feat(oidc-auth): support empty OIDC client secret

.changeset/every-pugs-wave.md

@@ -0,0 +1,5 @@
+---
+'@hono/oidc-auth': minor
+---
+
+Support empty OIDC_CLIENT_SECRET

packages/oidc-auth/src/index.ts

@@ -117,7 +117,7 @@
   if (!oidcAuthEnv.OIDC_REDIRECT_URI.startsWith('/')) {
     try {
       new URL(oidcAuthEnv.OIDC_REDIRECT_URI)
     } catch (e) {
       throw new HTTPException(500, {
         message: 'The OIDC redirect URI is invalid. It must be a full URL or an absolute path',
       })
@@ -167,11 +167,18 @@
   const env = getOidcAuthEnv(c)
   let client = c.get('oidcClient')
   if (client === undefined) {
-    client = {
-      client_id: env.OIDC_CLIENT_ID,
-      client_secret: env.OIDC_CLIENT_SECRET,
-      token_endpoint_auth_method: 'client_secret_basic',
-    }
+    client =
+      env.OIDC_CLIENT_SECRET === ''
+        ? {
+            // No client secret provided, use 'none' auth method
+            client_id: env.OIDC_CLIENT_ID,
+            token_endpoint_auth_method: 'none',
+          }
+        : {
+            client_id: env.OIDC_CLIENT_ID,
+            client_secret: env.OIDC_CLIENT_SECRET,
+            token_endpoint_auth_method: 'client_secret_basic',
+          }
     c.set('oidcClient', client)
   }
   return client
@@ -191,7 +198,7 @@
     }
     try {
       auth = (await verify(session_jwt, env.OIDC_AUTH_SECRET)) as OidcAuth
     } catch (e) {
       deleteCookie(c, env.OIDC_COOKIE_NAME, { path: env.OIDC_COOKIE_PATH })
       return null
     }
@@ -463,7 +470,7 @@
         setCookie(c, 'continue', c.req.url, cookieOptions)
         return c.redirect(url)
       }
     } catch (e) {
       deleteCookie(c, env.OIDC_COOKIE_NAME, { path: env.OIDC_COOKIE_PATH })
       throw new HTTPException(500, { message: 'Invalid session' })
     }