diff --git a/connector/oidc/oidc_test.go b/connector/oidc/oidc_test.go
index 10550dfe79..4b09e75bc0 100644
--- a/connector/oidc/oidc_test.go
+++ b/connector/oidc/oidc_test.go
@@ -461,6 +461,142 @@ func TestHandleCallback(t *testing.T) {
 }
 }
 
+func TestHandleClientCredentialsCallback(t *testing.T) {
+ t.Helper()
+
+ tests := []struct {
+ name string
+ clientID string
+ clientSecret string
+ userIDKey string
+ userNameKey string
+ overrideClaimMapping bool
+ preferredUsernameKey string
+ emailKey string
+ groupsKey string
+ insecureSkipEmailVerified bool
+ scopes []string
+ expectUserID string
+ expectUserName string
+ expectGroups []string
+ expectPreferredUsername string
+ expectedEmailField string
+ token map[string]interface{}
+ newGroupFromClaims []NewGroupFromClaims
+ expectedHandlerError error
+ }{
+ {
+ name: "withCorrectCredentials",
+ userIDKey: "", // not configured
+ userNameKey: "", // not configured
+ expectUserID: "subvalue",
+ expectUserName: "namevalue",
+ expectGroups: nil,
+ expectedEmailField: "emailvalue",
+ scopes: []string{"openid", "id-clientidvalue", "secret-clientsecretvalue"},
+ token: map[string]interface{}{
+ "sub": "subvalue",
+ "name": "namevalue",
+ "email": "emailvalue",
+ "email_verified": false,
+ },
+ expectedHandlerError: nil,
+ },
+ {
+ name: "withoutCredentials",
+ userIDKey: "", // not configured
+ userNameKey: "", // not configured
+ expectUserID: "",
+ expectUserName: "",
+ expectGroups: nil,
+ expectedEmailField: "",
+ scopes: []string{"openid"},
+ token: nil,
+ expectedHandlerError: fmt.Errorf("oidc: unable to parse clientID or clientSecret"),
+ },
+ {
+ name: "missingSingleCredentialPrefix",
+ userIDKey: "", // not configured
+ userNameKey: "", // not configured
+ expectUserID: "",
+ expectUserName: "",
+ expectGroups: nil,
+ expectedEmailField: "",
+ scopes: []string{"openid", "id-clientidvalue", "clientsecretvalue"},
+ token: nil,
+ expectedHandlerError: fmt.Errorf("oidc: unable to parse clientID or clientSecret"),
+ },
+ {
+ name: "missingBothCredentialPrefixes",
+ userIDKey: "", // not configured
+ userNameKey: "", // not configured
+ expectUserID: "",
+ expectUserName: "",
+ expectGroups: nil,
+ expectedEmailField: "",
+ scopes: []string{"openid", "clientidvalue", "clientsecretvalue"},
+ token: nil,
+ expectedHandlerError: fmt.Errorf("oidc: unable to parse clientID or clientSecret"),
+ },
+ }
+
+ for _, tc := range tests {
+ t.Run(tc.name, func(t *testing.T) {
+ idTokenDesired := true
+ testServer, err := setupServer(tc.token, idTokenDesired)
+ if err != nil {
+ t.Fatal("failed to setup test server", err)
+ }
+ defer testServer.Close()
+
+ serverURL := testServer.URL
+ basicAuth := true
+ config := Config{
+ Issuer: serverURL,
+ ClientID: tc.clientID,
+ ClientSecret: tc.clientSecret,
+ Scopes: tc.scopes,
+ RedirectURI: fmt.Sprintf("%s/callback", serverURL),
+ UserIDKey: tc.userIDKey,
+ UserNameKey: tc.userNameKey,
+ InsecureSkipEmailVerified: tc.insecureSkipEmailVerified,
+ InsecureEnableGroups: true,
+ BasicAuthUnsupported: &basicAuth,
+ OverrideClaimMapping: tc.overrideClaimMapping,
+ }
+ config.ClaimMapping.PreferredUsernameKey = tc.preferredUsernameKey
+ config.ClaimMapping.EmailKey = tc.emailKey
+ config.ClaimMapping.GroupsKey = tc.groupsKey
+ config.ClaimMutations.NewGroupFromClaims = tc.newGroupFromClaims
+
+ conn, err := newConnector(config)
+ if err != nil {
+ t.Fatal("failed to create new connector", err)
+ }
+ req, err := newRequestWithoutAuthCode(testServer.URL)
+ if err != nil {
+ t.Fatal("failed to create request", err)
+ }
+
+ // mimic the functionality of server/oauth2 parseScopes
+ s := connector.Scopes{}
+ s.Other = append(s.Other, tc.scopes...)
+
+ identity, err := conn.HandleCallback(s, req)
+ expectEquals(t, err, tc.expectedHandlerError)
+ if err != nil {
+ return
+ }
+ expectEquals(t, identity.UserID, tc.expectUserID)
+ expectEquals(t, identity.Username, tc.expectUserName)
+ expectEquals(t, identity.PreferredUsername, tc.expectPreferredUsername)
+ expectEquals(t, identity.Email, tc.expectedEmailField)
+ expectEquals(t, identity.EmailVerified, false)
+ expectEquals(t, identity.Groups, tc.expectGroups)
+ })
+ }
+}
+
 func TestRefresh(t *testing.T) {
 t.Helper()
 
@@ -828,6 +964,15 @@ func newRequestWithAuthCode(serverURL string, code string) (*http.Request, error
 return req, nil
 }
 
+func newRequestWithoutAuthCode(serverURL string) (*http.Request, error) {
+ req, err := http.NewRequest("GET", serverURL, nil)
+ if err != nil {
+ return nil, fmt.Errorf("failed to create request: %v", err)
+ }
+
+ return req, nil
+}
+
 func n(pub *rsa.PublicKey) string {
 return encode(pub.N.Bytes())
 }
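Review bot: None of the four cases in TestHandleClientCredentialsCallback exercises well-formed but rejected credentials — `withCorrectCredentials` is the only case carrying both an `id-` and a `secret-` scope, and the other three fail before any credential check with `oidc: unable to parse clientID or clientSecret`, so a connector that accepted any syntactically valid pair would still pass this table. Add a case such as `scopes: []string{"openid", "id-clientidvalue", "secret-wrongvalue"}` with a non-nil `expectedHandlerError`; whether setupServer (defined outside this hunk) can be made to reject it needs confirming. Separately, `clientID`, `clientSecret`, `overrideClaimMapping`, `preferredUsernameKey`, `emailKey`, `groupsKey`, `insecureSkipEmailVerified`, `expectPreferredUsername` and `newGroupFromClaims` are declared in the table struct but never set by any case, so every run uses their zero values — drop them or give them a case that sets them. `expectEquals(t, err, tc.expectedHandlerError)` compares against a freshly constructed `fmt.Errorf` value, which only holds if expectEquals (outside the hunk) is deep-equality based; comparing `err.Error()` strings, or an exported sentinel via errors.Is, would be less brittle.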
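Review bot: The error returned from newRequestWithoutAuthCode is formatted with `%v`, which drops the underlying error from the chain; `return nil, fmt.Errorf("creating request: %w", err)` keeps it inspectable with errors.Is/As and loses the redundant "failed to" prefix. `http.MethodGet` in place of the bare `"GET"` literal would also match the standard library's constants. If newRequestWithAuthCode, which starts above this hunk, uses the same `%v` form, change both so the two helpers stay consistent.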