DuendeSoftware · twenzel · Nov 29, 2024
diff --git a/access-token-management/src/AccessTokenManagement/ClientCredentialsClient.cs b/access-token-management/src/AccessTokenManagement/ClientCredentialsClient.cs
@@ -14,12 +14,12 @@ public class ClientCredentialsClient
     /// The address of the token endpoint
     /// </summary>
     public string? TokenEndpoint { get; set; }
-    
+
     /// <summary>
     /// The client ID 
     /// </summary>
     public string? ClientId { get; set; }
-    
+
     /// <summary>
     /// The static (shared) client secret
     /// </summary>
@@ -30,11 +30,19 @@ public class ClientCredentialsClient
     /// </summary>
     public ClientCredentialStyle ClientCredentialStyle { get; set; }
 
+    /// <summary>
+    /// Gets or sets the basic authentication header style (classic HTTP vs OAuth 2).
+    /// </summary>
+    /// <value>
+    /// The basic authentication header style.
+    /// </value>
+    public BasicAuthenticationHeaderStyle AuthorizationHeaderStyle { get; set; } = BasicAuthenticationHeaderStyle.Rfc6749;
+
     /// <summary>
     /// The scope
     /// </summary>
     public string? Scope { get; set; }
-    
+
     /// <summary>
     /// The resource
     /// </summary>
@@ -49,7 +57,7 @@ public class ClientCredentialsClient
     /// Additional parameters to send with token requests.
     /// </summary>
     public Parameters Parameters { get; set; } = new Parameters();
-    
+
     /// <summary>
     /// The HTTP client instance to use for the back-channel operations, will override the HTTP client name if set
     /// </summary>

diff --git a/access-token-management/src/AccessTokenManagement/ClientCredentialsTokenEndpointService.cs b/access-token-management/src/AccessTokenManagement/ClientCredentialsTokenEndpointService.cs
@@ -69,17 +69,18 @@ public virtual async Task<ClientCredentialsToken> RequestToken(
             ClientId = client.ClientId,
             ClientSecret = client.ClientSecret,
             ClientCredentialStyle = client.ClientCredentialStyle,
+            AuthorizationHeaderStyle = client.AuthorizationHeaderStyle
         };
 
         request.Parameters.AddRange(client.Parameters);
-        
+
         parameters ??= new TokenRequestParameters();
-        
+
         if (!string.IsNullOrWhiteSpace(parameters.Scope))
         {
             request.Scope = parameters.Scope;
         }
-        
+
         if (!string.IsNullOrWhiteSpace(parameters.Resource))
         {
             request.Resource.Clear();
@@ -103,14 +104,14 @@ public virtual async Task<ClientCredentialsToken> RequestToken(
         else
         {
             var assertion = await _clientAssertionService.GetClientAssertionAsync(clientName).ConfigureAwait(false);
-                
+
             if (assertion != null)
             {
                 request.ClientAssertion = assertion;
                 request.ClientCredentialStyle = ClientCredentialStyle.PostBody;
             }
         }
-        
+
         request.Options.TryAdd(ClientCredentialsTokenManagementDefaults.TokenRequestParametersOptionsName, parameters);
 
         var key = await _dPoPKeyMaterialService.GetKeyAsync(clientName);
@@ -134,19 +135,19 @@ public virtual async Task<ClientCredentialsToken> RequestToken(
         }
         else if (!string.IsNullOrWhiteSpace(client.HttpClientName))
         {
-            httpClient = _httpClientFactory.CreateClient(client.HttpClientName);    
+            httpClient = _httpClientFactory.CreateClient(client.HttpClientName);
         }
         else
         {
-            httpClient = _httpClientFactory.CreateClient(ClientCredentialsTokenManagementDefaults.BackChannelHttpClientName);    
+            httpClient = _httpClientFactory.CreateClient(ClientCredentialsTokenManagementDefaults.BackChannelHttpClientName);
         }
-        
+
         _logger.LogDebug("Requesting client credentials access token at endpoint: {endpoint}", request.Address);
         var response = await httpClient.RequestClientCredentialsTokenAsync(request, cancellationToken).ConfigureAwait(false);
 
-        if (response.IsError && 
-            (response.Error == OidcConstants.TokenErrors.UseDPoPNonce || response.Error == OidcConstants.TokenErrors.InvalidDPoPProof) && 
-            key != null && 
+        if (response.IsError &&
+            (response.Error == OidcConstants.TokenErrors.UseDPoPNonce || response.Error == OidcConstants.TokenErrors.InvalidDPoPProof) &&
+            key != null &&
             response.DPoPNonce != null)
         {
             _logger.LogDebug("Token request failed with DPoP nonce error. Retrying with new nonce.");
@@ -173,7 +174,7 @@ public virtual async Task<ClientCredentialsToken> RequestToken(
                 Error = response.Error
             };
         }
-        
+
         return new ClientCredentialsToken
         {
             AccessToken = response.AccessToken,