From df93578ab7e06d4ab6e7b676d65c7b1c2e449b60 Mon Sep 17 00:00:00 2001
From: Cyrill Troxler <cyrill@nine.ch>
Date: Tue, 9 Sep 2025 09:02:06 +0200
Subject: [PATCH] feat: improve client_credentials login error

This is especially useful in CI/CD when setting the
client_id/client_secret via env.
---
 auth/client_credentials.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/auth/client_credentials.go b/auth/client_credentials.go
index a28d839c..17320c86 100644
--- a/auth/client_credentials.go
+++ b/auth/client_credentials.go
@@ -3,6 +3,7 @@ package auth
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"os"
 
 	"github.com/ninech/nctl/api"
@@ -53,7 +54,19 @@ func (a *API) Oauth2Token(ctx context.Context) (*oauth2.Token, error) {
 		ClientSecret: a.ClientSecret,
 		TokenURL:     a.TokenURL,
 	}
-	return clientCredentialsCfg.Token(ctx)
+	tok, err := clientCredentialsCfg.Token(ctx)
+	if rerr, ok := err.(*oauth2.RetrieveError); ok && rerr.ErrorCode == "invalid_client" {
+		redactedClientSecret := a.ClientSecret
+		if len(a.ClientSecret) > 3 {
+			redactedClientSecret = a.ClientSecret[:3] + "<redacted>"
+		}
+		return nil, fmt.Errorf(
+			"%s: the used client ID/secret %q/%q is invalid",
+			rerr.ErrorDescription,
+			a.ClientID, redactedClientSecret,
+		)
+	}
+	return tok, err
 }
 
 func (a *API) UserInfo(ctx context.Context) (*api.UserInfo, error) {