Problem: Okta authentication fails #3348

@skarczjh

Description

Issue

The Semaphore UI application (running on Google Cloud Run) is failing the OpenID Connect (OIDC) authentication flow with a persistent invalid_client error during the Authorization Code Exchange step with the identity provider (Okta). All external configurations (Issuer URL, Redirect URI, and Client Authentication Method on the provider's side) have been validated as correct.

The root cause is a protocol mismatch: the Semaphore application is likely sending credentials using the standard method, which conflicts with the provider's stricter requirement.

Component / Value/Status

  • Application: Semaphore UI (semaphore/pro/server:latest)

  • Deployment: Google Cloud Run (Project ID removed)

  • IDP: Okta (Domain removed)

  • Error: level=error msg="oauth2: "invalid_client" "Client authentication failed. Either the client or the client credentials are invalid."

  • Token Endpoint: /oauth2/v1/token

Confirmed Configuration (Correct)

The following parameters have been confirmed to be correct and match the identity provider's expectations:

  • Issuer URL: Confirmed correct (Base URL removed).

  • Redirect URI: Confirmed set in Okta (Domain removed).

  • Okta Client Auth Method: client_secret_post (Confirmed by Administrator).

  • Client Credentials: Validated via manual external test (e.g., Postman).

Observed Behavior (The Protocol Mismatch)

The error strongly indicates that the Semaphore application is defaulting to the standard OIDC method for confidential clients:

  • Semaphore's Action (Likely Default): The application is sending the Client ID and Secret in the Authorization: Basic ... HTTP header (i.e., using client_secret_basic).

  • Okta's Requirement (Confirmed): The identity provider is strictly configured to expect the credentials to be in the body of the POST request (i.e., using client_secret_post).

  • Because the method of authentication delivery does not match the provider's configuration, Okta rejects the request with the generic invalid_client error.

Feature Request: Request that the Semaphore application either:

  • Explicitly implement support for honoring the client_secret_post method.

  • Introduce a configuration option (e.g., via environment variable) that allows users to explicitly set the desired token_endpoint_auth_method to either basic or post.

Impact

Web-Frontend (what users interact with)

Installation method

Docker

Database

Postgres

Browser

Chrome

Semaphore Version

v2.16.29-d14fa6b-1757160953

Ansible Version

Logs & errors

No response

Manual installation - system information

No response

Configuration

No response

Additional information

No response
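Added example, not Semaphore's code and not from the issue author: a Go sketch of the two ways a confidential client can place its credentials in the authorization-code exchange (client_secret_basic vs client_secret_post), plus a constructed stand-in for a provider application locked to client_secret_post. It shows why a client that sends the Basic header to such a provider gets the same opaque invalid_client as a wrong secret would. All names, URLs and credentials here (demo-client, demo-secret, the idp.example/app.example hosts) are constructed.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/url"
	"strings"
)

// AuthMethod is the client's token_endpoint_auth_method (OIDC Core 1.0 §9).
type AuthMethod int

const (
	ClientSecretBasic AuthMethod = iota // Authorization: Basic base64(id:secret)
	ClientSecretPost                    // client_id / client_secret as form fields
)

// BuildTokenRequest builds the code exchange; only the credential placement differs.
func BuildTokenRequest(tokenURL, clientID, secret, code, redirectURI string, m AuthMethod) (*http.Request, error) {
	form := url.Values{"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {redirectURI}}
	if m == ClientSecretPost {
		form.Set("client_id", clientID)
		form.Set("client_secret", secret)
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if m == ClientSecretBasic {
		// RFC 6749 §2.3.1: id and secret are form-urlencoded before the Basic encoding.
		req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(secret))
	}
	return req, nil
}

// PostOnlyTokenEndpoint is a constructed stand-in for a provider app locked to client_secret_post:
// it reads credentials from the body only, so a Basic-header client is refused with invalid_client.
func PostOnlyTokenEndpoint(clientID, secret string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if err := r.ParseForm(); err != nil || r.PostForm.Get("client_id") != clientID || r.PostForm.Get("client_secret") != secret {
			w.WriteHeader(http.StatusUnauthorized)
			_ = json.NewEncoder(w).Encode(map[string]string{"error": "invalid_client"})
			return
		}
		_ = json.NewEncoder(w).Encode(map[string]string{"access_token": "constructed-token", "token_type": "Bearer"})
	})
}
```

Driving the stand-in with a request built as ClientSecretBasic yields 401 {"error":"invalid_client"}, while the identical exchange built as ClientSecretPost succeeds; the provider cannot distinguish "wrong method" from "wrong secret", which is why the error alone does not point at the mismatch.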
