
auth_oidc: models: res_users: Send client secret as well #909

Open: okawo80085 wants to merge 2 commits into OCA:18.0 from okawo80085:patch-1

Conversation

@okawo80085 (Author)

Otherwise most OIDC providers will fail the token endpoint call

This is a bug fix btw

Otherwise most OIDC providers will fail the token endpoint call

Signed-off-by: Afiya Thorn <afiya@nafoarmories.org>
@OCA-git-bot (Contributor)

Hi @sbidoul,
some modules you are maintaining are being modified, check this out!

@okawo80085 (Author)

Oh yeah, and it's also needed in 19.0 and any other version that wants to use OIDC providers that verify client secrets when processing token calls

@sbidoul (Member)

sbidoul commented Mar 13, 2026

Not sure it is a bug. Possibly a missing feature.

Section 9 here seems relevant: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
It says the default authentication method is client_secret_basic, which we use here.
What you want seems to be client_secret_post.

Actually I'm not sure it is ok to send the client secret in the body unconditionally.

https://www.rfc-editor.org/rfc/rfc6749.txt section 2.3.1 says Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED.

So yeah, I think this is not obvious at all and requires more investigation.

Do you have more evidence to share?

@okawo80085 (Author)

Well, with PocketID (the OIDC provider I'm running) it's not optional, so if not unconditionally, it should at least be possible to enable it using a config option. If you show me the docs or an example of how to access options from odoo.conf, I'll add it in like 5 minutes.

@okawo80085 (Author)

Or wait, better yet, I'll add an option for it in the OAuth provider edit page

@okawo80085 (Author)

As for the bug itself, I can show you the logs of what happens if I don't provide the client_secret field in the POST requests

@okawo80085 (Author)

Here are the logs btw

odoo2-1  | 2026-03-13 17:20:59,970 7 INFO fwdb2 werkzeug: 172.18.0.5 - - [13/Mar/2026 17:20:59] "GET /web/login?redirect=/odoo? HTTP/1.1" 200 - 6 0.003 0.008
odoo2-1  | 2026-03-13 17:21:04,383 7 ERROR fwdb2 odoo.addons.auth_oauth.controllers.main: Exception during request handling 
odoo2-1  | Traceback (most recent call last):
odoo2-1  |   File "/usr/lib/python3/dist-packages/odoo/addons/auth_oauth/controllers/main.py", line 139, in signin
odoo2-1  |     _, login, key = request.env['res.users'].with_user(SUPERUSER_ID).auth_oauth(provider, kw)
odoo2-1  |                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
odoo2-1  |   File "/mnt/extra-addons/auth_oidc/models/res_users.py", line 56, in auth_oauth
odoo2-1  |     access_token, id_token = self._auth_oauth_get_tokens_auth_code_flow(
odoo2-1  |                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
odoo2-1  |   File "/mnt/extra-addons/auth_oidc/models/res_users.py", line 43, in _auth_oauth_get_tokens_auth_code_flow
odoo2-1  |     response.raise_for_status()
odoo2-1  |   File "/usr/lib/python3/dist-packages/requests/models.py", line 1021, in raise_for_status
odoo2-1  |     raise HTTPError(http_error_msg, response=self)
odoo2-1  | requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://id.<mydomain>.com.ua/api/oidc/token
odoo2-1  | 2026-03-13 17:21:04,388 7 INFO fwdb2 werkzeug: 172.18.0.5 - - [13/Mar/2026 17:21:04] "GET /auth_oauth/signin?code=K0LjDBc1E63gW5E6GTld542E6ciCcQK0&state={"d":+"fwdb2",+"p":+4,+"r":+"http%253A%252F%252Fodoo2.s2.<mydomain>.com.ua%252Fodoo%253F"}&iss=https://id.<mydomain>.com.ua HTTP/1.1" 303 - 2 0.002 0.227

@okawo80085 (Author)

If I add the client_secret field, the request doesn't fail anymore

@okawo80085 (Author)

Now it's not enabled by default, but the user can still enable it if their OIDC provider requires it

So it's not enabled by default, but the user can still
enable it if their OIDC provider requires it

Signed-off-by: Afiya Thorn <afiya@fireweed.com.ua>
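To make the distinction sbidoul raises concrete (client_secret_basic as the default versus client_secret_post as an opt-in that the second commit exposes per provider), here is an added example that is not auth_oidc or OCA code. It builds the authorization-code token request both ways, following RFC 6749 section 2.3.1 and OIDC Core section 9, and runs each against a simulated token endpoint that honours either method or only client_secret_post, which is the situation the traceback above shows. Every name, URL and credential in it (build_token_request, FakeTokenEndpoint, exchange_code, odoo-demo, the secret, the redirect URI) is constructed for illustration and is not taken from the module.

```python
# Added example (not auth_oidc / OCA code): the two client-authentication
# methods a Relying Party can use at the token endpoint, side by side, plus a
# simulated provider that only honours one of them. All names, URLs and
# credentials here are constructed for illustration.
import base64
import hmac
from urllib.parse import quote, unquote

CLIENT_ID = "odoo-demo"                                  # constructed
CLIENT_SECRET = "s3cr3t:with/special chars"              # constructed; note the ':' and '/'
REDIRECT_URI = "https://odoo.example/auth_oauth/signin"  # constructed


def _basic_credentials(client_id: str, client_secret: str) -> str:
    # RFC 6749 section 2.3.1: each value is form-urlencoded before being joined
    # with ':' and base64-encoded, so a ':' inside the secret cannot be
    # misparsed by the provider.
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return base64.b64encode(raw.encode("ascii")).decode("ascii")


def build_token_request(code, client_id, client_secret, method="client_secret_basic"):
    """Return (headers, form_body) for the authorization-code token call.

    method is the provider's token_endpoint_auth_method: the default
    'client_secret_basic' puts the credentials in an Authorization header;
    'client_secret_post' puts client_id/client_secret in the body instead.
    Exactly one of the two is used, never both (RFC 6749 section 2.3.1).
    """
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}
    headers = {"Accept": "application/json"}
    if method == "client_secret_basic":
        headers["Authorization"] = "Basic " + _basic_credentials(client_id, client_secret)
    elif method == "client_secret_post":
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported token_endpoint_auth_method: {method}")
    return headers, body


class FakeTokenEndpoint:
    """Minimal stand-in for a provider's token endpoint (constructed, offline).

    'accepts' lists the client-authentication methods the provider honours;
    handle() returns an HTTP-style status code only, no tokens.
    """

    def __init__(self, client_id, client_secret, accepts):
        self.client_id = client_id
        self.client_secret = client_secret
        self.accepts = set(accepts)

    def _check(self, client_id, client_secret):
        ok = client_id == self.client_id and hmac.compare_digest(client_secret, self.client_secret)
        return 200 if ok else 401          # 401 ~ invalid_client

    def handle(self, headers, body):
        auth = headers.get("Authorization", "")
        in_header = auth.startswith("Basic ")
        in_body = "client_secret" in body
        if in_header and in_body:
            return 400                     # more than one mechanism: invalid_request
        if in_header and "client_secret_basic" in self.accepts:
            try:
                decoded = base64.b64decode(auth[len("Basic "):]).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                return 400
            cid, _, secret = decoded.partition(":")
            return self._check(unquote(cid), unquote(secret))
        if in_body and "client_secret_post" in self.accepts:
            return self._check(body.get("client_id", ""), body["client_secret"])
        return 400                         # no usable client authentication: the 400 seen in the log


def exchange_code(provider, method, client_secret=CLIENT_SECRET):
    """Simulate the RP's token call against a provider with the given method."""
    headers, body = build_token_request("constructed-code", CLIENT_ID, client_secret, method)
    return provider.handle(headers, body)


if __name__ == "__main__":
    both = FakeTokenEndpoint(CLIENT_ID, CLIENT_SECRET, accepts=("client_secret_basic", "client_secret_post"))
    post_only = FakeTokenEndpoint(CLIENT_ID, CLIENT_SECRET, accepts=("client_secret_post",))
    for name, provider in (("accepts both", both), ("post only", post_only)):
        for method in ("client_secret_basic", "client_secret_post"):
            print(f"{name:12} {method:20} -> {exchange_code(provider, method)}")
```

The point of keeping the method a per-provider setting rather than sending the secret in the body unconditionally is visible in the simulated endpoint: a request that carries both an Authorization header and a client_secret form field is rejected outright, and a provider that only honours client_secret_post answers 400 to a Basic-authenticated call, which is the failure mode in the traceback above, while one that honours both accepts either.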
@okawo80085 (Author)

Forgot to disable my auto format and it changed more code than I needed to touch, so repushed
