Hi there 👋
First of all, thanks for this!
I'm trying to use this library locally against a mock OIDC Server (https://github.com/appvia/mock-oidc-user-server), that uses the node-oidc-provider under the hood.
What I'm seeing is that the fetch_tokens/3 function doesn't do any authentication, hence the code-for-token request fails with a 401. Full error details below:
** (MatchError) no match of right hand side value: {:error, :fetch_tokens, %HTTPoison.Response{body: "{\"error\":\"invalid_client\",\"error_description\":\"client authentication failed\"}", headers: [{"Pragma", "no-cache"}, {"Cache-Control", "no-cache, no-store"}, {"Content-Type", "application/json; charset=utf-8"}, {"Content-Length", "77"}, {"Date", "Sat, 24 Aug 2019 11:46:30 GMT"}, {"Connection", "keep-alive"}], request: %HTTPoison.Request{body: {:form, [client_id: "my-client", client_secret: "my-secret", code: "gU9qoumrVmlaFzOe3JI6ri6KYXG", grant_type: "authorization_code", redirect_uri: "http://localhost:4003/session"]}, headers: [{"Content-Type", "application/x-www-form-urlencoded"}], method: :post, options: [], params: %{}, url: "http://oidc:9090/token"}, request_url: "http://oidc:9090/token", status_code: 401}}
If I change the headers set by the fetch_tokens/3 function like this:
+ basic_auth = Base.encode64("my-client:my-secret")
headers = [
{"Content-Type", "application/x-www-form-urlencoded"},
+ {"Authorization", "Basic #{basic_auth}"},
]
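Review bot: the new Authorization header is added while the form body shown in the error above still carries client_id and client_secret, so the request would authenticate with two methods at once, which RFC 6749 §2.3 forbids; drop those two form fields whenever the Basic header is sent. Also, RFC 6749 §2.3.1 expects client_id and client_secret to be application/x-www-form-urlencoded before they are joined with ":" and base64-encoded, e.g. `Base.encode64(URI.encode_www_form(client_id) <> ":" <> URI.encode_www_form(client_secret))`, and the literals "my-client"/"my-secret" on the first added line should come from the client configuration rather than being hardcoded.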
The fetch_tokens/3 function works as expected.
Since OIDC specifies that this request should be authenticated, using HTTP Basic or JWT-based authentication, isn't this missing from this library?
I'll open a PR to fix this if it's needed, I'd just like to confirm this with you first.
Thanks in advance 🙌
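The two client-authentication methods discussed in this issue, as an added example that is not code from the library or from the issue author. It builds the headers and form body for the code-for-token request either as client_secret_basic (credentials in an Authorization header, form-urlencoded before base64 as RFC 6749 §2.3.1 requires, and not repeated in the body) or as client_secret_post (credentials in the body only). The module name `TokenRequest` and the function names are assumptions; it uses only the Elixir standard library, so the output can be handed to HTTPoison or any other HTTP client.

```elixir
# Added example, not the library's own code. `TokenRequest` and its
# function names are assumptions chosen for this illustration.
defmodule TokenRequest do
  @moduledoc """
  Builds `{headers, form_params}` for a POST to the OIDC token endpoint.

  `:client_secret_basic` sends the credentials in an HTTP Basic
  Authorization header; `:client_secret_post` sends them as form fields.
  RFC 6749 §2.3.1 requires the Basic form to application/x-www-form-urlencode
  client_id and client_secret before joining them with ":" and base64-encoding,
  and §2.3 forbids using more than one authentication method in one request.
  """

  @form_type {"Content-Type", "application/x-www-form-urlencoded"}

  @doc "Returns `{headers, form_params}` ready for an HTTP client."
  def build(method, client_id, client_secret, code, redirect_uri) do
    base = [
      grant_type: "authorization_code",
      code: code,
      redirect_uri: redirect_uri
    ]

    case method do
      :client_secret_basic ->
        headers = [
          @form_type,
          {"Authorization", "Basic " <> basic_credential(client_id, client_secret)}
        ]

        # Credentials live in the header only; they are not duplicated in the body.
        {headers, base}

      :client_secret_post ->
        {[@form_type], Keyword.merge(base, client_id: client_id, client_secret: client_secret)}
    end
  end

  @doc "RFC 6749 §2.3.1 credential: form-urlencode each part, join with \":\", base64."
  def basic_credential(client_id, client_secret) do
    Base.encode64(URI.encode_www_form(client_id) <> ":" <> URI.encode_www_form(client_secret))
  end

  @doc "Encodes the form params the way the token endpoint expects them."
  def encode_body(params), do: URI.encode_query(params)
end

# Usage with constructed values (not real credentials).
for method <- [:client_secret_basic, :client_secret_post] do
  {headers, params} =
    TokenRequest.build(method, "my-client", "my-secret",
      "gU9qoumrVmlaFzOe3JI6ri6KYXG", "http://localhost:4003/session")

  IO.puts("== #{method}")
  IO.inspect(headers, label: "headers")
  IO.puts("body: " <> TokenRequest.encode_body(params))
end
```

With HTTPoison the result plugs straight into `HTTPoison.post(url, {:form, params}, headers)`. Note that a secret containing `:` or non-ASCII characters would break the naive `Base.encode64("id:secret")` shown in the issue but survives the form-urlencoding step here, which is exactly what an interoperable provider such as node-oidc-provider decodes on its side.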