Skip to content

OIDC client_secret_basic is broken (with Google SSO) #493

New issue
New issue
Open
Open
OIDC client_secret_basic is broken (with Google SSO)#493
Assignees
tale
Labels
BugSomething isn't workingNeeds TriageIssues yet to be triaged
@s-ol

Description

@s-ol
s-ol
opened on Mar 9, 2026

Description

Also see #457. When using the same OIDC config that works in headscale with headplane, authentication fails

Configuration Issue(s)
Authentication with the SSO provider failed. Please try again later. Headplane logs may provide more information.

[auth] ERROR: Got an OIDC response error body: {"error":"invalid_client","error_description":"The OAuth client was not found."}

Workaround discovered by @alastairyu:

A workaround is to set the param:

oidc:
  token_endpoint_auth_method: "client_secret_post"

The documentation comment for token_endpoint_auth_method reads

The authentication method to use when communicating with the token endpoint.
This is fully optional and Headplane will attempt to auto-detect the best method and fall back to client_secret_basic if unsure.

It seems that the auto-detection is failing and/or that the fallback method client_secret_basic is not working.

Headplane Version

v0.6.2

Headscale Version

v0.28.0

Metadata

Metadata

Assignees

Labels

BugSomething isn't workingNeeds TriageIssues yet to be triaged

Projects

Headplane

Status

Todo

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions