From 874de3686d5e713f59d1cab1f604b9bd7275eea0 Mon Sep 17 00:00:00 2001
From: Emelia Smith <ThisIsMissEm@users.noreply.github.com>
Date: Wed, 16 Apr 2025 23:22:58 +0200
Subject: [PATCH] Implement helper method to retrieve
 token_endpoint_auth_methods for OAuth Authorization Server Metadata

---
 lib/doorkeeper/config.rb | 10 ++++++++
 spec/lib/config_spec.rb  | 49 ++++++++++++++++++++++++++++++++++++++--
 2 files changed, 57 insertions(+), 2 deletions(-)

diff --git a/lib/doorkeeper/config.rb b/lib/doorkeeper/config.rb
index c464f1803..1572bc48c 100644
--- a/lib/doorkeeper/config.rb
+++ b/lib/doorkeeper/config.rb
@@ -583,6 +583,16 @@ def client_credentials_methods
       @client_credentials_methods ||= %i[from_basic from_params]
     end
 
+    def token_endpoint_auth_methods
+      return @token_endpoint_auth_methods if instance_variable_defined?(:@token_endpoint_auth_methods)
+
+      methods = ['none']
+      methods << 'client_secret_basic' if client_credentials_methods.include? :from_basic
+      methods << 'client_secret_post' if client_credentials_methods.include? :from_params
+
+      @token_endpoint_auth_methods = methods
+    end
+
     def access_token_methods
       @access_token_methods ||= %i[
         from_bearer_authorization
diff --git a/spec/lib/config_spec.rb b/spec/lib/config_spec.rb
index 83970ec89..f16e22acf 100644
--- a/spec/lib/config_spec.rb
+++ b/spec/lib/config_spec.rb
@@ -287,11 +287,56 @@
     it "can change the value" do
       Doorkeeper.configure do
         orm DOORKEEPER_ORM
-        client_credentials :from_digest, :from_params
+        client_credentials :from_basic
       end
 
       expect(config.client_credentials_methods)
-        .to eq(%i[from_digest from_params])
+        .to eq(%i[from_basic])
+    end
+  end
+
+  # Returns token endpoint auth methods based on client_credentials per
+  # https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method
+  describe 'token_endpoint_auth_methods' do
+    it 'returns methods according to defaults' do
+      expect(config.client_credentials_methods).to eq(%i[from_basic from_params])
+      expect(config.token_endpoint_auth_methods).to contain_exactly('none', 'client_secret_post', 'client_secret_basic')
+    end
+
+    it "returns none even if no methods are configured" do
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+        client_credentials
+      end
+
+      expect(config.client_credentials_methods)
+        .to eq([])
+
+      expect(config.token_endpoint_auth_methods).to contain_exactly('none')
+    end
+
+    it 'returns client_secret_post if configured' do
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+        client_credentials :from_params
+      end
+
+      expect(config.client_credentials_methods)
+        .to eq(%i[from_params])
+
+      expect(config.token_endpoint_auth_methods).to contain_exactly('none', 'client_secret_post')
+    end
+
+    it 'returns client_secret_basic if configured' do
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+        client_credentials :from_basic
+      end
+
+      expect(config.client_credentials_methods)
+        .to eq(%i[from_basic])
+
+      expect(config.token_endpoint_auth_methods).to contain_exactly('none', 'client_secret_basic')
     end
   end