starred/pocket-id-pocket-id-1
1
0
Fork 0
mirror of https://github.com/pocket-id/pocket-id.git synced 2025-12-11 07:42:58 +03:00
Code Issues 122 Packages Projects Releases 10 Wiki Activity

🐛 Bug Report: state #325

New Issue
Closed
opened 2025-10-08 00:03:20 +03:00 by OVERLORD · 5 comments
OVERLORD commented 2025-10-08 00:03:20 +03:00
Owner
Copy Link

Originally created by @PaddyPat on GitHub.

Reproduction steps

Dear Elias,

I was in discussion to enable mailu with openid - pocketid.

There is a team, who implement openid for mailu and as I read from other oidc tools, its well implemented but pocketid ignores a state parameter:


Ah, I think I found the problem. You are right, it seems to be a problem of PocketID. Our request to PocketID contains a state parameter for security reasons. But unfortunately, PocketID seems to ignore such parameters and pp redirects the user only with the code query parameter. Therefore, it might be a good idea to open an issue at PocketID because the state is part of the OpenID Connect standard.

Log infos also in this thread:
https://github.com/heviat/Mailu-OIDC/issues/50#issuecomment-2668746684

Maybe, you could take a look about this issue?
Thanks for your time and this great tool!

Br 👍

Expected behavior

Login should work

Actual Behavior

Ignores login

Version and Environment

.

Log Output

https://github.com/heviat/Mailu-OIDC/issues/50#issuecomment-2659358458

Originally created by @PaddyPat on GitHub. ### Reproduction steps Dear Elias, I was in discussion to enable mailu with openid - pocketid. There is a team, who implement openid for mailu and as I read from other oidc tools, its well implemented but pocketid ignores a *state* parameter: — Ah, I think I found the problem. You are right, it seems to be a problem of PocketID. Our request to PocketID contains a state parameter for security reasons. But unfortunately, PocketID seems to ignore such parameters and pp redirects the user only with the code query parameter. Therefore, it might be a good idea to open an issue at PocketID because the state is part of the OpenID Connect standard. Log infos also in this thread: https://github.com/heviat/Mailu-OIDC/issues/50#issuecomment-2668746684 — Maybe, you could take a look about this issue? Thanks for your time and this great tool! Br 👍 ### Expected behavior Login should work ### Actual Behavior Ignores login ### Version and Environment . ### Log Output https://github.com/heviat/Mailu-OIDC/issues/50#issuecomment-2659358458
OVERLORD added the bug label 2025-10-08 00:03:20 +03:00
OVERLORD commented 2025-10-08 00:03:23 +03:00
Author
Owner
Copy Link

@PaddyPat commented on GitHub:

