From 2d7f9e34a69c369306db4a077e67812566d567bf Mon Sep 17 00:00:00 2001
From: Maxime Besson
Date: Wed, 24 Feb 2021 11:43:49 +0100
Subject: [PATCH] OIDC: Return error if multiple client auth used (#2474)

---
 .../lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
index c0d68515c..3685935a2 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
@@ -1374,6 +1374,12 @@ sub getEndPointAuthenticationCredentials {
 split( /:/, decode_base64($1) );
 };
 $self->logger->error("Bad authentication header: $@") if ($@);
+
+ # Using multiple methods is an error
+ if ($req->param('client_id')) {
+ $self->logger->error("Multiple client authentication methods used");
+ ( $client_id, $client_secret ) = (undef, undef);
+ }
 }
 elsif ( $req->param('client_id') and $req->param('client_secret') ) {
 $self->logger->debug("Method client_secret_post used");
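Review bot: The added check in the Basic-header branch only clears `$client_id`/`$client_secret`, so if the rest of getEndPointAuthenticationCredentials (it ends outside this hunk) simply returns those two values, the caller cannot distinguish "two authentication methods were mixed" from "no credentials were presented", and the RFC 6749 §2.3 rejection this commit intends is only visible in the log. Consider returning an explicit failure from this branch, or documenting in a comment that callers are expected to treat an undef pair after an error log as a rejected request. The detection itself is also narrower than the `elsif` just below it: it tests only the truthiness of `client_id`, so a body containing `client_id=` with an empty value, or `client_secret` alone alongside the header, is not caught; `if ( defined $req->param('client_id') or defined $req->param('client_secret') ) {` would match the spec wording "more than one authentication method". Finally, the check runs even after the header failed to parse (`$@` set), which logs two errors for one request; guarding with `unless ($@)` or ordering the checks would keep the log unambiguous.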