From 7eee61b80870754aecef5de43c0ea1afe0117968 Mon Sep 17 00:00:00 2001
From: Taras Glek <taras@glek.net>
Date: Thu, 17 Apr 2025 09:36:17 +0300
Subject: [PATCH] feat(oidc-auth): support empty OIDC client secret

---
 .changeset/every-pugs-wave.md   |  5 +++++
 packages/oidc-auth/src/index.ts | 17 ++++++++++++-----
 2 files changed, 17 insertions(+), 5 deletions(-)
 create mode 100644 .changeset/every-pugs-wave.md

diff --git a/.changeset/every-pugs-wave.md b/.changeset/every-pugs-wave.md
new file mode 100644
index 00000000..c21589d1
--- /dev/null
+++ b/.changeset/every-pugs-wave.md
@@ -0,0 +1,5 @@
+---
+'@hono/oidc-auth': major
+---
+
+Support empty OIDC_CLIENT_SECRET
diff --git a/packages/oidc-auth/src/index.ts b/packages/oidc-auth/src/index.ts
index 4975a008..3874519b 100644
--- a/packages/oidc-auth/src/index.ts
+++ b/packages/oidc-auth/src/index.ts
@@ -167,11 +167,18 @@ export const getClient = (c: Context): oauth2.Client => {
   const env = getOidcAuthEnv(c)
   let client = c.get('oidcClient')
   if (client === undefined) {
-    client = {
-      client_id: env.OIDC_CLIENT_ID,
-      client_secret: env.OIDC_CLIENT_SECRET,
-      token_endpoint_auth_method: 'client_secret_basic',
-    }
+    client =
+      env.OIDC_CLIENT_SECRET === ''
+        ? {
+            // No client secret provided, use 'none' auth method
+            client_id: env.OIDC_CLIENT_ID,
+            token_endpoint_auth_method: 'none',
+          }
+        : {
+            client_id: env.OIDC_CLIENT_ID,
+            client_secret: env.OIDC_CLIENT_SECRET,
+            token_endpoint_auth_method: 'client_secret_basic',
+          }
     c.set('oidcClient', client)
   }
   return client