omniauth · dominikklein · Feb 13, 2025 · Feb 13, 2025
diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
@@ -282,6 +282,13 @@ def access_token
 
         token_request_params[:code_verifier] = params['code_verifier'] || session.delete('omniauth.pkce.verifier') if options.pkce
 
+        if configured_response_type == 'code'
+          token_request_params[:grant_type] = :authorization_code
+          token_request_params[:code] = authorization_code
+          token_request_params[:redirect_uri] = redirect_uri
+          token_request_params[:client_id] = client_options.identifier
+        end
+
         @access_token = client.access_token!(token_request_params)
         verify_id_token!(@access_token.id_token) if configured_response_type == 'code'
 

diff --git a/test/lib/omniauth/strategies/openid_connect_test.rb b/test/lib/omniauth/strategies/openid_connect_test.rb
@@ -852,10 +852,12 @@ def test_dynamic_state
 
       def test_option_client_auth_method
         state = SecureRandom.hex(16)
+        code = SecureRandom.hex(16)
 
         opts = strategy.options.client_options
         opts[:host] = 'foobar.com'
         strategy.options.issuer = 'foobar.com'
+        strategy.options.client_options.redirect_uri = 'https://mysite.com/callback'
         strategy.options.client_auth_method = :not_basic
         strategy.options.client_signing_alg = :RS256
         strategy.options.client_jwk_signing_key = jwks.to_json
@@ -867,14 +869,22 @@ def test_option_client_auth_method
         }
 
         request.stubs(:path).returns('')
+        request.stubs(:params).returns('code' => code, 'state' => state)
         strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
 
         id_token = stub('OpenIDConnect::ResponseObject::IdToken')
         id_token.stubs(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, nonce: nonce).returns(true)
         ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
 
         url = "#{ opts.scheme }://#{ opts.host }:#{ opts.port }#{ opts.token_endpoint }"
-        body = { scope: 'openid', grant_type: 'client_credentials', client_id: @identifier, client_secret: @secret }
+        body = {
+          scope: 'openid',
+          grant_type: 'authorization_code',
+          client_id: @identifier,
+          client_secret: @secret,
+          redirect_uri: 'https://mysite.com/callback',
+          code: code,
+        }
 
         stub_request(:post, url).with(body: body).to_return(
           body: json_response.to_json,