Follow .well-known/openid-configuration -> token_endpoint_auth_methods_supported

[TheOneRing]

At the moment we send the client id and secret as a basic auth header as well as a post parameter.

We should read the token_endpoint_auth_methods_supported field of the well-known endpoint and only use one.
"client_secret_basic",
"client_secret_post",

Else "Active Directory Federation Service" will respond with Error when getting the accessToken "Fehler vom Server zurückgegeben: <em>MSIS9631: Received invalid OAuth request. Multiple client authentication methods were attempted.</em>"

[butonic]

I'd prefer checking if client_secret_basic is supported and fall back to client_secret_post if not. Aside from client_secret_jwt ... dunno when that is used.

looking at what a bank has to say https://directory.openbanking.org.uk/obieservicedesk/s/article/Can-you-explain-the-different-Token-endpoint-authentication-methods-And-they-preferred-secure-method I'd go with client_secret_basic first.

[dj4oC]

Test result:
Client shows "Fertiggestellt" and "Failed to look up instances: Die Benutzerinformationen konnten nicht abgerufen werden."
If you click on "Abgeschlossen" client is working fine.

However: if you close the client and reopen it, you need to login again: "Der Benutzer LGTE, @.apps.-dev01..**.de ist ausgeloggt. Bitte über den Browser authentifizieren.

Logs are available, please ping me