diff --git a/backend/lib/express/jwt-decode.js b/backend/lib/express/jwt-decode.js
index 745763a7..193a3d0e 100644
--- a/backend/lib/express/jwt-decode.js
+++ b/backend/lib/express/jwt-decode.js
@@ -4,9 +4,14 @@ module.exports = () => {
 return function (req, res, next) {
 res.locals.access = null;
 let access = new Access(res.locals.token || null);
- // allow unauthenticated access to OIDC configuration
- let anon_access = req.url === '/oidc-config' && !access.token.getUserId();
- access.load(anon_access)
+
+ // Allow unauthenticated access to get the oidc configuration
+ let oidc_access =
+ req.url === '/oidc-config' &&
+ req.method === 'GET' &&
+ !access.token.getUserId();
+
+ access.load(oidc_access)
 .then(() => {
 res.locals.access = access;
 next();
diff --git a/backend/routes/oidc.js b/backend/routes/oidc.js
index 9c8030f9..751c04f5 100644
--- a/backend/routes/oidc.js
+++ b/backend/routes/oidc.js
@@ -1,11 +1,11 @@
 const crypto = require('crypto');
-const error = require('../../lib/error');
+const error = require('../lib/error');
 const express = require('express');
-const jwtdecode = require('../../lib/express/jwt-decode');
-const logger = require('../../logger').oidc;
+const jwtdecode = require('../lib/express/jwt-decode');
+const logger = require('../logger').oidc;
 const oidc = require('openid-client');
-const settingModel = require('../../models/setting');
-const internalToken = require('../../internal/token');
+const settingModel = require('../models/setting');
+const internalToken = require('../internal/token');
 let router = express.Router({
 caseSensitive: true,
diff --git a/backend/routes/settings.js b/backend/routes/settings.js
index d870974f..aa7d414e 100644
--- a/backend/routes/settings.js
+++ b/backend/routes/settings.js
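Review bot: The new `oidc_access` condition compares `req.url`, which in Express still carries any query string, so `GET /oidc-config?x=1` would not match and would fall through to the token-required path; that fails closed, which is the right direction, but if a query string is ever legitimately sent the comparison should be against `req.path` instead. The binding is never reassigned, so the whole test reads better as one `const`: `const oidcAccess = req.method === 'GET' && req.path === '/oidc-config' && !access.token.getUserId();`. Whether `req.url` here is relative to a router mount point cannot be told from the hunk, so keep `req.url` if the mount semantics are relied on. It would also help a future reader to state in the comment that this anonymous path is only safe because the settings route strips the client secret from the returned row. The enclosing middleware function starts and ends outside the hunk.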
@@ -72,13 +72,14 @@ router
 })
 .then((row) => {
 if (row.id === 'oidc-config') {
- // redact oidc configuration via api
+ // Redact oidc configuration via api (unauthenticated get call)
 let m = row.meta;
 row.meta = {
 name: m.name,
 enabled: m.enabled === true && !!(m.clientID && m.clientSecret && m.issuerURL && m.redirectURL && m.name)
 };
- // remove these temporary cookies used during oidc authentication
+
+ // Remove these temporary cookies used during oidc authentication
 res.clearCookie('npm_oidc');
 res.clearCookie('npm_oidc_error');
 }
diff --git a/frontend/js/app/api.js b/frontend/js/app/api.js
index 207cb548..03e787d7 100644
--- a/frontend/js/app/api.js
+++ b/frontend/js/app/api.js
@@ -59,8 +59,11 @@ function fetch(verb, path, data, options) {
 },
 beforeSend: function (xhr) {
- // allow unauthenticated access to OIDC configuration
- if (path === 'settings/oidc-config') return;
+ // Allow unauthenticated access to get the oidc configuration
+ if (path === 'settings/oidc-config' && verb === "get") {
+ return;
+ }
+
 xhr.setRequestHeader('Authorization', 'Bearer ' + (token ? token.t : null));
 },
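Review bot: The new comment on the redaction says "(unauthenticated get call)", but the `if (row.id === 'oidc-config')` branch runs for every caller of this route, authenticated or not, and that unconditional stripping of `clientID`/`clientSecret`/`issuerURL`/`redirectURL` is exactly what makes the anonymous GET allowed in lib/express/jwt-decode.js safe; the comment should state the invariant rather than the one caller: `// Redact the oidc configuration for every caller: only name and a derived enabled flag leave this route, never the client secret`. `m` is never reassigned, so `const m = row.meta;` is the idiomatic form. The enclosing handler starts outside the hunk.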