###
pocketid            | [GIN] 2025/03/01 - 13:15:53 | 200 |    1.390596ms |             ::1 | GET      "/api/users/me"
pocketid            | [GIN] 2025/03/01 - 13:15:53 | 200 |    1.721614ms |             ::1 | GET      "/api/users/me"
pocketid            | [GIN] 2025/03/01 - 13:15:53 | 200 |    6.746687ms |             ::1 | GET      "/api/oidc/clients/34d91019-66ee-4e77-9334-a46b34dc816a"
pocketid            | [GIN] 2025/03/01 - 13:15:53 | 200 |    6.840656ms |             ::1 | GET      "/api/oidc/clients/34d91019-66ee-4e77-9334-a46b34dc816a"
pocketid            | [GIN] 2025/03/01 - 13:15:53 | 200 |     766.932µs |             ::1 | GET      "/api/application-configuration"
pocketid            | [GIN] 2025/03/01 - 13:15:53 | 200 |     810.265µs |             ::1 | GET      "/api/application-configuration"
pocketid            | [GIN] 2025/03/01 - 13:15:54 | 200 |     855.784µs |    11.55.22.11 | POST     "/api/oidc/authorization-required"
pocketid            | [GIN] 2025/03/01 - 13:15:54 | 200 |     917.513µs |    11.55.22.11 | POST     "/api/oidc/authorization-required"
pocketid            | [GIN] 2025/03/01 - 13:15:54 | 200 |   12.517519ms |    11.55.22.11 | POST     "/api/oidc/authorize"
pocketid            | [GIN] 2025/03/01 - 13:15:54 | 200 |   12.572151ms |    11.55.22.11 | POST     "/api/oidc/authorize"
pocketid            | [GIN] 2025/03/01 - 13:15:55 | 200 |  159.076577ms |   22.33.44.55 | POST     "/api/oidc/token"
pocketid            | [GIN] 2025/03/01 - 13:15:55 | 200 |  159.142503ms |   22.33.44.55 | POST     "/api/oidc/token"
pocketid            | 
pocketid            | 
pocketid            | 2025/03/01 13:15:55 [Recovery] 2025/03/01 - 13:15:55 panic recovered:
pocketid            | runtime error: index out of range [1] with length 1
pocketid            | /usr/local/go/src/runtime/panic.go:115 (0x4384d3)
pocketid            | /app/backend/internal/controller/oidc_controller.go:115 (0xd4b5e4)
pocketid            | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/context.go:185 (0xd2c28a)
pocketid            | /app/backend/internal/middleware/jwt_auth.go:30 (0xd7200c)
pocketid            | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/context.go:185 (0xd4498e)
pocketid            | /app/backend/internal/middleware/rate_limit.go:44 (0xd44954)
pocketid            | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/context.go:185 (0xd2c28a)
pocketid            | /app/backend/internal/middleware/error_handler.go:24 (0xd721fb)
pocketid            | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/context.go:185 (0xd2c28a)
pocketid            | /app/backend/internal/middleware/cors.go:31 (0xd721b2)
pocketid            | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/context.go:185 (0xd391e4)
pocketid            | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/logger.go:249 (0xd391cb)
pocketid            | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/context.go:185 (0xd3a0ae)
pocketid            | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/recovery.go:102 (0xd3a09b)
pocketid            | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/context.go:185 (0xd391e4)
pocketid            | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/logger.go:249 (0xd391cb)
pocketid            | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/context.go:185 (0xd385d1)
pocketid            | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/gin.go:633 (0xd38040)
pocketid            | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/gin.go:589 (0xd37b71)
pocketid            | /usr/local/go/src/net/http/server.go:3210 (0x77196d)
pocketid            | /usr/local/go/src/net/http/server.go:2092 (0x750f6f)
pocketid            | /usr/local/go/src/runtime/asm_amd64.s:1700 (0x479d80)
pocketid            | 
pocketid            | [GIN] 2025/03/01 - 13:15:55 | 500 |     551.606µs |   22.33.44.55 | POST     "/api/oidc/userinfo"
@PaddyPat commented on GitHub: ``` ### pocketid | [GIN] 2025/03/01 - 13:15:53 | 200 | 1.390596ms | ::1 | GET "/api/users/me" pocketid | [GIN] 2025/03/01 - 13:15:53 | 200 | 1.721614ms | ::1 | GET "/api/users/me" pocketid | [GIN] 2025/03/01 - 13:15:53 | 200 | 6.746687ms | ::1 | GET "/api/oidc/clients/34d91019-66ee-4e77-9334-a46b34dc816a" pocketid | [GIN] 2025/03/01 - 13:15:53 | 200 | 6.840656ms | ::1 | GET "/api/oidc/clients/34d91019-66ee-4e77-9334-a46b34dc816a" pocketid | [GIN] 2025/03/01 - 13:15:53 | 200 | 766.932µs | ::1 | GET "/api/application-configuration" pocketid | [GIN] 2025/03/01 - 13:15:53 | 200 | 810.265µs | ::1 | GET "/api/application-configuration" pocketid | [GIN] 2025/03/01 - 13:15:54 | 200 | 855.784µs | 11.55.22.11 | POST "/api/oidc/authorization-required" pocketid | [GIN] 2025/03/01 - 13:15:54 | 200 | 917.513µs | 11.55.22.11 | POST "/api/oidc/authorization-required" pocketid | [GIN] 2025/03/01 - 13:15:54 | 200 | 12.517519ms | 11.55.22.11 | POST "/api/oidc/authorize" pocketid | [GIN] 2025/03/01 - 13:15:54 | 200 | 12.572151ms | 11.55.22.11 | POST "/api/oidc/authorize" pocketid | [GIN] 2025/03/01 - 13:15:55 | 200 | 159.076577ms | 22.33.44.55 | POST "/api/oidc/token" pocketid | [GIN] 2025/03/01 - 13:15:55 | 200 | 159.142503ms | 22.33.44.55 | POST "/api/oidc/token" pocketid | pocketid | pocketid | 2025/03/01 13:15:55 [Recovery] 2025/03/01 - 13:15:55 panic recovered: pocketid | runtime error: index out of range [1] with length 1 pocketid | /usr/local/go/src/runtime/panic.go:115 (0x4384d3) pocketid | /app/backend/internal/controller/oidc_controller.go:115 (0xd4b5e4) pocketid | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/context.go:185 (0xd2c28a) pocketid | /app/backend/internal/middleware/jwt_auth.go:30 (0xd7200c) pocketid | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/context.go:185 (0xd4498e) pocketid | /app/backend/internal/middleware/rate_limit.go:44 (0xd44954) pocketid | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/context.go:185 (0xd2c28a) pocketid | /app/backend/internal/middleware/error_handler.go:24 (0xd721fb) pocketid | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/context.go:185 (0xd2c28a) pocketid | /app/backend/internal/middleware/cors.go:31 (0xd721b2) pocketid | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/context.go:185 (0xd391e4) pocketid | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/logger.go:249 (0xd391cb) pocketid | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/context.go:185 (0xd3a0ae) pocketid | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/recovery.go:102 (0xd3a09b) pocketid | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/context.go:185 (0xd391e4) pocketid | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/logger.go:249 (0xd391cb) pocketid | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/context.go:185 (0xd385d1) pocketid | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/gin.go:633 (0xd38040) pocketid | /go/pkg/mod/github.com/gin-gonic/gin@v1.10.0/gin.go:589 (0xd37b71) pocketid | /usr/local/go/src/net/http/server.go:3210 (0x77196d) pocketid | /usr/local/go/src/net/http/server.go:2092 (0x750f6f) pocketid | /usr/local/go/src/runtime/asm_amd64.s:1700 (0x479d80) pocketid | pocketid | [GIN] 2025/03/01 - 13:15:55 | 500 | 551.606µs | 22.33.44.55 | POST "/api/oidc/userinfo" ```
OVERLORD commented 2025-10-08 00:03:23 +03:00
Author
Owner
Copy Link

