diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
index d5d1a82772..b3aeae5054 100644
--- a/auth_oidc/models/auth_oauth_provider.py
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -38,6 +38,9 @@ class AuthOauthProvider(models.Model):
client_secret = fields.Char(
help="Used in OpenID Connect authorization code flow for confidential clients.",
)
+ client_secret_post = fields.Boolean(
+ help="Use Client Secret in authorization post requests"
+ )
code_verifier = fields.Char(
default=lambda self: secrets.token_urlsafe(32), help="Used for PKCE."
)
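Review bot: The help text on the new `client_secret_post` field describes the wrong request — the secret is added to the token-endpoint exchange in `_auth_oauth_get_tokens_auth_code_flow` (res_users.py), not to the authorization request, and it does not say how the option relates to the HTTP Basic authentication that `client_secret` already enables. Administrators pick this flag from the form, so the help should name the OIDC method it selects: `help="Send the client secret in the body of the token endpoint request (client_secret_post); use for providers that do not accept HTTP Basic client authentication."`. The enclosing class `AuthOauthProvider` starts before this hunk and continues after it.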
diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
index 1684480fa4..531526ce96 100644
--- a/auth_oidc/models/res_users.py
+++ b/auth_oidc/models/res_users.py
@@ -27,15 +27,21 @@ def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params):
auth = None
if oauth_provider.client_secret:
auth = (oauth_provider.client_id, oauth_provider.client_secret)
+
+ post_data = dict(
+ client_id=oauth_provider.client_id,
+ grant_type="authorization_code",
+ code=code,
+ code_verifier=oauth_provider.code_verifier, # PKCE
+ redirect_uri=request.httprequest.url_root + "auth_oauth/signin",
+ )
+
+ if oauth_provider.client_secret_post:
+ post_data["client_secret"] = oauth_provider.client_secret
+
response = requests.post(
oauth_provider.token_endpoint,
- data=dict(
- client_id=oauth_provider.client_id,
- grant_type="authorization_code",
- code=code,
- code_verifier=oauth_provider.code_verifier, # PKCE
- redirect_uri=request.httprequest.url_root + "auth_oauth/signin",
- ),
+ data=post_data,
auth=auth,
timeout=10,
)
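Review bot: When `client_secret_post` is set, the `auth` tuple assigned at the top of the hunk is still passed to `requests.post`, so the token request carries the client secret both in the HTTP Basic `Authorization` header and in the form body; RFC 6749 §2.3.1 says a client MUST NOT use more than one authentication method per request, and some providers appear to reject this with `invalid_client`, which would make the new option fail exactly for the providers it targets. Make the two methods exclusive inside the new branch: `if oauth_provider.client_secret_post:` / `    post_data["client_secret"] = oauth_provider.client_secret` / `    auth = None`, with a short comment such as `# client_secret_post and client_secret_basic are mutually exclusive (RFC 6749 §2.3.1)`. Note that with the flag set but `client_secret` empty, `post_data["client_secret"]` is `None`; I believe `requests` drops `None` form values, but it is worth confirming rather than relying on it. `_auth_oauth_get_tokens_auth_code_flow` starts before this hunk (its `code` local and the `request` import are defined outside it) and its body continues after the `requests.post` call.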
diff --git a/auth_oidc/views/auth_oauth_provider.xml b/auth_oidc/views/auth_oauth_provider.xml
index c890fb55a8..c9d65a36e5 100644
--- a/auth_oidc/views/auth_oauth_provider.xml
+++ b/auth_oidc/views/auth_oauth_provider.xml
@@ -14,6 +14,7 @@
+