From e95243ae68c549dde5cd7d2e66a2ab4dc7fc7fc8 Mon Sep 17 00:00:00 2001 From: Gerard Alvear Porras <55630227+Elgeryy1@users.noreply.github.com> Date: Sat, 11 Jul 2026 17:35:01 +0200 Subject: [PATCH] Document OIDC token endpoint authentication method (#9027) Explain that mod_auth_openidc defaults to client_secret_basic since our reference Apache configuration does not set OIDCProviderTokenEndpointAuth. If the identity provider's discovery metadata advertises a token_endpoint_auth_methods_supported array instead, mod_auth_openidc picks the first mutually supported method from that array rather than falling back to client_secret_basic. Also point to the .htaccess override for administrators who need something else. This only addresses the token-endpoint-auth-method part of #6102; the redirect-URI-port question raised in that issue is out of scope here. Addresses the token-endpoint-auth-method part of #6102 Co-authored-by: Gerard Alvear --- docs/en/admins/16_OpenID-Connect.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/en/admins/16_OpenID-Connect.md b/docs/en/admins/16_OpenID-Connect.md index 373bcd231..da2488748 100644 --- a/docs/en/admins/16_OpenID-Connect.md +++ b/docs/en/admins/16_OpenID-Connect.md @@ -49,6 +49,11 @@ OIDC support in Docker is activated by the presence of a non-empty non-zero `OID You may add additional custom configuration in a new `./FreshRSS/p/i/.htaccess` file. +### Token endpoint authentication method + +Our [reference Apache configuration](https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/FreshRSS.Apache.conf) does not set `OIDCProviderTokenEndpointAuth`, so [mod_auth_openidc](https://github.com/OpenIDC/mod_auth_openidc) falls back to its own default, `client_secret_basic` (i.e. the client ID and secret are sent in an HTTP Basic Authentication header when calling the token endpoint). If your identity provider’s discovery metadata advertises a `token_endpoint_auth_methods_supported` array, mod_auth_openidc instead uses the first method in that array that it also supports, which may not be `client_secret_basic`. +If you need a different method, you can set `OIDCProviderTokenEndpointAuth` yourself in a custom `./FreshRSS/p/i/.htaccess` file, as mentioned above. + ## Using own Apache installation See our reference [Apache configuration](https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/FreshRSS.Apache.conf) for more information.