentials in the request body. Some OIDC providers require client_id in the request body regardless of the authentication method used (basic or jwks). Adding client_id to the token request body would improve compatibility with such providers while maintaining the current authentication methods.

Related Specifications

  • OpenID Connect Core 1.0 Section 3.1.3.1 refers to OAuth 2.0 Section 4.1.3 for client authentication at the token endpoint.
  • OAuth 2.0 (RFC6749) Section 2.3.1 specifies methods for including client credentials in the request body.

Current Behavior

Currently, the gem only sends client credentials via the selected authentication method (basic or jwks):

def access_token
  # ...
  token_request_params = {
    scope: (options.scope if options.send_scope_to_token_endpoint),
    client_auth_method: options.client_auth_method
  }
  # client_id is not included in request body
end

Expected Behavior

Always include client_id in the token request body while maintaining the current authentication methods:

def access_token
  # ...
  token_request_params = {
    scope: (options.scope if options.send_scope_to_token_endpoint),
    client_auth_method: options.client_auth_method,
    client_id: client_options.identifier  # Always include client_id in request body
  }
  # ...
end

References

  1. OpenID Connect Core 1.0 Section 3.1.3.1

The Client MUST authenticate with the Token Endpoint using the authentication method as described in Section 4.1.3 of OAuth 2.0 [RFC6749].

  2. RFC6749 Section 2.3.1:

"Alternatively, the authorization server MAY support including the client credentials in the request-body using the following parameters:

  • client_id REQUIRED. The client identifier issued to the client during the registration process"

RFC6749 Section 2.3.1 Full Text

Additional Considerations

  • This change maintains compatibility with standard OIDC providers while adding support for providers that require client_id in the request body
  • The current authentication methods ('basic' and 'jwks') remain unchanged
  • No additional configuration options needed
  • Should add tests to verify client_id is properly included in token requests
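Added example (not the issue author's code and not part of the gem): a stand-alone Ruby builder for the authorization_code token request that always puts client_id in the form body, as the issue proposes, while still applying the selected client authentication method on top. The :basic branch sets the HTTP Basic header per RFC 6749 Section 2.3.1; the :jwks branch adds a private_key_jwt client_assertion. All names (build_token_request, build_client_assertion, verify_client_assertion, base64url) are hypothetical, the endpoint and credential values are constructed, and only the Ruby standard library is used.

```ruby
require "json"
require "openssl"
require "securerandom"
require "uri"

# Hypothetical helpers: base64url encoding without padding, as JWTs require.
def base64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def base64url_decode(str)
  padded = str + "=" * ((4 - str.length % 4) % 4)
  padded.tr("-_", "+/").unpack1("m0")
end

# Minimal private_key_jwt assertion (RFC 7523 / OIDC Core 1.0 Section 9), RS256.
# Illustrative only; a real client signs with its registered key.
def build_client_assertion(client_id:, token_endpoint:, private_key:, now: Time.now.to_i)
  header  = { alg: "RS256", typ: "JWT" }
  payload = {
    iss: client_id, sub: client_id, aud: token_endpoint,
    jti: SecureRandom.uuid, iat: now, exp: now + 60
  }
  signing_input = [header, payload].map { |h| base64url(JSON.generate(h)) }.join(".")
  signature = private_key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{base64url(signature)}"
end

# Returns { headers:, body: } for the token request. client_id is always in the
# body; :basic adds an Authorization header, :jwks adds a client_assertion pair.
def build_token_request(client_id:, code:, redirect_uri:, token_endpoint:,
                        auth_method:, client_secret: nil, private_key: nil)
  body = {
    "grant_type" => "authorization_code",
    "code" => code,
    "redirect_uri" => redirect_uri,
    "client_id" => client_id # always included, independent of auth_method
  }
  headers = { "Content-Type" => "application/x-www-form-urlencoded" }

  case auth_method
  when :basic
    raise ArgumentError, "client_secret required for :basic" if client_secret.nil?
    # RFC 6749 2.3.1: id and secret are form-urlencoded before Base64 encoding
    cred = "#{URI.encode_www_form_component(client_id)}:" \
           "#{URI.encode_www_form_component(client_secret)}"
    headers["Authorization"] = "Basic #{[cred].pack('m0')}"
  when :jwks
    raise ArgumentError, "private_key required for :jwks" if private_key.nil?
    body["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
    body["client_assertion"] = build_client_assertion(
      client_id: client_id, token_endpoint: token_endpoint, private_key: private_key
    )
  else
    raise ArgumentError, "unknown client_auth_method #{auth_method.inspect}"
  end

  { headers: headers, body: body }
end

# What a token endpoint does with the assertion: check the RS256 signature and
# return the claims, or nil when the signature does not verify.
def verify_client_assertion(jwt, public_key)
  h, p, s = jwt.split(".")
  ok = public_key.verify(OpenSSL::Digest.new("SHA256"), base64url_decode(s), "#{h}.#{p}")
  ok ? JSON.parse(base64url_decode(p)) : nil
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # constructed key for the demo
  common = { client_id: "my-client", code: "abc", redirect_uri: "https://rp.example/cb",
             token_endpoint: "https://op.example/token" }
  basic = build_token_request(**common, auth_method: :basic, client_secret: "s3cret")
  puts URI.encode_www_form(basic[:body])
  jwks = build_token_request(**common, auth_method: :jwks, private_key: key)
  puts URI.encode_www_form(jwks[:body])
end
```

Running the file prints the two form bodies; in both, client_id appears in the body, and only the :basic case carries an Authorization header. Providers that reject a body without client_id are satisfied either way, and providers that already accept Basic or private_key_jwt authentication are unaffected because those mechanisms are sent unchanged.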
