🐛 Bug Report: v0.42: FreshRSS / auth_openidc error: JWT signature verification failed #289

Closed
opened 2025-10-08 00:01:46 +03:00 by OVERLORD · 1 comment

Originally created by @abno85 on GitHub.

Reproduction steps

After updating Pocket-ID to v0.42 the OIDC client for FreshRSS throws an error after logging in via Pocket-ID.
It was/is working fine with Pocket-ID up to v0.41.

I reverted to v0.41 for now and the login is working fine again 👍

Expected behavior

The login should work like before :)

Actual Behavior

FreshRSS throws this error upon loading:

Error:

OpenID Connect Provider error: Error in handling response type.

Version and Environment

Pocket-ID v0.42

FreshRSS compose.yaml:

services:
  freshrss:
    image: freshrss/freshrss:latest
    container_name: freshrss
    restart: unless-stopped
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
      - TRUSTED_PROXY=10.81.80.80/32
      - CRON_MIN=1,31
      - OIDC_ENABLED=1
      - OIDC_CLIENT_ID=1111aaaa-2222-bbbb-3333-cccc4444dddd
      - OIDC_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxx
      - OIDC_PROVIDER_METADATA_URL=https://id.mydomain.net/.well-known/openid-configuration
      - OIDC_SCOPES=openid email profile
      - OIDC_X_FORWARDED_HEADERS=X-Forwarded-Proto X-Forwarded-Host
      - OIDC_REMOTE_USER_CLAIM=preferred_username
      - OIDC_CLIENT_CRYPTO_KEY=xxxxxxxxxxxxxxxxx
    volumes:
      ...

Log Output

Logs from the FreshRSS container:

freshrss  | 10.8.16.10 - - [18/Mar/2025:22:41:02 +0100] "GET /i/ HTTP/1.1" 302 470 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0"
freshrss  | [Tue Mar 18 22:41:04.266760 2025] [auth_openidc:error] [pid 48:tid 48] [client 10.8.16.10:0] oidc_proto_jwt_verify: JWT signature verification failed: [src/jose.c:994: oidc_jwt_verify]: could not find key with kid: , referer: https://id.mydomain.net/
freshrss  | [Tue Mar 18 22:41:04.266780 2025] [auth_openidc:error] [pid 48:tid 48] [client 10.8.16.10:0] oidc_proto_parse_idtoken: id_token signature could not be validated, aborting, referer: https://id.mydomain.net/
freshrss  | 10.8.16.10 - "" [18/Mar/2025:22:41:04 +0100] "GET /i/oidc/?code=ZtsIHz[...................redacted.......................]iFwpY7iA HTTP/1.1" 200 335 "https://id.mydomain.net/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0"

Logs from Pocket-ID:

pocket-id  | [GIN] 2025/03/18 - 21:44:16 | 200 |     813.345µs |             ::1 | GET      "/api/oidc/clients/1111aaaa-2222-bbbb-3333-cccc4444dddd/meta"
pocket-id  | [GIN] 2025/03/18 - 21:44:16 | 200 |    1.303376ms |             ::1 | GET      "/api/users/me"
pocket-id  | [GIN] 2025/03/18 - 21:44:16 | 200 |     361.612µs |             ::1 | GET      "/api/application-configuration"
pocket-id  | [GIN] 2025/03/18 - 21:44:16 | 200 |     940.413µs |      10.8.16.10 | POST     "/api/oidc/authorization-required"
pocket-id  | [GIN] 2025/03/18 - 21:44:16 | 200 |   16.805512ms |      10.8.16.10 | POST     "/api/oidc/authorize"
pocket-id  | [GIN] 2025/03/18 - 21:44:17 | 200 |   78.619941ms |      10.81.80.1 | POST     "/api/oidc/token"
pocket-id  | [GIN] 2025/03/18 - 21:44:17 | 200 |      14.649µs |      10.81.80.1 | GET      "/.well-known/jwks.json"
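The FreshRSS log above fails at the key-selection step, before any cryptography happens: `oidc_jwt_verify` cannot find a JWKS entry for the `kid` named in the id_token header (the value after `kid:` is empty). The following is an added diagnostic, not code from the issue or from Pocket-ID, FreshRSS or mod_auth_openidc. It reproduces that lookup step on the relying-party side so an operator can tell whether a freshly issued id_token header and the provider's published JWKS agree on `kid` and `alg`. Sample tokens and the key set are constructed inline (the RSA parameters are dummies and the signature segment is a placeholder), nothing is fetched, and no signature is verified; the status names are this example's own.

```python
# Added example (not part of the issue or of Pocket-ID / FreshRSS / mod_auth_openidc):
# reproduce the key-selection step that fails in the log, i.e. matching the id_token's
# JOSE header "kid" against the provider's JWKS. Sample tokens and key sets are
# constructed inline; nothing is fetched and no signature is checked.
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWTs omit the '=' padding, so restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the alphabet compact JWS segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header of a compact JWS (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with exactly three segments")
    return json.loads(b64url_decode(parts[0]))


def select_jwk(header: dict, jwks: dict):
    """Pick the JWKS entry the token header points at.

    Returns (status, jwk). 'ok' means exactly one candidate key was found and its
    advertised metadata is consistent with the header; any other status is the
    reason a strict verifier stops before it ever checks the signature.
    """
    keys = jwks.get("keys", [])
    kid = header.get("kid")
    alg = header.get("alg")

    if kid is None or kid == "":
        # Consistent with the log line 'could not find key with kid: ' (empty value):
        # there is no kid to look up, so no key can be selected.
        return ("missing-kid", None)

    candidates = [k for k in keys if k.get("kid") == kid]
    if not candidates:
        return ("kid-not-found", None)
    if len(candidates) > 1:
        return ("duplicate-kid", None)

    jwk = candidates[0]
    # A key published for one algorithm must not be accepted for another; a mismatch
    # here is the classic algorithm-confusion condition, so refuse rather than guess.
    if "alg" in jwk and jwk["alg"] != alg:
        return ("alg-mismatch", None)
    if jwk.get("use") not in (None, "sig"):
        return ("not-a-signing-key", None)
    return ("ok", jwk)


def diagnose(token: str, jwks: dict) -> str:
    """One-word verdict on why (or whether) key selection succeeds for this token."""
    status, _ = select_jwk(jwt_header(token), jwks)
    return status


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a compact-JWS-shaped string from a constructed header and payload.

    The signature segment is a fixed placeholder, so the result only exercises header
    parsing and key lookup; it can never authenticate anything.
    """
    def enc(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    return f"{enc(header)}.{enc(payload)}.{b64url_encode(b'placeholder-signature')}"


# Constructed sample data: a JWKS with one RSA signing key (dummy public parameters)
# and id_tokens whose headers do and do not reference it.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "key-2025-03", "use": "sig", "alg": "RS256",
         "n": "dummy-modulus", "e": "AQAB"},
    ]
}
SAMPLE_PAYLOAD = {"iss": "https://id.example.test", "sub": "alice", "aud": "client-1"}

TOKEN_WITH_KID = make_unsigned_token(
    {"alg": "RS256", "typ": "JWT", "kid": "key-2025-03"}, SAMPLE_PAYLOAD)
TOKEN_WITHOUT_KID = make_unsigned_token({"alg": "RS256", "typ": "JWT"}, SAMPLE_PAYLOAD)
TOKEN_UNKNOWN_KID = make_unsigned_token(
    {"alg": "RS256", "typ": "JWT", "kid": "rotated-away"}, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for name, tok in [("with kid", TOKEN_WITH_KID), ("without kid", TOKEN_WITHOUT_KID),
                      ("unknown kid", TOKEN_UNKNOWN_KID)]:
        print(f"{name:12s} -> {diagnose(tok, SAMPLE_JWKS)}")
```

To use it against a real deployment, paste the id_token returned by the provider's token endpoint and the JSON from its `jwks_uri` in place of the constructed samples; a `missing-kid` or `kid-not-found` verdict points at the provider's header/JWKS, while `ok` means the failure lies later, in the signature check a JOSE library performs.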
OVERLORD added the bug label 2025-10-08 00:01:46 +03:00

@stonith404 commented on GitHub:

Thanks for reporting. This should be fixed in v0.42.1. The Docker image will be available in a few minutes.

Feel free to comment on this again if the new release doesn't fix the issue.

Reference: starred/pocket-id-pocket-id-1#289