Derive token_endpoint_auth_methods_supported from Doorkeeper client_credentials config

Copilot · nbulaj · nbulaj · commit 8f9e6a9e0ff8 · 2026-03-15T10:40:51.000+03:00
Co-authored-by: nbulaj &lt;1443426+nbulaj@users.noreply.github.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,5 @@
 /.bundle
+/vendor/bundle
 /Gemfile.lock
 /spec/dummy/db/*.sqlite3*
 /spec/dummy/db/migrate/*doorkeeper_openid_connect*
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 - [#230] Add dynamic client registration
 - [#233] fix: handle DoubleRenderError in library instead of requiring consumer workaround
 - [#232] Implements customizable OpenID request class
+- [#236] Derive token_endpoint_auth_methods_supported from Doorkeeper's client_credentials config
 
 ## v1.8.11 (2025-02-10)
 
diff --git a/app/controllers/doorkeeper/openid_connect/discovery_controller.rb b/app/controllers/doorkeeper/openid_connect/discovery_controller.rb
@@ -47,7 +47,7 @@ def provider_response
           # TODO: look into doorkeeper-jwt_assertion for these
           #  'client_secret_jwt',
           #  'private_key_jwt'
-          token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post],
+          token_endpoint_auth_methods_supported: token_endpoint_auth_methods_supported(doorkeeper),
 
           subject_types_supported: openid_connect.subject_types_supported,
 
@@ -79,6 +79,11 @@ def response_modes_supported(doorkeeper)
         doorkeeper.authorization_response_flows.flat_map(&:response_mode_matches).uniq
       end
 
+      def token_endpoint_auth_methods_supported(doorkeeper)
+        mapping = { from_basic: 'client_secret_basic', from_params: 'client_secret_post' }
+        doorkeeper.client_credentials_methods.filter_map { |method| mapping[method] }
+      end
+
       def code_challenge_methods_supported(doorkeeper)
         return unless doorkeeper.access_grant_model.pkce_supported?
 
diff --git a/spec/controllers/discovery_controller_spec.rb b/spec/controllers/discovery_controller_spec.rb
@@ -158,6 +158,39 @@
       end
     end
 
+    context 'when client_credentials is configured with only from_basic' do
+      before { Doorkeeper.configure { client_credentials :from_basic } }
+
+      it 'returns only client_secret_basic in token_endpoint_auth_methods_supported' do
+        get :provider
+        data = JSON.parse(response.body)
+
+        expect(data['token_endpoint_auth_methods_supported']).to eq %w[client_secret_basic]
+      end
+    end
+
+    context 'when client_credentials is configured with only from_params' do
+      before { Doorkeeper.configure { client_credentials :from_params } }
+
+      it 'returns only client_secret_post in token_endpoint_auth_methods_supported' do
+        get :provider
+        data = JSON.parse(response.body)
+
+        expect(data['token_endpoint_auth_methods_supported']).to eq %w[client_secret_post]
+      end
+    end
+
+    context 'when client_credentials is configured with both from_basic and from_params' do
+      before { Doorkeeper.configure { client_credentials :from_basic, :from_params } }
+
+      it 'returns both client_secret_basic and client_secret_post in token_endpoint_auth_methods_supported' do
+        get :provider
+        data = JSON.parse(response.body)
+
+        expect(data['token_endpoint_auth_methods_supported']).to eq %w[client_secret_basic client_secret_post]
+      end
+    end
+
     context 'when grant_flows is configed with authorization_code and implicit flow' do
       before { Doorkeeper.configure { grant_flows %w[authorization_code implicit_oidc] } }
 

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`/.bundle`
	`2`	`+/vendor/bundle`
`2`	`3`	`/Gemfile.lock`
`3`	`4`	`/spec/dummy/db/.sqlite3`
`4`	`5`	`/spec/dummy/db/migrate/doorkeeper_openid_connect`