
use TokenClientCredentialStyle for PAR requests #351

Merged: damianh merged 1 commit into main from jmdc/par-client-credential-style on Apr 16, 2026

@josephdecock (Member)

PushAuthorizationRequestAsync was not using the configured TokenClientCredentialStyle, causing PAR requests to potentially use a different credential style than token and refresh requests.

Fixes #349

Copilot AI review requested due to automatic review settings April 10, 2026 19:39
@josephdecock josephdecock self-assigned this Apr 10, 2026
Copilot AI (Contributor) left a comment

Pull request overview

Fixes a mismatch in client authentication style used for Pushed Authorization Requests (PAR) vs token/refresh requests in Duende.IdentityModel.OidcClient, aligning PAR with the configured OidcClientOptions.TokenClientCredentialStyle (per issue #349 / RFC 9126 expectations).

Changes:

  • Apply OidcClientOptions.TokenClientCredentialStyle to PAR requests in AuthorizeClient.
  • Expand tests to validate PAR client authentication for both PostBody (default) and AuthorizationHeader styles.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| identity-model-oidc-client/src/IdentityModel.OidcClient/AuthorizeClient.cs | Ensures PAR uses the same configured client credential style as token/refresh requests. |
| identity-model-oidc-client/test/IdentityModel.OidcClient.Tests/CodeFlowResponseTests.cs | Adds/updates tests to assert PAR credentials are sent via body vs Basic auth header depending on configuration. |


@josephdecock josephdecock requested a review from bhazen April 10, 2026 20:55
@damianh damianh added the area/foss/im-oidc-client Issues related to Identity Model OIDC Client label Apr 16, 2026
@damianh damianh merged commit 635f140 into main Apr 16, 2026
6 checks passed
@damianh damianh deleted the jmdc/par-client-credential-style branch April 16, 2026 13:04
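
The mismatch this pull request fixes, shown at the wire level as an added example; it is not code from the PR or from Duende.IdentityModel. The style names `PostBody` and `AuthorizationHeader` come from the page; the function names, endpoint labels, client id and secret are constructed, and the Basic encoding follows RFC 6749 section 2.3.1.

```python
import base64
from urllib.parse import parse_qs, quote_plus, urlencode

def build_request(style, client_id, client_secret, params):
    """Return (headers, body) for a form POST to a PAR or token endpoint."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = dict(params)
    if style == "AuthorizationHeader":
        # RFC 6749 2.3.1: form-urlencode id and secret, then Base64("id:secret")
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif style == "PostBody":
        form.update(client_id=client_id, client_secret=client_secret)
    else:
        raise ValueError(f"unknown credential style: {style}")
    return headers, urlencode(form)

def auth_method(headers, body):
    """Classify how a captured request authenticated the client."""
    basic = headers.get("Authorization", "").startswith("Basic ")
    post = "client_secret" in parse_qs(body)
    if basic and post:
        return "both"  # RFC 6749 2.3: at most one method per request
    if basic:
        return "client_secret_basic"
    return "client_secret_post" if post else "none"

def mismatched_endpoints(captured, reference="token"):
    """Names of endpoints whose client auth method differs from the reference."""
    methods = {name: auth_method(h, b) for name, (h, b) in captured.items()}
    return sorted(n for n, m in methods.items() if m != methods[reference])

# Constructed scenario: the configured style is AuthorizationHeader, but the
# PAR request falls back to PostBody (assumed pre-fix behaviour, hypothetical values).
CLIENT = ("client", "s3cr3t")
token = build_request("AuthorizationHeader", *CLIENT, {"grant_type": "authorization_code", "code": "abc"})
par_before = build_request("PostBody", *CLIENT, {"response_type": "code", "scope": "openid"})
par_after = build_request("AuthorizationHeader", *CLIENT, {"response_type": "code", "scope": "openid"})

if __name__ == "__main__":
    print(mismatched_endpoints({"token": token, "par": par_before}))
    print(mismatched_endpoints({"token": token, "par": par_after}))
```

An authorization server that enforces a single registered client authentication method would reject the PAR request in the first case while token requests from the same client succeed.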
Linked issue (may be closed by merging this pull request): Wrong ClientCredentialStyle used in PushedAuthorization
