Issues with Google OIDC: The OAuth client was not found

[s-ol]

I have SSO working on headscale v0.28.0 and am trying to set up SSO for headplane 0.6.2b5.

Based on the headplane documentation, I'm trying to reuse the existing OIDC credentials created and tested for headscale. Here's the entire oidc config for headscale:

oidc:
  only_start_if_oidc_is_available: true
  issuer: "https://accounts.google.com"
  client_id: "abcdef.apps.googleusercontent.com"
  client_secret_path: "/var/lib/headscale/client_secret.txt"

  extra_params:
    domain_hint: mydomain-a.it

  allowed_domains:
    - mydomain-a.it
    - mydomain-b.it

and here is the headplane oidc config:

oidc:
  issuer: "https://accounts.google.com"
  headscale_api_key: "<redacted>"
  client_id: "abcdef.apps.googleusercontent.com"
  client_secret_path: "/var/lib/headscale/client_secret.txt"
  extra_params:
    domain_hint: mydomain-a.it

When I try to log in via SSO, I see the following request parameters going into Google's OAuth flow:

The login flow continues as expected with the following returned to the headplane callback:

However next I am redirected to a Headplane login error:

Configuration Issue(s)
Authentication with the SSO provider failed. Please try again later. Headplane logs may provide more information.

The container logs:

[auth] ERROR: Got an OIDC response error body: {"error":"invalid_client","error_description":"The OAuth client was not found."}

I've double checked the client_id passed to the Google OAuth flow and it matches the one displayed in the google cloud configuration and is correct in both config files also. The secret is mounted in a volume at the same location in both containers. What else can I check? I don't really understand what could be wrong at this point. Any help diagnosing this would be appreciated :)

[SamuelGaona]

+1

[alastairyu]

Found a workaround, it looks like for google sso, the authentication method that the function negotiateTokenEndpointAuthMethod uses is ClientSecretBasic. For whatever reason this method isn't supported properly in this authentication flow.

A workaround is to set the param:

oidc:
  token_endpoint_auth_method: "client_secret_post"

which is what openid-client defaults to if you don't set a clientAuthentication function.

Tested on headscale v0.28.0 and headplane v0.6.2

[s-ol]

Thank you @alastairyu! I can confirm this works for me as well.

[s-ol]

Since this seems to be a bug (either regarding the autodetection of auth method to use, or the implmentation of the ClientSecretBasic method) I opened #493 to track the resolution.

@tale I never used the Github discussions feature before so I'm not sure about etiquette here - should this be closed as "resolved" since there is now an issue that tracks the topic? Or should I leave it open (to give visibility) until the issue is resolved?