http-basic-auth headers for external OAuth source #9289
Description
Describe your question
Is there a way to have authentik send http-basic-auth headers (as per RFC6749 2.3.1) for external IdPs? I can't find any settings regarding this and it doesn't seem to do that by default.
Relevant info
An external IdP we use as a login source updated their underlying software. They now require applications to send http-basic-auth headers for OIDC client authentication. Before the update, login worked just fine.
Now we receive an error message: "Authentication failed: Could not retrieve token." and the logs show an HTTP 401 Unauthorized error, when trying to reach the IdP's token endpoint.
Logs
server-1:
{
"auth_via": "unauthenticated",
"domain_url": "[authentik.idp]",
"event": "Unable to fetch access token",
"exc": "HTTPError('401 Client Error: Unauthorized for url: https://[external.idp]/oauth2/token')",
"host": "[authentik.idp]",
"level": "warning",
"logger": "authentik.sources.oauth.clients.oauth2",
"pid": 55,
"request_id": "51bca021eac7412bb2e54233753761cf",
"response": "401 Client Error: Unauthorized for url: https://[external.idp]/oauth2/token",
"schema_name": "public",
"timestamp": "2024-04-15T11:22:40.705924"
}
Note that [url.idp] is redacted.
Version and Deployment:
- authentik version: 2024.2.2
- Deployment: docker-compose