Description
Use case
I’m running Headscale with Supabase OAuth Server as the identity provider. Supabase requires client_secret_post during the token exchange (OAuth 2.1), and the current Headscale behavior uses HTTP Basic auth, which causes the token exchange to fail with invalid_grant.
Description
Add a configurable OIDC client authentication style so token exchange can use client_secret_post (in addition to the current default/basic behavior). This would allow Headscale to work with OAuth 2.1 providers that require POST-based client authentication.
Contribution
- I can write the design doc for this feature
- I can contribute this feature
How can it be implemented?
Introduce a new config option like oidc.client_auth_style: auto|basic|post (default auto).
When set to post, set oauth2.Endpoint.AuthStyle = oauth2.AuthStyleInParams before calling oauth2.Exchange.
(Note: I’m not familiar with the Go stack, so the code was AI-assisted. But I have tested the flow myself and confirmed it works with Supabase.)
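As an added illustration (not code from this issue or from Headscale), the following standard-library-only Go example shows what the two x/oauth2 client-auth styles put on the wire: a parser for the proposed oidc.client_auth_style value, the token-exchange request built either way, and a constructed model of a provider that, like Supabase as described above, reads client credentials only from the POST body. The AuthStyle constants and every function name here are assumptions, redefined so the block builds without golang.org/x/oauth2.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// AuthStyle mirrors the golang.org/x/oauth2 AuthStyle constants (assumption: redefined so this builds with the stdlib alone).
type AuthStyle int
const (
	AuthStyleAutoDetect AuthStyle = iota // oauth2.AuthStyleAutoDetect: probes Basic first, retries in-params on failure
	AuthStyleInParams                    // oauth2.AuthStyleInParams: client_secret_post
	AuthStyleInHeader                    // oauth2.AuthStyleInHeader: client_secret_basic
)
// clientAuthStyles maps the proposed oidc.client_auth_style values; unset means the auto default.
var clientAuthStyles = map[string]AuthStyle{"": AuthStyleAutoDetect, "auto": AuthStyleAutoDetect,
	"basic": AuthStyleInHeader, "post": AuthStyleInParams}
// ParseClientAuthStyle validates a config value and returns the AuthStyle to set on the endpoint.
func ParseClientAuthStyle(s string) (AuthStyle, error) {
	if style, ok := clientAuthStyles[strings.ToLower(strings.TrimSpace(s))]; ok {
		return style, nil
	}
	return AuthStyleAutoDetect, fmt.Errorf("oidc.client_auth_style: unknown value %q (want auto|basic|post)", s)
}

// BuildTokenRequest builds the authorization_code exchange the way x/oauth2 does for each style:
// credentials in the form body for InParams, otherwise in an RFC 6749 §2.3.1 Basic header.
func BuildTokenRequest(tokenURL, clientID, clientSecret, code string, style AuthStyle) (*http.Request, error) {
	form := url.Values{"grant_type": {"authorization_code"}, "code": {code}}
	if style == AuthStyleInParams {
		form.Set("client_id", clientID)
		form.Set("client_secret", clientSecret)
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if style != AuthStyleInParams {
		req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
	}
	return req, nil
}

// PostOnlyProviderAccepts models a provider that reads client credentials only from the POST body
// (constructed stand-in for the Supabase behaviour in the issue); false is what surfaces as invalid_grant.
func PostOnlyProviderAccepts(req *http.Request, clientID, clientSecret string) bool {
	_ = req.ParseForm() // the server-side view of the submitted form
	return req.PostForm.Get("client_id") == clientID && req.PostForm.Get("client_secret") == clientSecret
}
```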