OIDC with Hello.Dev Invalid_Client Error

[murfasa]

Description

Hi, thank you for your work on this awesome project! Upgrading from wireguard+wg-dashboard to headscale+headplane has been a breeze.

Unfortunately, I am having a similar issue as #311 while trying to get OIDC set up with hello.dev. Already have it working with headscale connected to hello.dev.

I was able to get OIDC login working on v0.6.2-beta.2 and v0.6.2-beta.3, however the Machines page breaks when I downgrade to that version. Did not work on v0.6.2-beta.4 and up.

Any ideas or suggestions?

Configuration Issue(s)
Authentication with the SSO provider failed. Please try again later. Headplane logs may provide more information.

2026-03-08T02:58:30.871Z [auth] ERROR: Got an OIDC response error body: {"error":"invalid_client","error_description":"client_id does not match session client_id"}
Headplane config:

oidc:
  enabled: true
  issuer: "https://issuer.hello.coop"
  headscale_api_key: "REDACTED"
  client_id: "app_REDACTED"
  client_secret: "REDACTED"
  use_pkce: true
  disable_api_key_login: false

Headplane Version

v0.6.2 (latest)

Headscale Version

v0.28.0 (stable)

[tale]

Is your issuer missing a trailing slash by any chance? I know specific IdPs are very strict about this. Also it seems like there may just be cookie issues that might be fixed from clearing cookies. I'll have to investigate on my own, but just some initial suggestions.

[murfasa]

Added a trailing slash to issuer but got the same result. Have tried different browsers, reloading cache, and a separate machine.

oidc:
  enabled: true
  issuer: "https://issuer.hello.coop/"

OIDC integration works without the trailing slash on v0.6.2-beta.2 and v0.6.2-beta.3, just not past that. It did not work with the trailing slash on these versions.

[murfasa]

After digging into the source and checking hello.coop's discovery document, the root cause is actually on hello.coop's side. Their discovery document advertises client_secret_basic as the only supported token endpoint auth method:

"token_endpoint_auth_methods_supported": ["client_secret_basic"]

My educated guess is Headplane's heuristic in negotiateTokenEndpointAuthMethod correctly reads this & selects client_secret_basic, which sends credentials in the Authorization header. However, hello.coop's token endpoint does not appear to work with credentials in the Authorization header, despite advertising client_secret_basic in their discovery document.

Workaround: explicitly override the auth method in your config to bypass the heuristic:

oidc:
  issuer: "https://issuer.hello.coop"
  client_id: "your-client-id"
  client_secret: "your-client-secret"
  use_pkce: true
  token_endpoint_auth_method: "client_secret_post"