googleapis · danielbankhead · Jun 1, 2024 · May 18, 2024 · May 18, 2024 · May 18, 2024
@@ -68,6 +68,12 @@
   JWK = 'JWK',
 }
 
+export enum ClientAuthentication {
+  ClientSecretPost,
+  ClientSecretBasic,
+  None,
+}
+
 export interface GetTokenOptions {
   code: string;
   codeVerifier?: string;
@@ -475,6 +481,11 @@
    * The allowed OAuth2 token issuers.
    */
   issuers?: string[];
+  /**
+   * The client authentication type. Support values are basic, post, and none.
+   * https://docs.authlib.org/en/latest/client/oauth2.html#client-authentication
+   */
+  client_authentication?: ClientAuthentication;
 }
 
 // Re-exporting here for backwards compatibility
@@ -491,6 +502,7 @@
   protected refreshTokenPromises = new Map<string, Promise<GetTokenResponse>>();
   readonly endpoints: Readonly<OAuth2ClientEndpoints>;
   readonly issuers: string[];
+  private client_authentication: ClientAuthentication;
 
   // TODO: refactor tests to make this private
   _clientId?: string;
@@ -542,6 +554,8 @@
       oauth2IapPublicKeyUrl: 'https://www.gstatic.com/iap/verify/public_key',
       ...opts.endpoints,
     };
+    this.client_authentication =
+      opts.client_authentication || ClientAuthentication.ClientSecretPost;
 
     this.issuers = opts.issuers || [
       'accounts.google.com',
@@ -660,20 +674,28 @@
     options: GetTokenOptions
   ): Promise<GetTokenResponse> {
     const url = this.endpoints.oauth2TokenUrl.toString();
-    const values = {
+    const headers: any = {'Content-Type': 'application/x-www-form-urlencoded'};
+    if (this.client_authentication === ClientAuthentication.ClientSecretBasic) {
+      const basic_auth =
+        'basic ' + btoa(`${this._clientId}:${this._clientSecret}`);
+      headers.Authorization = basic_auth;
+    }
+    const values: any = {
       code: options.code,
       client_id: options.client_id || this._clientId,
-      client_secret: this._clientSecret,
       redirect_uri: options.redirect_uri || this.redirectUri,
       grant_type: 'authorization_code',
       code_verifier: options.codeVerifier,
     };
+    if (this.client_authentication === ClientAuthentication.ClientSecretPost) {
+      values.client_secret = this._clientSecret;
+    }
     const res = await this.transporter.request<CredentialRequest>({
       ...OAuth2Client.RETRY_CONFIG,
       method: 'POST',
       url,
       data: querystring.stringify(values),
-      headers: {'Content-Type': 'application/x-www-form-urlencoded'},
+      headers: headers,
     });
     const tokens = res.data as Credentials;
     if (res.data && res.data.expires_in) {

@@ -44,6 +44,7 @@ export {
   RefreshOptions,
   TokenInfo,
   VerifyIdTokenOptions,
+  ClientAuthentication,
 } from './auth/oauth2client';
 export {LoginTicket, TokenPayload} from './auth/loginticket';
 export {

@@ -23,7 +23,12 @@
 import * as qs from 'querystring';
 import * as sinon from 'sinon';
 
-import {CodeChallengeMethod, Credentials, OAuth2Client} from '../src';
+import {
+  CodeChallengeMethod,
+  Credentials,
+  OAuth2Client,
+  ClientAuthentication,
+} from '../src';
 import {LoginTicket} from '../src/auth/loginticket';
 
 nock.disableNetConnect();
@@ -1421,6 +1426,23 @@
       assert.strictEqual(params.client_id, 'overridden');
     });
 
+    it('getToken should use basic header auth if provided in options', async () => {
+      const opts = {
+        clientId: CLIENT_ID,
+        clientSecret: CLIENT_SECRET,
+        redirectUri: REDIRECT_URI,
+        endpoints: {
+          oauth2TokenUrl: 'mytokenurl',
+        },
+        client_authentication: ClientAuthentication.ClientSecretBasic,
+      };
+      const oauth2client = new OAuth2Client(opts);
+      const _ = oauth2client.getToken({
+        code: 'code here',
+        client_id: CLIENT_ID,
+      });
+    });
+
     it('should return expiry_date', done => {
       const now = new Date().getTime();
       const scope = nock(baseUrl, {