Add configuration option for OIDC token endpoint authentication method #2345

@alu64

Description

Problem Description

OpenCloud currently uses the client_secret_basic authentication method (hardcoded) when exchanging authorization codes for tokens with external OIDC providers. Some OIDC providers only support client_secret_post authentication, which makes them incompatible with OpenCloud.

There is no environment variable or configuration option to change this behavior.

Current Behavior

When connecting to an external OIDC provider (e.g., PocketID):

  1. OpenCloud initiates OIDC flow successfully
  2. User authenticates with provider
  3. Provider redirects back with authorization code
  4. OpenCloud sends token request using client_secret_basic (Authorization header)
  5. Provider returns 400 error: "Client id or secret not provided" (because it expects client_secret_post)
  6. Authentication fails

Expected Behavior

OpenCloud should provide a configuration option to specify the token endpoint authentication method:

# Environment variable example
OIDC_TOKEN_ENDPOINT_AUTH_METHOD=client_secret_post

# Or via config file
oidc:
  token_endpoint_auth_method: client_secret_post

Or better yet, auto-detect from provider's .well-known/openid-configuration:

{
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ]
}

Technical Details

OAuth 2.0 defines two standard client authentication methods:

  1. client_secret_basic (OpenCloud's current method):

    Authorization: Basic base64(client_id:client_secret)

  2. client_secret_post (needed for some providers):

    POST body parameters:
    client_id=xxx&client_secret=xxx

Impact

This prevents OpenCloud from integrating with OIDC providers that only support client_secret_post:

  • PocketID - open source identity provider
  • Various other IdPs with strict OAuth 2.0 compliance

Environment

  • OpenCloud version: opencloudeu/opencloud-rolling:latest
  • Affected services: proxy, web
  • External OIDC provider: PocketID (and others)

Steps to Reproduce

  1. Configure OpenCloud to use PocketID as external OIDC provider:

    WEB_OIDC_CLIENT_ID=xxx
    WEB_OIDC_CLIENT_SECRET=xxx
    OC_OIDC_ISSUER=https://sso.example.com
    PROXY_OIDC_ISSUER=https://sso.example.com

  2. Attempt to log in via the web interface

  3. Complete authentication with PocketID

  4. Observe token exchange failure with error: "Client id or secret not provided"

  5. Check network logs: credentials are sent in the Authorization header instead of the POST body

Proposed Solution

Option 1: Add configuration variable (quick fix)

OIDC_TOKEN_ENDPOINT_AUTH_METHOD=client_secret_post  # or client_secret_basic (default)

Option 2: Auto-detect from provider (better solution)

  1. Read token_endpoint_auth_methods_supported from .well-known/openid-configuration
  2. Use provider's preferred method
  3. Fall back to client_secret_basic if not specified
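Added example, not OpenCloud's own code, written in Go because OpenCloud is a Go project: it implements the Option 2 precedence (explicit setting, then the provider's advertised methods, then client_secret_basic) and builds the two wire shapes from the Technical Details section. The names SelectAuthMethod, BuildTokenRequest and TokenRequest, and the sample client credentials, are assumptions made for this example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
)

// TokenRequest is the wire shape of the code exchange, independent of the HTTP client.
type TokenRequest struct {
	Headers map[string]string
	Body    string // application/x-www-form-urlencoded
}

// SelectAuthMethod implements the proposed precedence: an explicit setting wins; else the
// first method the provider advertises that we implement; else client_secret_basic (OAuth 2.0 default).
func SelectAuthMethod(configured string, supported []string) (string, error) {
	switch configured {
	case "client_secret_basic", "client_secret_post":
		return configured, nil
	case "":
	default:
		return "", fmt.Errorf("unsupported token_endpoint_auth_method %q", configured)
	}
	for _, m := range supported {
		if m == "client_secret_basic" || m == "client_secret_post" {
			return m, nil
		}
	}
	return "client_secret_basic", nil
}

// BuildTokenRequest puts the credentials where the method expects them: Authorization header
// (basic; id and secret form-urlencoded before base64, RFC 6749 section 2.3.1) or form body (post).
func BuildTokenRequest(method, clientID, clientSecret, code, redirectURI string) (TokenRequest, error) {
	form := url.Values{"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {redirectURI}}
	req := TokenRequest{Headers: map[string]string{"Content-Type": "application/x-www-form-urlencoded"}}
	switch method {
	case "client_secret_post":
		form.Set("client_id", clientID)
		form.Set("client_secret", clientSecret)
	case "client_secret_basic":
		cred := url.QueryEscape(clientID) + ":" + url.QueryEscape(clientSecret)
		req.Headers["Authorization"] = "Basic " + base64.StdEncoding.EncodeToString([]byte(cred))
	default:
		return TokenRequest{}, fmt.Errorf("unsupported token_endpoint_auth_method %q", method)
	}
	req.Body = form.Encode()
	return req, nil
}
```

Rejecting an unrecognised configured value, rather than silently falling back to basic, keeps a typo in the new variable from reproducing the very failure this issue describes.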

Option 3: Support both methods

  • Try client_secret_basic first (current behavior)
  • If 400/401 error, retry with client_secret_post

Workaround

None available: the provider must support the client_secret_basic authentication method.

Related Environment Variables

Current OIDC configuration options:

WEB_OIDC_CLIENT_ID
WEB_OIDC_CLIENT_SECRET
OC_OIDC_ISSUER
PROXY_OIDC_ISSUER
OCIS_OIDC_ISSUER
WEB_OIDC_METADATA_URL
WEB_OIDC_AUTHORITY
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD

Missing:

OIDC_TOKEN_ENDPOINT_AUTH_METHOD  # <-- This is needed

References

Additional Context

This is blocking migration from Authentik to PocketID for OpenCloud deployments. Both are excellent products, but this authentication method incompatibility prevents their integration.
