diff --git a/README.md b/README.md
index 01530446460d0a93c8904adc86a5babfad329493..95b45b477b728bb686af2124f0400854077fd45b 100644
--- a/README.md
+++ b/README.md
@@ -120,7 +120,6 @@ GITLAB_OMNIBUS_CONFIG: |
                 'scope' => ['openid', 'profile', 'email'],
                 'response_type' => 'code',
                 'issuer' => 'http://${oidc-provider}:${oidc-provider-port:-5556}/dex',
-                'client_auth_method' => 'query',
                 'discovery' => false, # GitLab discovery expects HTTPS
                 'uid_field' => 'preferred_username',
                 'client_options' => {
@@ -137,6 +136,21 @@ GITLAB_OMNIBUS_CONFIG: |
     ]
 ```
 
+Note that for the [OpenID-Connect spec](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)
+`basic` is the default client auth method if no different mechanism is
+configured at the client registration time.
+
+Quoting the [GitLab documentation](https://docs.gitlab.com/ee/administration/auth/oidc.html):
+>
+> - `client_auth_method` (optional) specifies the method used for authenticating
+>   the client with the OpenID Connect provider.
+>   - Supported values are:
+>     - `basic` - HTTP Basic Authentication.
+>     - `jwt_bearer` - JWT-based authentication (private key and client secret signing).
+>     - `mtls` - Mutual TLS or X.509 certificate validation.
+>     - Any other value posts the client ID and secret in the request body.
+>   - If not specified, this value defaults to `basic`.
+
 Remember to open `80` port and [create API token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#create-a-personal-access-token-programmatically) for later use by the AuthZ mediator.
 
 ### AuthZ mediator
diff --git a/docker-compose-gitlab.yaml b/docker-compose-gitlab.yaml
index d24d933690854aa34c597fd5db17ddcb08b323ea..0d837b56bb373dc868043c9be1441af347b08559 100644
--- a/docker-compose-gitlab.yaml
+++ b/docker-compose-gitlab.yaml
@@ -19,6 +19,8 @@ services:
               'scope' => ['openid', 'profile', 'email'],
               'response_type' => 'code',
               'issuer' => 'http://oidc-provider:5556/dex',
+              # opt-in to client_secret_post client auth for no particular reason
+              # https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
               'client_auth_method' => 'query',
               'discovery' => false, # GitLab discovery expects HTTPS
               'uid_field' => 'preferred_username',
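Review bot: The added comment on the `client_auth_method` line says the opt-in is "for no particular reason", which leaves the next reader unable to tell whether `query` is a deliberate choice or a leftover; it also does not explain that `query` is not one of GitLab's named values (`basic`, `jwt_bearer`, `mtls`) and only works because any unrecognised value falls through to posting the client ID and secret in the token request body. The README hunk in this same commit removes the `'client_auth_method' => 'query'` line from the documented config while this compose file keeps it, so the two now disagree on which client auth method the setup uses; pick one and make the other match. I would replace the two comment lines with `# 'query' is not a named GitLab value; anything other than basic/jwt_bearer/mtls makes GitLab`, `# post client_id and client_secret in the token request body (client_secret_post).`, `# Drop this line to use the OIDC default, HTTP Basic.` so the fall-through behaviour the comment relies on is stated explicitly.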