Hi,

Certain providers, Okta being the one I'm currently using, return an error when the client_id is included with the form parameters when performing authentication using a jwt-bearer client assertion, e.g. when doing private_key_jwt. For reference, the error returned by Okta is like

If I modify the openid-client code to not add the client_id to the form parameters then authentication with Okta works OK. Is there any correct way to exclude the client_id from the form parameters while waiting for Okta to fix the issue on their side (if they fix it at all)? If not, I'm happy to provide a PR to do this if required/desired.

Thanks,
Replies: 1 comment
There is not. The optionality of body client_id is called out in the underpinning of private_key_jwt and client_secret_jwt, it's all within spec (and OIDC certified), a standalone client_id in the body is not a "credential" and may always be present regardless of the form of client authentication used.
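
The behaviour discussed above, as an added example that is not code from openid-client or from Okta: a private_key_jwt token request built with and without a body client_id, and a token-endpoint check that follows RFC 7521 section 4.2 (a body client_id is optional and, if present, must identify the same client as the assertion). The client name, audience URL and in-memory client registry are constructed assumptions, and jti replay tracking is left out.

```javascript
const crypto = require('node:crypto');

const ASSERTION_TYPE = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
const b64u = (s) => Buffer.from(s).toString('base64url');
const unb64u = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Constructed test client and key pair (not taken from the discussion).
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const registeredClients = new Map([['example-client', publicKey]]);

// Client side: private_key_jwt form body; client_id in the body is optional.
function buildTokenRequest(clientId, audience, bodyClientId) {
  const now = Math.floor(Date.now() / 1000);
  const signingInput = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' +
    b64u(JSON.stringify({ iss: clientId, sub: clientId, aud: audience,
      jti: crypto.randomUUID(), iat: now, exp: now + 60 }));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  const form = new URLSearchParams({
    grant_type: 'client_credentials',
    client_assertion_type: ASSERTION_TYPE,
    client_assertion: `${signingInput}.${sig.toString('base64url')}`,
  });
  if (bodyClientId !== undefined) form.set('client_id', bodyClientId);
  return form.toString();
}

// Server side: the signed assertion identifies the client. A body client_id
// is accepted when it names the same client and rejected when it does not.
// Returns the authenticated client id, or null on any failure.
function authenticateClient(rawBody, audience) {
  const form = new URLSearchParams(rawBody);
  const parts = (form.get('client_assertion') || '').split('.');
  if (form.get('client_assertion_type') !== ASSERTION_TYPE || parts.length !== 3) return null;
  let header, claims;
  try { header = unb64u(parts[0]); claims = unb64u(parts[1]); } catch { return null; }
  if (!header || !claims) return null;
  const key = registeredClients.get(claims.sub);
  if (!key || header.alg !== 'RS256' || claims.iss !== claims.sub) return null;
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('RSA-SHA256', signed, key, Buffer.from(parts[2], 'base64url'))) return null;
  if (claims.aud !== audience || !(claims.exp > Date.now() / 1000)) return null;
  const bodyClientId = form.get('client_id');
  if (bodyClientId !== null && bodyClientId !== claims.sub) return null;
  return claims.sub;
}
```

A server written this way accepts both request shapes, so a client that always sends client_id and one that never does authenticate identically; only a body client_id that disagrees with the assertion is refused.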