Infos:
- Used Zammad version: 7.0.1
- Used Zammad installation type: docker-compose
- Operating system: Ubuntu 24.04 LTS host system + Docker
- Browser + version: Safari 26.4, Firefox 149.0.2
Expected behavior:
- Login via third party OpenID Connect Authentication to Zammad
Actual behavior:
At our university, we have a Shibboleth IDP with an activated OpenID Connect Provider module on top, see de:shibidp:config-extensions-oidc [Dokumentation DFN-AAI, DFN-PKI und eduroam].
Using the OpenID Connect Provider to authenticate against other services, like BBB, works fine. Here we use a client secret that is configured in the BBB instance.
Zammad, on the other hand, seems to be a public client, so no client secret can be specified. Currently, we do not have the ability to authenticate against our OpenID Connect IDP.
Our employee responsible for our IDP told me that Zammad uses the wrong token endpoint authentication method. He indicated that Zammad sends token_endpoint_auth_method = client_secret_basic instead of token_endpoint_auth_method = none.
Is there a way to configure this within Zammad?
Or is there another university which has a working example?
Steps to reproduce the behavior:
- Enable third-party registration via OpenID Connect in the Zammad UI.
- Set the identifier and the URL of the IDP.
- Set the UID field to `sub`, scopes to `openid email profile` and PKCE to `yes`.
- Try to authenticate.
Thanks.
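
To check which method a client really uses, the token request can be captured (for example from the IdP or reverse-proxy log) and classified. The following is an added example, not part of the original post and not Zammad's or the Shibboleth plugin's code; the client ID, secret, code, verifier and redirect URI are constructed values. It builds the authorization-code token request as a public client (`none`, PKCE only) and as a confidential client (`client_secret_basic`), then names the method a given request is using.

```python
import base64
from urllib.parse import parse_qs, quote_plus, urlencode

def build_token_request(auth_method, client_id, code, redirect_uri,
                        code_verifier, client_secret=None):
    """Return (headers, body) for an authorization-code token request with PKCE."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "code_verifier": code_verifier}
    if auth_method == "none":
        # Public client: client_id goes in the body, no secret is sent anywhere.
        form["client_id"] = client_id
    elif auth_method == "client_secret_basic":
        # Confidential client: form-encoded id:secret in HTTP Basic (RFC 6749, 2.3.1).
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    else:
        raise ValueError(f"unsupported auth method: {auth_method}")
    return headers, urlencode(form)

def classify_token_auth(headers, body):
    """Name the token_endpoint_auth_method a captured token request is using."""
    form = parse_qs(body)
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    if auth.lower().startswith("basic "):
        return "client_secret_basic"
    if "client_assertion" in form:
        return "private_key_jwt or client_secret_jwt"
    if "client_secret" in form:
        return "client_secret_post"
    return "none"

def matches_registration(registered_method, headers, body):
    """True if the request uses the method the IdP has registered for the client."""
    return registered_method in classify_token_auth(headers, body)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    common = dict(client_id="helpdesk", code="SAMPLE_CODE",
                  redirect_uri="https://helpdesk.example.org/callback",
                  code_verifier="SAMPLE_VERIFIER")
    for method, secret in (("none", None), ("client_secret_basic", "s3cr3t")):
        headers, body = build_token_request(method, client_secret=secret, **common)
        print(method, "->", classify_token_auth(headers, body),
              "| accepted by an IdP registered for 'none':",
              matches_registration("none", headers, body))
```

An IdP that has the client registered with `none` rejects the second request, because the method it observes is `client_secret_basic`.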