OIDC Authentik not working (Internal Server Error - OAUTH_INVALID_RESPONSE)

[rudstone]

Description

I have trouble to working my OIDC configuration with Authentik provider.

Now, when I try to login in WebAdmin, I have an error during OIDC callback:

{
  "code": 500,
  "error": {
    "name": "Internal Server Error",
    "description": "An unknown error occurred"
  }
}

Container logs (OAUTH_INVALID_RESPONSE) :

d35dff16236d 2026-02-02T14:33:37.824Z [auth] ERROR: Unknown error: ClientError: invalid response encountered
d35dff16236d     at e (file:///app/node_modules/.pnpm/openid-client@6.7.0/node_modules/openid-client/build/index.js:116:12)
d35dff16236d     at errorHandler (file:///app/node_modules/.pnpm/openid-client@6.7.0/node_modules/openid-client/build/index.js:139:23)
d35dff16236d     at Module.authorizationCodeGrant (file:///app/node_modules/.pnpm/openid-client@6.7.0/node_modules/openid-client/build/index.js:953:9)
d35dff16236d     at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
d35dff16236d     at async finishAuthFlow (file:///app/build/server/assets/server-build.js:611:17)
d35dff16236d     at async loader$14 (file:///app/build/server/assets/server-build.js:715:14)
d35dff16236d     at async callRouteHandler (file:///app/node_modules/.pnpm/react-router@7.8.1_react-dom@19.1.1_react@19.1.1__react@19.1.1/node_modules/react-router/dist/development/chunk-IFMMFE4R.mjs:509:16)
d35dff16236d     at async commonRoute.loader (file:///app/node_modules/.pnpm/react-router@7.8.1_react-dom@19.1.1_react@19.1.1__react@19.1.1/node_modules/react-router/dist/development/chunk-IFMMFE4R.mjs:658:19)
d35dff16236d     at async file:///app/node_modules/.pnpm/react-router@7.8.1_react-dom@19.1.1_react@19.1.1__react@19.1.1/node_modules/react-router/dist/development/chunk-UH6JLGW7.mjs:4327:19
d35dff16236d     at async callLoaderOrAction (file:///app/node_modules/.pnpm/react-router@7.8.1_react-dom@19.1.1_react@19.1.1__react@19.1.1/node_modules/react-router/dist/development/chunk-UH6JLGW7.mjs:4379:16) {
d35dff16236d   code: 'OAUTH_INVALID_RESPONSE',
d35dff16236d   [cause]: [OperationProcessingError]
d35dff16236d }

Here is my headplane/config.yaml file :

oidc:
  issuer: "https://sso.example.tld/application/o/headscale/"
  client_id: "XXXXXXXXXXXXXX"
  client_secret: "XXXXXXXXXXXXXX"
  headscale_api_key: "XXXXXXXXXXXXXX"
  disable_api_key_login: true
  token_endpoint_auth_method: client_secret_basic

Headplane Version

0.6.1

Headscale Version

v0.27.1

[mileyceberus]

You need to

1. review your Authentik's log (Admin Interface > Events > Logs).
2. triple check your headscale configurations against the integration guide.
3. confirm that your Authentik's ssl cert is trusted (if using private cert).
4. disable encryption in your headscale provider config (if it's set).

Good luck.

[dennisbaremans-cmyk]

I have the same setup, which is working.
Only differences in oidc:
token_endpoint_auth_method: "client_secret_post"
use_pkce: true

Most likely the missing use_pkce: true is the issue.

[tale]

This appears to be a configuration issue rather than a bug — the comments confirm that setting use_pkce: true and token_endpoint_auth_method: client_secret_post resolves it for Authentik. Converting this to a discussion for community reference.