Any plans to allow overriding the "Basic " prefix for the Authorization header value?

[nkiesel]

I am dealing with a server implementation that expects Authorization: Foo <token> instead of the standard Authorization: Basic <token> for the client_credentials grant request (with a different and variable value for Foo based in the environment). I see that the prefix is currently hardcoded. Would you accept a PR which allows to configure an override value for the prefix?

[panva]

Would you accept a PR which allows to configure an override value for the prefix?

Unlikely, there's no reason for an OAuth 2.0 implementation to require anything but Basic for the client_secret_basic client authentication scheme. Consider using client_secret_post if the server in question supports it while requesting their implementation to get aligned with the standard.

[nkiesel]

Understood (and honestly expected). However, the server is run by a large financial organization, so will take a long time to convince them to follow the standard. So might need to fork the project in the meantime. The change itself is likely very small (of course will still need unit tests), something like:

diff --git lib/helpers/client.js lib/helpers/client.js
index 65c7fdb..d063df9 100644
--- lib/helpers/client.js
+++ lib/helpers/client.js
@@ -146,7 +146,8 @@ async function authFor(endpoint, { clientAssertionPayload } = {}) {
       }
       const encoded = `${formUrlEncode(this.client_id)}:${formUrlEncode(this.client_secret)}`;
       const value = Buffer.from(encoded).toString('base64');
-      return { headers: { Authorization: `Basic ${value}` } };
+      const prefix = this.token_endpoint_header_prefix || 'Basic';
+      return { headers: { Authorization: `${prefix} ${value}` } };
     }
     default: {
       throw new TypeError(`missing, or unsupported, ${endpoint}_endpoint_auth_method`);
diff --git types/index.d.ts types/index.d.ts
index d6b5aa0..c19beab 100644
--- types/index.d.ts
+++ types/index.d.ts
@@ -53,6 +53,8 @@ export type ClientAuthMethod =
   | 'self_signed_tls_client_auth'
   | 'none';

+export type AuthorizationValuePrefix = 'Basic' | string;
+
 export interface ClientMetadata {
   // important
   client_id: string;
@@ -77,6 +79,7 @@ export interface ClientMetadata {
   revocation_endpoint_auth_method?: ClientAuthMethod;
   revocation_endpoint_auth_signing_alg?: string;
   token_endpoint_auth_signing_alg?: string;
+  token_endpoint_header_prefix?: AuthorizationValuePrefix;
   userinfo_encrypted_response_alg?: string;
   userinfo_encrypted_response_enc?: string;
   userinfo_signed_response_alg?: string;

[panva]

You can also use this to change the value of the headers that are sent out.

[nkiesel]

Interesting. But then I would have to create the whole header entry myself (i.e. cannot use the existing code with combines and encodes the credentials), correct?

[panva]

Why don't you try and see what the options hold.

[nkiesel]

Yes, I have code now which can update the authz value prefix. Thanks!