GLPI-Agent inventory task with oauth token authentication is refused (403) #21238
Description
Code of Conduct
- I agree to follow this project's Code of Conduct
Is there an existing issue for this?
- I have searched the existing issues
Version
11
Bug description
Since version 11 RC5, when the glpi-agent (1.15) does an inventory task, the server refuses the connection (403 forbidden). This worked up to 11 RC4. Nothing was changed on the agent side.
Relevant log output
Server log:
[01/Oct/2025:17:35:57 +0200] "POST / HTTP/1.1" 401 705 "-" "GLPI-Agent_v1.15"
[01/Oct/2025:17:35:57 +0200] "POST /api.php/token HTTP/1.1" 403 318 "-" "GLPI-Agent_v1.15"
Agent error log:
[Wed Oct 1 17:35:51 2025][info] target server0: server [server-url]
[Wed Oct 1 17:35:52 2025][info] sending prolog request to server0
[Wed Oct 1 17:35:52 2025][debug] [http client] Updating keystore known certificates
[Wed Oct 1 17:35:55 2025][debug] [http client] authentication required, querying oauth access token on [server-url]/api.php/token
[Wed Oct 1 17:35:56 2025][error] [http client] Failed to request oauth access token: 403 Forbidden
[Wed Oct 1 17:35:56 2025][error] No supported answer from server at [server-url]Page URL
No response
Steps To reproduce
In GLPI, set up an oauth client under "Setup" with the preferences below. Install the official glpi agent (1.15), pointing it to the GLPI server and use the oauth token and id you received from the server. Force the agent to perform the inventory task: glpi-agent -f.
Your GLPI setup information
The setup uses the official docker image (glpi/glpi:11) behind a reverse proxy (caddy).
The oauth client has the following settings:
Grants: "Client credentials" (also tried with all other options selected)
Scopes: "Inventory" (also tried with "API")
Authorized redirect URIs: "/api.php/token" and the default ones ("/api.php/oauth2/redirection", "/api.php/swagger-oauth-redirect")
IP Restrictions: none
Anything else?
No response