Hi all,
I can't remember if I've said this before, but it looks like Mojolicious::Plugin::OAuth2 only uses the client_secret_post client authentication method.

In the OpenID Connect spec, "client_secret_basic" is actually the default method: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

I think that Keycloak checks both the Authorization header and the request body, which is probably why it's worked so easily with the Koha OpenID Connect auth. I couldn't find any documentation on this for Keycloak, but I think it's a safe assumption.

Reported the issue on GitHub: https://github.com/marcusramberg/Mojolicious-Plugin-OAuth2/issues/72. Really it should be a very straightforward change to implement in the plugin.

David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia

Office: 02 9212 0899
Online: 02 8005 0595

_______________________________________________
Koha-devel mailing list
Koha-devel@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : https://www.koha-community.org/
git : https://git.koha-community.org/
bugs : https://bugs.koha-community.org/
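
An added example, not part of the original email and not code from Mojolicious::Plugin::OAuth2: the same token request built under client_secret_post and under client_secret_basic, then checked by a hypothetical provider-side lookup that honours only the methods it is configured for. The client ID, secret, grant values and all sub names are constructed for illustration.

```perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);
# application/x-www-form-urlencoded, used for the body and inside Basic credentials.
sub form_encode {
    my ($s) = @_;
    utf8::encode($s) if utf8::is_utf8($s);
    $s =~ s/([^A-Za-z0-9*._ -])/sprintf('%%%02X', ord $1)/ge;
    return $s =~ tr/ /+/r;
}
sub form_decode {
    (my $s = shift) =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}
sub form_body {
    my (@p, @out) = @_;
    while (my ($k, $v) = splice @p, 0, 2) { push @out, form_encode($k) . '=' . form_encode($v) }
    return join '&', @out;
}
# client_secret_post: the credentials are two more form fields in the body.
sub request_post {
    my ($id, $secret, @grant) = @_;
    return { headers => {}, body => form_body(@grant, client_id => $id, client_secret => $secret) };
}
# client_secret_basic: form-encode each part, join with ":", Base64 (RFC 6749 section 2.3.1).
sub request_basic {
    my ($id, $secret, @grant) = @_;
    my $cred = encode_base64(form_encode($id) . ':' . form_encode($secret), '');
    return { headers => { Authorization => "Basic $cred" }, body => form_body(@grant) };
}
# Hypothetical provider-side lookup that honours only the methods it is given.
sub client_credentials {
    my ($req, %ok) = @_;
    my ($b64) = ($req->{headers}{Authorization} // '') =~ /^Basic (\S+)$/;
    return map { form_decode($_) } split /:/, decode_base64($b64), 2
        if $ok{client_secret_basic} && defined $b64;
    return unless $ok{client_secret_post};
    my %f = map { form_decode($_) } map { split /=/, $_, 2 } split /&/, $req->{body};
    return defined $f{client_secret} ? @f{qw(client_id client_secret)} : ();
}
# Constructed sample values; nothing here comes from the email or a real deployment.
my @args = ('koha-opac', 's3cr3t:/+ value', grant_type => 'authorization_code', code => 'SAMPLE');
my %sent = (post => request_post(@args), basic => request_basic(@args));
for my $policy (['client_secret_basic'], ['client_secret_basic', 'client_secret_post']) {
    for my $how (sort keys %sent) {
        my @got = client_credentials($sent{$how}, map { $_ => 1 } @$policy);
        printf "provider allows [%s]; client sends %-5s => %s\n", join(',', @$policy), $how,
            (@got && $got[1] eq $args[1]) ? "authenticated as $got[0]" : 'invalid_client';
    }
}
```

The sample secret contains ":" on purpose: without the form-encoding step before Base64, the provider would split the decoded credentials at the wrong colon.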