OIDC Dev Service invalid_request for when client secret is set

[Postremus]

Describe the bug

When I specifiy a client credentials secret, the oidc dev service returns an "invalid_request" when requesting an token.

This is my configuration, which results in the error.

quarkus.keycloak.devservices.enabled=false
quarkus.oidc.devservices.enabled=true

quarkus.oidc-client.auth-server-url=${quarkus.oidc.auth-server-url}
quarkus.oidc-client.client-id=${quarkus.oidc.client-id}
quarkus.oidc-client.credentials.secret=${quarkus.oidc.credentials.secret}
quarkus.oidc-client.scopes=openid
quarkus.oidc-client.grant.type=password
quarkus.oidc-client.grant-options.password.username=user
quarkus.oidc-client.grant-options.password.password=pwd

Removing the line quarkus.oidc-client.credentials.secret=${quarkus.oidc.credentials.secret} fixes that.

quarkus/extensions/oidc-client/runtime/src/main/java/io/quarkus/oidc/client/runtime/OidcClientImpl.java

Lines 190 to 192 in 767e90a

	if (clientSecretBasicAuthScheme != null) {
	request.putHeader(AUTHORIZATION_HEADER, clientSecretBasicAuthScheme);
	} else if (jwtBearerAuthentication) {

The oidc client tries to use basic auth to send the client id and secret, but the dev service does not understand this.
Removing the secret forces the client to use the client_id form parameter. This works then, since the dev service does not use the client_secret anyway.

Could you please either fix this somehow, or improve the documentation about oidc dev services limitions, and how to configure the oidc client for it?

Expected behavior

@Inject
    Tokens tokens;


    @Test
    void testHelloEndpoint() {
        MatcherAssert.assertThat(tokens.getAccessToken(), Matchers.notNullValue());
    }

Should pass

Actual behavior

Error message from oidc dev service:
{
"error": "invalid_request"
}

How to Reproduce?

Reproducer:

oidc-dev-client.zip

1. Execute test GreetingResourceTest
2. Failure
3. Remove the configuration for the client secret from application.properties
4. Test Works

Output of uname -a or ver

MINGW64_NT-10.0-26100 NANBCHL9NG3 3.3.6-341.x86_64 2022-09-05 20:28 UTC x86_64 Msys

Output of java -version

openjdk 21.0.5 2024-10-15 LTS OpenJDK Runtime Environment Temurin-21.0.5+11 (build 21.0.5+11-LTS) OpenJDK 64-Bit Server VM Temurin-21.0.5+11 (build 21.0.5+11-LTS, mixed mode, sharing)

Quarkus version or git rev

3.21.1

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.8.8 (4c87b05d9aedce574290d1acc98575ed5eb6cd39) Maven home: C:\eclipse\tools\java\maven Java version: 21.0.5, vendor: Eclipse Adoptium, runtime: C:\eclipse\tools\java\21 Default locale: de_DE, platform encoding: UTF-8 OS name: "windows 11", version: "10.0", arch: "amd64", family: "windows"

Additional information

No response

[quarkus-bot]

/cc @geoand (devservices), @pedroigor (oidc), @sberyozkin (oidc)

[sberyozkin]

@Postremus We did not look deep into supporting client_credentials for a lightweight OIDC option it should probably check Authorization: Basic as well.
FYI, you can configure OIDC client to send it as form parameters, https://quarkus.io/guides/security-openid-connect-client-reference#oidc-client-authentication

See client_secret_post

[michalvavrik]

But if you want to looking into this and open PR, that will be great @Postremus

[Postremus]

Not right now, want to get another PR ready, @michalvavrik, but thank you for asking!