"Invalid_client (Invalid Authentication Method for Accessing this Endpoint.)" on OIDC Connection

Problem statement

After setting up an OIDC connection, login attempts fail with an error message:

invalid_client (Invalid authentication method for accessing this endpoint.)

Symptoms

Error message in tenant logs:

"error": {
  "message": "invalid_client (Invalid authentication method for accessing this endpoint.)",
  "oauthError": "invalid_request",
  "type": "request-error"
},

Troubleshooting

This error occurs when an OIDC connection is configured in Back Channel mode and the IdP's token endpoint only accepts HTTP Basic client authentication (client_secret_basic), rather than credentials in the POST body.

To confirm that the IdP's token endpoint only accepts Basic Auth, try the following steps:

  1. Inspect the connection settings and find the IdP's token endpoint (it is also published as token_endpoint in the IdP's OIDC discovery document, which may additionally list token_endpoint_auth_methods_supported).
  2. Send a test token request to that endpoint twice: once with client_id and client_secret in the POST body (client_secret_post), and once with them in an Authorization: Basic header (client_secret_basic).

The POST variant should reproduce the error message seen in the logs (e.g. "Invalid authentication method..."), while the Basic Auth variant should return a different message (e.g. "Client authentication failed..." when a placeholder secret is used). The endpoint refused credentials sent in the body but parsed and evaluated the ones sent in the header, which implies it only accepts Basic Auth.

When Auth0 exchanges the authorization code for tokens, it sends client_id and client_secret in the POST body alongside the code (the client_secret_post method). Some token endpoints instead require HTTP Basic authentication (client_secret_basic), where client_id:client_secret is Base64 encoded and sent in the Authorization request header. At the moment, the client_secret_basic scheme is not supported for the OIDC enterprise connection.
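The check described above, as an added example that is not part of the original article or of Auth0's code: a stub token endpoint on localhost that, like the IdP in this scenario, accepts only client_secret_basic, and a client that sends the same code exchange with both methods so the two responses can be compared. The client ID, client secret, authorization code, redirect URI and the stub server itself are constructed for the example; against a real IdP you would point token_request at its token_endpoint instead.

```python
import base64
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, quote, unquote, urlencode
from urllib.request import Request, urlopen

# Constructed values for the stub IdP (not real credentials or codes).
CLIENT_ID = "example-client"
CLIENT_SECRET = "example-secret"
AUTH_CODE = "SplxlOBeZQQYbYS6WxSbIA"
REDIRECT_URI = "https://rp.example/callback"


def basic_auth_header(client_id, client_secret):
    """Build the client_secret_basic Authorization header (RFC 6749 section 2.3.1):
    each value is form-url-encoded, joined with ':', then Base64 encoded."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode()).decode()


def parse_basic_auth_header(value):
    """Inverse of basic_auth_header; returns (client_id, client_secret) or None."""
    if not value or not value.startswith("Basic "):
        return None
    try:
        client_id, client_secret = base64.b64decode(value[6:]).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    return unquote(client_id), unquote(client_secret)


class StubTokenEndpoint(BaseHTTPRequestHandler):
    """Token endpoint of a stub IdP that accepts only client_secret_basic,
    mimicking the IdP behaviour described in the article."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        creds = parse_basic_auth_header(self.headers.get("Authorization"))
        if creds is None:
            # Credentials in the body (client_secret_post) are refused outright.
            return self._reply(401, {"error": "invalid_client",
                "error_description": "Invalid authentication method for accessing this endpoint."})
        if creds != (CLIENT_ID, CLIENT_SECRET):
            # Header was parsed, but the secret is wrong: a different message.
            return self._reply(401, {"error": "invalid_client",
                "error_description": "Client authentication failed."})
        if form.get("grant_type") != ["authorization_code"] or form.get("code") != [AUTH_CODE]:
            return self._reply(400, {"error": "invalid_grant",
                "error_description": "Unknown authorization code."})
        self._reply(200, {"access_token": "stub-access-token", "token_type": "Bearer"})

    def _reply(self, status, payload):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_stub_idp():
    """Serve the stub token endpoint on a free localhost port; returns (server, token_url)."""
    server = HTTPServer(("127.0.0.1", 0), StubTokenEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/oauth/token"


def token_request(token_url, method, client_id, client_secret, code):
    """Exchange an authorization code using client_secret_post (credentials in the
    form body, which is what Auth0 sends) or client_secret_basic (Authorization
    header). Returns (http_status, parsed_json_body) for either outcome."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_post":
        form.update(client_id=client_id, client_secret=client_secret)
    elif method == "client_secret_basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        raise ValueError(f"unsupported method: {method}")
    req = Request(token_url, data=urlencode(form).encode(), headers=headers, method="POST")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def probe(token_url, client_id, client_secret, code):
    """The troubleshooting step: the same exchange with both methods, side by side."""
    return {m: token_request(token_url, m, client_id, client_secret, code)
            for m in ("client_secret_post", "client_secret_basic")}


if __name__ == "__main__":
    server, url = start_stub_idp()
    for method, (status, body) in probe(url, CLIENT_ID, CLIENT_SECRET, AUTH_CODE).items():
        print(f"{method:20s} -> {status} {body}")
    server.shutdown()
```

Against this stub, the client_secret_post attempt reproduces the "Invalid authentication method" error from the tenant logs and the client_secret_basic attempt succeeds; sending a deliberately wrong secret with Basic Auth yields "Client authentication failed", the distinct message the troubleshooting step looks for.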

Cause

The OIDC connection is configured in Back Channel mode, and the IdP's token endpoint accepts only HTTP Basic client authentication (client_secret_basic), which the connection does not send: it always delivers the client credentials in the POST body.

Solution

Supporting Basic Auth is on the roadmap. In the meantime, the alternatives are to ask whether the IdP can accept the POST authentication method (client_secret_post) at its token endpoint, or to switch the connection to the front-channel option, which uses the implicit flow. Because the implicit flow returns the ID token directly through the browser and never calls the token endpoint, client authentication does not come into play; if the IdP supports it, this may be a short-term alternative.