Add configuration option for OIDC token endpoint authentication method

[alu64]

Add configuration option for OIDC token endpoint authentication method

Problem Description

OpenCloud currently uses client_secret_basic authentication method (hardcoded) when exchanging authorization codes for tokens with external OIDC providers. Some OIDC providers only support client_secret_post authentication, making them incompatible with OpenCloud.

There is no environment variable or configuration option to change this behavior.

Current Behavior

When connecting to an external OIDC provider (e.g., PocketID):

1. OpenCloud initiates OIDC flow successfully
2. User authenticates with provider
3. Provider redirects back with authorization code
4. OpenCloud sends token request using client_secret_basic (Authorization header)
5. Provider returns 400 error: "Client id or secret not provided" (because it expects client_secret_post)
6. Authentication fails

Expected Behavior

OpenCloud should provide a configuration option to specify the token endpoint authentication method:

# Environment variable example
OIDC_TOKEN_ENDPOINT_AUTH_METHOD=client_secret_post

# Or via config file
oidc:
  token_endpoint_auth_method: client_secret_post

Or better yet, auto-detect from provider's .well-known/openid-configuration:

{
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ]
}

Technical Details

OAuth 2.0 defines two standard client authentication methods:

1. client_secret_basic (OpenCloud's current method):

   Authorization: Basic base64(client_id:client_secret)
   

2. client_secret_post (needed for some providers):

   POST body parameters:
   client_id=xxx&client_secret=xxx
   

Impact

This prevents OpenCloud from integrating with OIDC providers that only support client_secret_post:

• PocketID - open source identity provider
• Various other IdPs with strict OAuth 2.0 compliance

Environment

• OpenCloud version: opencloudeu/opencloud-rolling:latest
• Affected services: proxy, web
• External OIDC provider: PocketID (and others)

Steps to Reproduce

1. Configure OpenCloud to use PocketID as external OIDC provider:

   WEB_OIDC_CLIENT_ID=xxx
   WEB_OIDC_CLIENT_SECRET=xxx
   OC_OIDC_ISSUER=https://sso.example.com
   PROXY_OIDC_ISSUER=https://sso.example.com

2. Attempt to login via web interface

3. Complete authentication with PocketID

4. Observe token exchange failure with error: "Client id or secret not provided"

5. Check network logs - credentials sent in Authorization header instead of POST body

Proposed Solution

Option 1: Add configuration variable (quick fix)

OIDC_TOKEN_ENDPOINT_AUTH_METHOD=client_secret_post  # or client_secret_basic (default)

Option 2: Auto-detect from provider (better solution)

1. Read token_endpoint_auth_methods_supported from .well-known/openid-configuration
2. Use provider's preferred method
3. Fall back to client_secret_basic if not specified

Option 3: Support both methods

• Try client_secret_basic first (current behavior)
• If 400/401 error, retry with client_secret_post

Workaround

None available - provider must support client_secret_basic authentication method.

Related Environment Variables

Current OIDC configuration options:

WEB_OIDC_CLIENT_ID
WEB_OIDC_CLIENT_SECRET
OC_OIDC_ISSUER
PROXY_OIDC_ISSUER
OCIS_OIDC_ISSUER
WEB_OIDC_METADATA_URL
WEB_OIDC_AUTHORITY
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD

Missing:

OIDC_TOKEN_ENDPOINT_AUTH_METHOD  # <-- This is needed

References

• OAuth 2.0 Client Authentication: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
• OpenID Connect Client Authentication: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

Additional Context

This is blocking migration from Authentik to PocketID for OpenCloud deployments. Both are excellent products, but this authentication method incompatibility prevents their integration.

[qdeli187]

Hey ! running into your issue helped me setup oidc 😇

I also use PocketID. Here is a quick how to :

On Opencloud env vars :

OC_OIDC_ISSUER: "https://pocketid.example.com"
# discard opencloud oidc
OC_EXCLUDE_RUN_SERVICES: "idp"
# PROXY_OIDC_REWRITE_WELLKNOWN: true -- That gave me issues but i have cors issues on my side
# next two lines map prefered username to username in opencloud
PROXY_USER_OIDC_CLAIM: "preferred_username"
PROXY_USER_CS3_CLAIM: "username"
# this lets pocketid user signup
PROXY_AUTOPROVISION_ACCOUNTS: true
GRAPH_USERNAME_MATCH: none
# just the id
WEB_OIDC_CLIENT_ID: ${WEB_OIDC_CLIENT_ID}

On Pocket ID side:

• create a client , add all the redirections from the docs
• make the client public (with pkce)

I have run on some cors issues but i think they are not related to this

@rhafer I am unsure whether the issue is still relevant if the project will always expect public oidc clients. I reckon the docs could be impoved on the bring your oidc side. Right now it stipulates the id need to be fixed while it does not seem to be the case. If you are ok with this i am willing to make a PR improving oidc docs.

[alu64]

Thanks for sharing this!
I can confirm that this solution resolves the issue. Thanks for the great suggestion and for providing the workaround—it was a huge help.

[qdeli187]

Great News , I'll also put up as simple role binding for admin (but can be mimicked for other roles too) :

On opencloud side , add the following env vars :

# this will look for "opencloudRole" in the jwt to get the role name
PROXY_ROLE_ASSIGNMENT_DRIVER: oidc
PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: opencloudRole

On pocket id :

• create a user group for a role you want
• Add a custom claim (key=opencloudRole value=opencloudRoleValue)

Use the "default mapping" defined here to set the correct value ( claim_value = opencloudRoleValue)

You can create different user groups with different roles based on your needs. Just finished setting up everything on my side this project is awesome and much simpler to setup than other oss competitors in the field

A great thanks to maintainers and contributors for that ! 😍

[alu64]

I was wondering about client compatibility. Have you tried using the OpenCloudDesktop or Android App with Pocket ID authentication?

Would love to hear about your experiences if you've tested these clients.
Thanks again for sharing your setup! 😊

[micbar]

The server #2072 has landed.

That should make it a lot easier.

We still need the 4 client platforms to change, but once that is done and released, it should work with server side discovery of client id and scopes.