From 4e2e985c88ec436815fc9c13fc9d85c58e6f3172 Mon Sep 17 00:00:00 2001
From: Afiya
Date: Fri, 13 Mar 2026 18:37:30 +0200
Subject: [PATCH 1/2] auth_oidc: models: res_users: Send cleint secret as well
Otherwise most OIDC providers will fail the token endpoint call
Signed-off-by: Afiya Thorn
---
auth_oidc/models/res_users.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
index 1684480fa4..f21e11cd07 100644
--- a/auth_oidc/models/res_users.py
+++ b/auth_oidc/models/res_users.py
@@ -31,6 +31,7 @@ def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params):
oauth_provider.token_endpoint,
data=dict(
client_id=oauth_provider.client_id,
+ client_secret=oauth_provider.client_secret,
grant_type="authorization_code",
code=code,
code_verifier=oauth_provider.code_verifier, # PKCE
From 9fb5692982413f2f622a3d27ab0643bb4fd02951 Mon Sep 17 00:00:00 2001
From: Afiya Thorn
Date: Fri, 13 Mar 2026 20:34:53 +0200
Subject: [PATCH 2/2] auth_oidc: Added an option to disable Client Secret Post
So it's not enabled by default, but the user can still enable it if their OIDC provider requires it
Signed-off-by: Afiya Thorn
---
auth_oidc/models/auth_oauth_provider.py | 3 +++
auth_oidc/models/res_users.py | 21 +++++++++++++--------
auth_oidc/views/auth_oauth_provider.xml | 1 +
3 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
index d5d1a82772..b3aeae5054 100644
--- a/auth_oidc/models/auth_oauth_provider.py
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -38,6 +38,9 @@ class AuthOauthProvider(models.Model):
client_secret = fields.Char(
help="Used in OpenID Connect authorization code flow for confidential clients.",
)
+ client_secret_post = fields.Boolean(
+ help="Use Client Secret in authorization post requests"
+ )
code_verifier = fields.Char(
default=lambda self: secrets.token_urlsafe(32), help="Used for PKCE."
)
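Review bot: With `client_secret` configured, the token request now authenticates the client twice — the `auth=(client_id, client_secret)` tuple that the second patch's res_users.py hunk shows being built a few lines above, plus `client_secret` in the form body added here — and RFC 6749 §2.3 requires a client to use no more than one authentication method per request, so token endpoints that enforce it answer `invalid_client`. The same issue remains in the second patch's res_users.py hunk, whose `client_secret_post` branch also posts the secret when `client_secret` is empty. There, let the body method replace HTTP Basic instead of stacking on it: `if oauth_provider.client_secret_post and oauth_provider.client_secret:` / `    post_data["client_secret"] = oauth_provider.client_secret` / `    auth = None  # client_secret_post replaces client_secret_basic (RFC 6749 §2.3)`. `_auth_oauth_get_tokens_auth_code_flow` starts and ends outside both hunks.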
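Review bot: The help text on the new `client_secret_post` field says "authorization post requests", but the only place the flag is read in this patch (the res_users.py hunk) adds the secret to the token endpoint request — the OIDC `client_secret_post` method — and the authorization request never carries a secret, so an admin reading the form is pointed at the wrong call. Suggest `help="Send the client secret in the token endpoint request body (OIDC client_secret_post). Enable only if your provider rejects HTTP Basic client authentication."`. The `AuthOauthProvider` class body starts outside the hunk.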
diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
index f21e11cd07..531526ce96 100644
--- a/auth_oidc/models/res_users.py
+++ b/auth_oidc/models/res_users.py
@@ -27,16 +27,21 @@ def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params):
auth = None
if oauth_provider.client_secret:
auth = (oauth_provider.client_id, oauth_provider.client_secret)
+
+ post_data = dict(
+ client_id=oauth_provider.client_id,
+ grant_type="authorization_code",
+ code=code,
+ code_verifier=oauth_provider.code_verifier, # PKCE
+ redirect_uri=request.httprequest.url_root + "auth_oauth/signin",
+ )
+
+ if oauth_provider.client_secret_post:
+ post_data["client_secret"] = oauth_provider.client_secret
+
response = requests.post(
oauth_provider.token_endpoint,
- data=dict(
- client_id=oauth_provider.client_id,
- client_secret=oauth_provider.client_secret,
- grant_type="authorization_code",
- code=code,
- code_verifier=oauth_provider.code_verifier, # PKCE
- redirect_uri=request.httprequest.url_root + "auth_oauth/signin",
- ),
+ data=post_data,
auth=auth,
timeout=10,
)
diff --git a/auth_oidc/views/auth_oauth_provider.xml b/auth_oidc/views/auth_oauth_provider.xml
index c890fb55a8..c9d65a36e5 100644
--- a/auth_oidc/views/auth_oauth_provider.xml
+++ b/auth_oidc/views/auth_oauth_provider.xml
@@ -14,6 +14,7 @@
+