Implement helper method to retrieve token_endpoint_auth_methods for OAuth Authorization Server Metadata

ThisIsMissEm · ThisIsMissEm · commit 874de3686d5e · 2025-04-16T23:22:58.000+02:00
diff --git a/lib/doorkeeper/config.rb b/lib/doorkeeper/config.rb
@@ -583,6 +583,16 @@ def client_credentials_methods
       @client_credentials_methods ||= %i[from_basic from_params]
     end
 
+    def token_endpoint_auth_methods
+      return @token_endpoint_auth_methods if instance_variable_defined?(:@token_endpoint_auth_methods)
+
+      methods = ['none']
+      methods << 'client_secret_basic' if client_credentials_methods.include? :from_basic
+      methods << 'client_secret_post' if client_credentials_methods.include? :from_params
+
+      @token_endpoint_auth_methods = methods
+    end
+
     def access_token_methods
       @access_token_methods ||= %i[
         from_bearer_authorization
diff --git a/spec/lib/config_spec.rb b/spec/lib/config_spec.rb
@@ -287,11 +287,56 @@
     it "can change the value" do
       Doorkeeper.configure do
         orm DOORKEEPER_ORM
-        client_credentials :from_digest, :from_params
+        client_credentials :from_basic
       end
 
       expect(config.client_credentials_methods)
-        .to eq(%i[from_digest from_params])
+        .to eq(%i[from_basic])
+    end
+  end
+
+  # Returns token endpoint auth methods based on client_credentials per
+  # https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method
+  describe 'token_endpoint_auth_methods' do
+    it 'returns methods according to defaults' do
+      expect(config.client_credentials_methods).to eq(%i[from_basic from_params])
+      expect(config.token_endpoint_auth_methods).to contain_exactly('none', 'client_secret_post', 'client_secret_basic')
+    end
+
+    it "returns none even if no methods are configured" do
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+        client_credentials
+      end
+
+      expect(config.client_credentials_methods)
+        .to eq([])
+
+      expect(config.token_endpoint_auth_methods).to contain_exactly('none')
+    end
+
+    it 'returns client_secret_post if configured' do
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+        client_credentials :from_params
+      end
+
+      expect(config.client_credentials_methods)
+        .to eq(%i[from_params])
+
+      expect(config.token_endpoint_auth_methods).to contain_exactly('none', 'client_secret_post')
+    end
+
+    it 'returns client_secret_basic if configured' do
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+        client_credentials :from_basic
+      end
+
+      expect(config.client_credentials_methods)
+        .to eq(%i[from_basic])
+
+      expect(config.token_endpoint_auth_methods).to contain_exactly('none', 'client_secret_basic')
     end
   end
 
