OIDC Auth requires `client-secret` parameter

[vilmosnagy]

Currently, if I use the OIDC auth mode I must insert a client-secret attribute to the userConfig:

this.kc.loadFromClusterAndUser(
{
    caData: '<CA-data>',
    name: 'k8s-cluster',
    server: 'https://127.0.0.1:6443',
    skipTLSVerify: false,
},
{
    authProvider: {
        name: 'oidc',
        config: {
            'client-id': 'kubernetes-vilmos-test',
            'id-token': '<id-token>',
            'idp-issuer-url': 'https://<keycloak-server-url>/auth/realms/<realm-id>',
            'refresh-token': '<refresh-token>',
            'client-secret': ' ', // I MUST include this with some random value even if the keycloak server is set up not to require a `client-secret`. 
        },
    },
    name: 'user-k8s',
});

As far as I understand:

• the cliend-secret is an optional parameter in the OIDC specifications (if the oidc server doesn't want to authenticate the clients, it can be omitted)
• there's a check for it in the oidc_auth file

[brendandburns]

I'm definitely not an OIDC expert, if you can point to the part in the spec where it's defined as optional, we're happy to take a PR to remove the check that requires it.

[vilmosnagy]

As far as I understand the OpenID protocol is a simple identity layer on top of the OAuth 2.0 protocol. (via).

The OAuth 2.0 RCF says the following about the client_secret:

Alternatively, the authorization server MAY support including the
client credentials in the request-body using the following
parameters:
(...)
client_secret
REQUIRED. The client secret. The client MAY omit the
parameter if the client secret is an empty string.

Based on that definition, the client_secret can be an empty string.

Even if you demand that the framework's client (my code) should provide the empty string as a client_secret, the framework fails to connect to the oidc server, because the check in the mentioned file (!user.authProvider.config['client-secret'] which in this case will be !'') is false.

I'm happy to create a PR to remove that single line (or to modify it to 'client-secret' in user.authProvider.config).

[brendandburns]

Cool, we'd love a PR to add this support, basically to set client-secret to empty string if it's not present in the config.

Thanks!