Enabled client_secret_basic authentication on requestClientCredentialsToken()

CHANGELOG.md

@@ -17,6 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Cast `$_SERVER['SERVER_PORT']` to integer to prevent adding 80 or 443 port to redirect URL. #403
 - Check subject when verifying JWT #406
 - Removed duplicate check on jwks_uri and only check if jwks_uri exists when needed #373
+* Enabled `client_secret_basic` authentication on `requestClientCredentialsToken()` #347
 
 ## [1.0.0] - 2023-12-13
 

src/OpenIDConnectClient.php

@@ -803,12 +803,12 @@ public function requestClientCredentialsToken() {
         $grant_type = 'client_credentials';
 
         $post_data = [
-            'grant_type'    => $grant_type,
-            'client_id'     => $this->clientID,
-            'client_secret' => $this->clientSecret,
-            'scope'         => implode(' ', $this->scopes)
+            'grant_type' => $grant_type,
+            'scope'      => implode(' ', $this->scopes)
         ];
 
+        $this->setOptionalBasicAuthentication($headers, $post_data);
+
         // Convert token params to string format
         $post_params = http_build_query($post_data, '', '&', $this->encType);
 
@@ -839,13 +839,7 @@ public function requestResourceOwnerToken(bool $bClientAuth = false) {
 
         //For client authentication include the client values
         if($bClientAuth) {
-            $token_endpoint_auth_methods_supported = $this->getProviderConfigValue('token_endpoint_auth_methods_supported', ['client_secret_basic']);
-            if ($this->supportsAuthMethod('client_secret_basic', $token_endpoint_auth_methods_supported)) {
-                $headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret))];
-            } else {
-                $post_data['client_id']     = $this->clientID;
-                $post_data['client_secret'] = $this->clientSecret;
-            }
+            $this->setOptionalBasicAuthentication($headers, $post_data);
         }
 
         // Convert token params to string format
@@ -854,6 +848,23 @@ public function requestResourceOwnerToken(bool $bClientAuth = false) {
         return json_decode($this->fetchURL($token_endpoint, $post_params, $headers), false);
     }
 
+    /**
+     * Use client basic authentication if supported.
+     *
+     * @param array $headers
+     * @param array $post_data
+     * @throws OpenIDConnectClientException
+     */
+    protected function setOptionalBasicAuthentication(&$headers, &$post_data) {
+        $token_endpoint_auth_methods_supported = $this->getProviderConfigValue('token_endpoint_auth_methods_supported', ['client_secret_basic']);
+
+        if ($this->supportsAuthMethod('client_secret_basic', $token_endpoint_auth_methods_supported)) {
+            $headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret))];
+        } else {
+            $post_data['client_id']     = $this->clientID;
+            $post_data['client_secret'] = $this->clientSecret;
+        }
+    }
 
     /**
      * Requests ID and Access tokens