Version: Docker image oryd/hydra:v1.0.0-rc.6_oryOS.10
This will cause issues with clients that rely on the basic auth header vs posting the client_id in the body. Those clients will attempt to post with a valid username:null_password combo, which hydra then denies (depending on configuration) because either…
a) the client is only allowed to use “none” for token_endpoint_auth_method
b) the bcrypt password appears to be generated, and isn’t actually a blank password.
The only actual work-around I’ve been able to do for this is to manually update the bcrypt value to one thats actually a null password, but manually updating the DB for something like this won’t scale, and becomes a massive headache.
I figured I’d post here because this could be considered a bug, but I’d like some insight into the thought process behind forcing the client_id into the body.