Using a relying party client with JWTProfile configured as the client authentication, code exchange requests include both client_assertion=<jwt payload> form value and one of Authorization: Basic <id:secret> header or client_id=<id>&client_secret=<secret> form values.
To reproduce
Create a relying party with the WithJWTProfile option, attempt a token exchange, inspect the request headers/body.
Screenshots
No response
Expected behavior
Support the JWT Profile OIDC client authentication without overlapping with additional client authentication methods.
Additional Context
By the look of things, this is a result of the golang.org/x/oauth2 library forcing client basic or client post authentication without allowing for client assertion approaches.
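The overlap reported above can be checked mechanically. RFC 6749 section 2.3 states that a client must not use more than one authentication method in a request. The following Go check is an added example, not part of the original issue or the project's code. It lists the client authentication mechanisms carried by a code-exchange request; the function names, endpoint, client ID and secret are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// clientAuthMethods lists every client authentication mechanism present in a
// token request: HTTP Basic, client_secret in the body, or a client_assertion.
func clientAuthMethods(r *http.Request) ([]string, error) {
	if err := r.ParseForm(); err != nil {
		return nil, err
	}
	var found []string
	if _, _, ok := r.BasicAuth(); ok {
		found = append(found, "client_secret_basic")
	}
	if r.PostForm.Get("client_secret") != "" {
		found = append(found, "client_secret_post")
	}
	if r.PostForm.Get("client_assertion") != "" {
		found = append(found, "client_assertion")
	}
	return found, nil
}

// newTokenRequest builds a constructed code-exchange request for the demo.
// The endpoint, client ID and secret are placeholders, not real values.
func newTokenRequest(form url.Values, basicAuth bool) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "https://op.example/oauth/token",
		strings.NewReader(form.Encode()))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if basicAuth {
		r.SetBasicAuth("example-client", "example-secret")
	}
	return r
}

func main() {
	jwt := url.Values{"client_assertion": {"<jwt payload>"}}
	post := url.Values{"client_assertion": {"<jwt payload>"}, "client_secret": {"example-secret"}}
	// Constructed cases: assertion only, assertion + Basic, assertion + post.
	for _, r := range []*http.Request{newTokenRequest(jwt, false),
		newTokenRequest(jwt, true), newTokenRequest(post, false)} {
		m, _ := clientAuthMethods(r)
		fmt.Printf("%v overlapping=%t\n", m, len(m) > 1)
	}
}
```

A result with more than one entry is the condition this issue describes: the assertion is sent alongside a shared-secret credential.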
It seems indeed golang.org/x/oauth2 does that and we don't have much control over it. I also went through the code to see if there is a way around, but found none. You should create an issue upstream.
Version
v2.11.0