diff --git a/app/utils/config/headplane.ts b/app/utils/config/headplane.ts
index fd39b32..3bde49a 100644
--- a/app/utils/config/headplane.ts
+++ b/app/utils/config/headplane.ts
@@ -28,6 +28,7 @@ export interface HeadplaneContext {
     client: string
     secret: string
     rootKey: string
+    method: string
     disableKeyLogin: boolean
   }
 }
@@ -143,6 +144,7 @@ async function checkOidc(config?: HeadscaleConfig) {
   let issuer = process.env.OIDC_ISSUER
   let client = process.env.OIDC_CLIENT_ID
   let secret = process.env.OIDC_CLIENT_SECRET
+  let method = process.env.OIDC_CLIENT_SECRET_METHOD ?? 'client_secret_basic'
 
   log.debug('CTXT', 'Checking OIDC environment variables')
   log.debug('CTXT', 'Issuer: %s', issuer)
@@ -161,6 +163,7 @@ async function checkOidc(config?: HeadscaleConfig) {
       issuer,
       client,
       secret,
+      method,
       rootKey,
       disableKeyLogin,
     }
@@ -204,6 +207,7 @@ async function checkOidc(config?: HeadscaleConfig) {
       client,
       secret,
       rootKey,
+      method,
       disableKeyLogin,
     }
   }
diff --git a/app/utils/oidc.ts b/app/utils/oidc.ts
index 191ae4a..70da015 100644
--- a/app/utils/oidc.ts
+++ b/app/utils/oidc.ts
@@ -36,7 +36,7 @@ export async function startOidc(oidc: OidcConfig, req: Request) {
   const issuerUrl = new URL(oidc.issuer)
   const oidcClient = {
     client_id: oidc.client,
-    token_endpoint_auth_method: 'client_secret_basic',
+    token_endpoint_auth_method: oidc.method,
   } satisfies Client
 
   const response = await discoveryRequest(issuerUrl)
@@ -91,7 +91,7 @@ export async function finishOidc(oidc: OidcConfig, req: Request) {
   const oidcClient = {
     client_id: oidc.client,
     client_secret: oidc.secret,
-    token_endpoint_auth_method: 'client_secret_basic',
+    token_endpoint_auth_method: oidc.method,
   } satisfies Client
 
   const response = await discoveryRequest(issuerUrl)
diff --git a/docs/Configuration.md b/docs/Configuration.md
index 81d7236..88d5001 100644
--- a/docs/Configuration.md
+++ b/docs/Configuration.md
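Review bot: `method: string` on HeadplaneContext is wider than what `token_endpoint_auth_method` is assigned to in app/utils/oidc.ts, where the client object is checked with `satisfies Client`; if the library declares that field as a union of method names, a plain `string` will not satisfy it, and even where it compiles the type says nothing about which values are valid. Consider a narrow type, e.g. `method: 'client_secret_basic' | 'client_secret_post'`, or one shared alias that checkOidc and both oidc.ts call sites use, so the accepted set lives in one place. A short doc comment above the field would also help, e.g. `// OIDC token_endpoint_auth_method, read from OIDC_CLIENT_SECRET_METHOD (default client_secret_basic)`. The HeadplaneContext interface starts before this hunk.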
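Review bot: The value read from `OIDC_CLIENT_SECRET_METHOD` in checkOidc is passed through unvalidated, so a misspelled or unsupported method (`private_key_jwt`, for instance, needs key material this config does not carry) is only discovered when the token exchange fails during login rather than when the server starts. Check it against the methods this configuration can actually serve and fail fast in whatever way checkOidc already handles a missing issuer or client, e.g. `if (method !== 'client_secret_basic' && method !== 'client_secret_post') throw new Error('Unsupported OIDC_CLIENT_SECRET_METHOD: ' + method)`; the accepted names should be the same set the `Client` type in oidc.ts allows. The neighbouring debug lines log the issuer but not the chosen method, so adding `log.debug('CTXT', 'Client secret method: %s', method)` would make a misconfiguration visible without exposing the secret itself. checkOidc continues outside this hunk.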
@@ -34,6 +34,7 @@ If you use the Headscale configuration integration, these are not required.
 - **`OIDC_ISSUER`**: The issuer URL of your OIDC provider.
 - **`OIDC_CLIENT_ID`**: The client ID of your OIDC provider.
 - **`OIDC_CLIENT_SECRET`**: The client secret of your OIDC provider.
+- **`OIDC_CLIENT_SECRET_METHOD`**: The method used to send the client secret (default: `client_secret_basic`).
 - **`ROOT_API_KEY`**: An API key used to issue new ones for sessions (keep expiry fairly long).
 - **`DISABLE_API_KEY_LOGIN`**: If you want to disable API key login, set this to `true`.