test added

server/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/PasswordGrantAuthenticationManager.java

@@ -137,7 +137,7 @@ Authentication oidcPasswordGrant(Authentication authentication, OIDCIdentityProv
         if (clientSecret == null && config.getJwtClientAuthentication() == null && config.getAuthMethod() == null) {
             throw new ProviderConfigurationException("External OpenID Connect provider configuration is missing relyingPartySecret, jwtclientAuthentication or authMethod.");
         }
-        String calcAuthMethod = ClientAuthentication.getCalculatedMethod(config.getAuthMethod(), config.getRelyingPartySecret() != null, config.getJwtClientAuthentication() != null);
+        String calcAuthMethod = ClientAuthentication.getCalculatedMethod(config.getAuthMethod(), clientSecret != null, config.getJwtClientAuthentication() != null);
         String userName = authentication.getPrincipal() instanceof String ? (String)authentication.getPrincipal() : null;
         if (userName == null || authentication.getCredentials() == null || !(authentication.getCredentials() instanceof String)) {
             throw new BadCredentialsException("Request is missing username or password.");

server/src/test/java/org/cloudfoundry/identity/uaa/authentication/manager/PasswordGrantAuthenticationManagerTest.java

@@ -51,6 +51,8 @@
 import org.springframework.web.client.HttpClientErrorException;
 import org.springframework.web.client.RestTemplate;
 
+import java.net.MalformedURLException;
+import java.net.URI;
 import java.net.URL;
 import java.text.ParseException;
 import java.util.ArrayList;
@@ -876,6 +878,23 @@ void oidcPasswordGrant_credentialsMustBeString() {
         assertThrows(BadCredentialsException.class, () -> instance.oidcPasswordGrant(authentication, config));
     }
 
+    @Test
+    void oidcPasswordGrant_credentialsMustBeStringButNoSecretNeeded() throws MalformedURLException {
+        RestTemplate restTemplate = mock(RestTemplate.class);
+        ResponseEntity responseEntity = mock(ResponseEntity.class);
+        UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken("user", "");
+        OIDCIdentityProviderDefinition config = new OIDCIdentityProviderDefinition()
+            .setRelyingPartyId("client-id").setTokenUrl(URI.create("http://localhost:8080/uaa/oauth/token").toURL());
+        config.setAuthMethod("none");
+        OIDCIdentityProviderDefinition spyConfig = spy(config);
+        when(restTemplateConfig.nonTrustingRestTemplate()).thenReturn(restTemplate);
+        when(restTemplate.exchange(anyString(), any(HttpMethod.class), any(HttpEntity.class), any(ParameterizedTypeReference.class))).thenReturn(responseEntity);
+        when(responseEntity.hasBody()).thenReturn(true);
+        when(responseEntity.getBody()).thenReturn(Map.of("id_token", "dummy"));
+        assertNull(instance.oidcPasswordGrant(authentication, spyConfig));
+        verify(spyConfig, atLeast(2)).getAuthMethod();
+    }
+
     @Test
     void oidcPasswordGrant_requireAuthenticationStatement() {
         UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken("user", new Object());

server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/OauthIdentityProviderDefinitionFactoryBeanTest.java

@@ -285,7 +285,7 @@ public void testAuthMethodSetInvalidValue() {
 
     @Test
     public void testAuthMethodSet() {
-        // given: 2 similar entry because of issue #2752
+        // given: jwtclientAuthentication, but overrule it with authMethod=none
         idpDefinitionMap.put("jwtclientAuthentication", true);
         idpDefinitionMap.put("authMethod", "none");
         idpDefinitionMap.put("type", OriginKeys.OIDC10);