feat(oidc-auth): support empty OIDC client secret

tarasglek · tarasglek · commit f9a59298f543 · 2025-04-17T09:34:34.000+03:00
diff --git a/.changeset/every-pugs-wave.md b/.changeset/every-pugs-wave.md
@@ -0,0 +1,5 @@
+---
+'@hono/oidc-auth': major
+---
+
+Support empty OIDC_CLIENT_SECRET
diff --git a/packages/oidc-auth/src/index.ts b/packages/oidc-auth/src/index.ts
@@ -113,6 +113,7 @@ const setOidcAuthEnv = (c: Context, config?: Partial<OidcAuthEnv>) => {
   if (oidcAuthEnv.OIDC_CLIENT_SECRET === undefined) {
     throw new HTTPException(500, { message: 'OIDC client secret is not provided' })
   }
+  // Allow empty string as valid client secret
   oidcAuthEnv.OIDC_REDIRECT_URI = oidcAuthEnv.OIDC_REDIRECT_URI ?? defaultOidcRedirectUri
   if (!oidcAuthEnv.OIDC_REDIRECT_URI.startsWith('/')) {
     try {
@@ -167,11 +168,18 @@ export const getClient = (c: Context): oauth2.Client => {
   const env = getOidcAuthEnv(c)
   let client = c.get('oidcClient')
   if (client === undefined) {
-    client = {
-      client_id: env.OIDC_CLIENT_ID,
-      client_secret: env.OIDC_CLIENT_SECRET,
-      token_endpoint_auth_method: 'client_secret_basic',
-    }
+    client =
+      env.OIDC_CLIENT_SECRET === ''
+        ? {
+            // No client secret provided, use 'none' auth method
+            client_id: env.OIDC_CLIENT_ID,
+            token_endpoint_auth_method: 'none',
+          }
+        : {
+            client_id: env.OIDC_CLIENT_ID,
+            client_secret: env.OIDC_CLIENT_SECRET,
+            token_endpoint_auth_method: 'client_secret_basic',
+          }
     c.set('oidcClient', client)
   }
   return client

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@hono/oidc-auth': major
 +---
++
 +Support empty OIDC_CLIENT_SECRET