[BUG] dex idp: missing client_id in post params when requesting acces token

[aya]

I'm unable to login to opencloud server 6.1 with IOS app version 1.2.1.
Login fails with error: "Authorization failed. (error 3, openid-connect: invalid_client)"
OC is configured to use dex IDP with following clients:

staticClients:
- id: OpenCloudWeb
  name: OpenCloudWeb
  public: true
  redirectURIs:
  - https://cloud.xxxxx.org/
  - https://cloud.xxxxx.org/oidc-callback.html
  - https://cloud.xxxxx.org/oidc-silent-redirect.html

- id: OpenCloudDesktop
  name: OpenCloudDesktop
  public: true

- id: OpenCloudAndroid
  name: OpenCloudAndroid
  public: true
  redirectURIs:
  - 'oc://android.opencloud.eu'

- id: OpenCloudIOS
  name: OpenCloudIOS
  public: true
  redirectURIs:
  - 'oc://ios.opencloud.eu'

OC authentification works well with web and desktop clients. (without role mapping for now, waiting for the new awesome WEBFINGER feature support in desktop app :))

On iOS, the OIDC flow fails on the last step when requesting the access token with a 'POST /token'.
I can reproduce the error replaying the POST with curl.

$ curl -D- -X POST -d "code=xxxx&code_verifier=xxxxxxxx&redirect_uri=oc://ios.opencloud.eu&grant_type=authorization_code" http://localhost:5556/token
HTTP/1.1 401 Unauthorized
Content-Length: 76
Content-Type: application/json
Date: Sat, 09 May 2026 01:34:47 GMT

{"error":"invalid_client","error_description":"Invalid client credentials."}

Adding &client_id=OpenCloudIOS to the request solves the pb.

$ curl -D- -X POST -d "code=xxxx&code_verifier=xxxxxxxx&redirect_uri=oc://ios.opencloud.eu&grant_type=authorization_code&client_id=OpenCloudIOS" http://localhost:5556/token
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 2457
Content-Type: application/json
Pragma: no-cache
Date: Sat, 09 May 2026 01:36:24 GMT

{"access_token":"xxxx.xxxxxxxx.xxxxxxxxx","token_type":"bearer","expires_in":86399,"id_token":"xxxx.xxxxxxxx"}

[guruz]

Interesting.
Side note: Did you by any chance also test Android? :)

[guruz]

Can you paste what webfinger replies with &platform=ios ?

[aya]

https://cloud.laplank.org/.well-known/webfinger?resource=https://cloud.laplank.org/&platform=ios

{
"subject": "https://cloud.laplank.org/",
"properties": {
"http://opencloud.eu/ns/oidc/client_id": "OpenCloudIOS",
"http://opencloud.eu/ns/oidc/scopes": [
"openid email profile groups federated:id"
]
},
"links": [
{
"rel": "http://openid.net/specs/connect/1.0/issuer",
"href": "https://id.open.us.org/"
}
]
}

I already had the same pb with older version of the app. I'll ask someone to test with android :)

EDIT: on android I see the client_id in the post request and dex returns a 200, but it seems to fail with an 'invalid refresh token' error. I'll open another issue in the android repo when it is confirmed.

[guruz]

"code=xxxx&code_verifier=xxxxxxxx&redirect_uri=oc://ios.opencloud.eu&grant_type=authorization_code"

Is that the exact URL format you saw in the logs?

FYI, when trying to connect to your server from my app I can see this it trying to open
https://id.open.us.org/auth?prompt=select_account%20consent&response_type=code&code_challenge_method=S256&code_challenge=sGtSJJ8nPQcNgLoxG6ofTLHCBKrDUdK0CVIOh8FZ-zk&scope=openid%20email%20profile%20groups%20federated:id&redirect_uri=oc://ios.opencloud.eu&client_id=OpenCloudIOS&state=B7C5A1B5-9CB0-463C-B679-E0145C04E0EC

So it both has OpenCloudIOS and the extra scopes ^
So the webfinger part works.
:)

EDIT: on android I see the client_id in the post request and dex returns a 200, but it seems to fail with an 'invalid refresh token' error. I'll open another issue in the android repo when it is confirmed.

It was out in the wild for Android for some time now without people reporting new bugs, so my gut would tell me the mistake is related to dex or OpenCloud (configuration), hmmm.

[aya]

Is that the exact URL format you saw in the logs?

Yes I just replaced the code and code_verifier values with xxxx.

So the webfinger part works.

Yes, webfinger is a great enhancement to allow custom scopes, thanks a lot for that feature ;)

So it both has OpenCloudIOS and the extra scopes

Yes, on the 'GET /auth' request the client_id is present, but once you are authenticated, the next query to request the token with a 'POST /token' is missing client_id in the post data.

I can share the logs if needed and/or create a test account.

[guruz]

I think test account is easiest to see :) You can write to my first name (see profile) at woboq dot com.

[aya]

sent :)

[guruz]

Just tested, iOS behaves as you said.

Then I tested Android which goes further but then says "Invalid refresh token". I'll dig deeper and let you know, don't change the config for now ideally..

[guruz]

(Android)

"Invalid refresh token".

offline_access is missing in scopes? Can you add it?

[guruz]

(iOS)

I managed to login now with a small code fix here in ios-sdk repo. I will give more info for testing later..

[aya]

offline_access is missing in scopes? Can you add it?

I added it.