Account management login with OIDC results in "Code exchange failed." due to incorrect client_secret #1955

Closed
opened 2026-07-11 10:51:42 +00:00 by jinnatar · 2 comments
  • Continuwuity: forgejo.ellis.link/continuwuation/continuwuity:v26.6.0
  • OIDC provider: Kanidm 1.10.4, configured mostly as per setup guide.

OIDC config:

CONTINUWUITY_OAUTH__COMPATIBILITY_MODE       = "exclusive"
CONTINUWUITY_OAUTH__OIDC__DISCOVERY_URL      = "https://idm.example.com/oauth2/openid/c10y"
CONTINUWUITY_OAUTH__OIDC__CLIENT_ID          = "c10y"
CONTINUWUITY_OAUTH__OIDC__CLIENT_SECRET_FILE = "/secrets/oidc"

What I tried

  • Login to manage account at https://uwu.example.com/_continuwuity/account/login?next=account
  • Passing to IDM & back works, but the end result is an error on the web: Code exchange failed.

Logs

2026-07-11T10:15:38.544809Z ERROR conduwuit_service::oidc: Failed to exchange OIDC authorization code: Other error: server returned empty error response
at src/service/oidc/mod.rs:267 on conduwuit:worker ThreadId(22)
in tower_sessions::service::call

On the IDM side:

[info]: Invalid OAuth2 client_id secret

More details

If I instead pass in the client_secret directly via CONTINUWUITY_OAUTH__OIDC__CLIENT_SECRET this succeeds. I did play around with rendering the secret file from Vault in various ways but it always ends up the same with an endline at the end, as viewed with cat -A:

xyz123supersecrettoken$

vs. if I'd create it manually with echo -n then it's:

xyz123supersecrettoken%

.. So my best guess is perhaps the endline gets grabbed as part of the client_secret instead of being stripped? .. I could probably find a way to render the file without it, but I imagine many folks will run into this and be very confused.

- Continuwuity: `forgejo.ellis.link/continuwuation/continuwuity:v26.6.0` - OIDC provider: Kanidm 1.10.4, configured mostly as per setup guide. OIDC config: ```shell CONTINUWUITY_OAUTH__COMPATIBILITY_MODE = "exclusive" CONTINUWUITY_OAUTH__OIDC__DISCOVERY_URL = "https://idm.example.com/oauth2/openid/c10y" CONTINUWUITY_OAUTH__OIDC__CLIENT_ID = "c10y" CONTINUWUITY_OAUTH__OIDC__CLIENT_SECRET_FILE = "/secrets/oidc" ``` ### What I tried - Login to manage account at `https://uwu.example.com/_continuwuity/account/login?next=account` - Passing to IDM & back works, but the end result is an error on the web: `Code exchange failed.` ### Logs > 2026-07-11T10:15:38.544809Z ERROR conduwuit_service::oidc: Failed to exchange OIDC authorization code: Other error: server returned empty error response at src/service/oidc/mod.rs:267 on conduwuit:worker ThreadId(22) in tower_sessions::service::call On the IDM side: > [info]: Invalid OAuth2 client_id secret ### More details If I instead pass in the client_secret directly via `CONTINUWUITY_OAUTH__OIDC__CLIENT_SECRET` this succeeds. I did play around with rendering the secret file from Vault in various ways but it always ends up the same with an endline at the end, as viewed with `cat -A`: > xyz123supersecrettoken$ vs. if I'd create it manually with `echo -n` then it's: > xyz123supersecrettoken% .. So my best guess is perhaps the endline gets grabbed as part of the client_secret instead of being stripped? .. I could probably find a way to render the file without it, but I imagine many folks will run into this and be very confused.
Owner

Seems like the issue here is specifically that Continuwuity doesn't strip trailing newlines from the client secret file.

Seems like the issue here is specifically that Continuwuity doesn't strip trailing newlines from the client secret file.
ginger added this to the 26.6.1 milestone 2026-07-11 13:28:50 +00:00
Author

Can confirm fixed. Thanks, you're awesome!

Can confirm fixed. Thanks, you're awesome!
Sign in to join this conversation.
No milestone
No project
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
continuwuation/continuwuity#1955
No description provided.