@PaddyPat commented on GitHub:

pocketid            | [GIN] 2025/03/01 - 18:13:10 | 200 |    5.322931ms |             ::1 | GET      "/api/users/me"
pocketid            | [GIN] 2025/03/01 - 18:13:10 | 200 |    5.424698ms |             ::1 | GET      "/api/users/me"
pocketid            | [GIN] 2025/03/01 - 18:13:10 | 200 |   11.564131ms |             ::1 | GET      "/api/oidc/clients/34d91019-66ee-4e77-9334-a46b34dc816a"
pocketid            | [GIN] 2025/03/01 - 18:13:10 | 200 |   11.635752ms |             ::1 | GET      "/api/oidc/clients/34d91019-66ee-4e77-9334-a46b34dc816a"
pocketid            | [GIN] 2025/03/01 - 18:13:10 | 200 |     1.00304ms |             ::1 | GET      "/api/application-configuration"
pocketid            | [GIN] 2025/03/01 - 18:13:10 | 200 |    1.156209ms |             ::1 | GET      "/api/application-configuration"
pocketid            | [GIN] 2025/03/01 - 18:13:11 | 200 |    1.802315ms |    11.22.33.44 | POST     "/api/oidc/authorization-required"
pocketid            | [GIN] 2025/03/01 - 18:13:11 | 200 |    2.756311ms |    11.22.33.44 | POST     "/api/oidc/authorization-required"
pocketid            | [GIN] 2025/03/01 - 18:13:11 | 200 |   27.848395ms |    11.22.33.44 | POST     "/api/oidc/authorize"
pocketid            | [GIN] 2025/03/01 - 18:13:11 | 200 |   27.920185ms |    11.22.33.44 | POST     "/api/oidc/authorize"
pocketid            | [GIN] 2025/03/01 - 18:13:12 | 200 |  177.808718ms |   44.55.66.77 | POST     "/api/oidc/token"
pocketid            | [GIN] 2025/03/01 - 18:13:12 | 200 |  177.869707ms |   44.55.66.77 | POST     "/api/oidc/token"
pocketid            | [GIN] 2025/03/01 - 18:13:13 | 401 |       79.01µs |   44.55.66.77 | POST     "/api/oidc/userinfo"
pocketid            | Error #01: Missing access token
pocketid            | [GIN] 2025/03/01 - 18:13:13 | 401 |     170.304µs |   44.55.66.77 | POST     "/api/oidc/userinfo"
pocketid            | Error #01: Missing access token
@PaddyPat commented on GitHub: ``` pocketid | [GIN] 2025/03/01 - 18:13:10 | 200 | 5.322931ms | ::1 | GET "/api/users/me" pocketid | [GIN] 2025/03/01 - 18:13:10 | 200 | 5.424698ms | ::1 | GET "/api/users/me" pocketid | [GIN] 2025/03/01 - 18:13:10 | 200 | 11.564131ms | ::1 | GET "/api/oidc/clients/34d91019-66ee-4e77-9334-a46b34dc816a" pocketid | [GIN] 2025/03/01 - 18:13:10 | 200 | 11.635752ms | ::1 | GET "/api/oidc/clients/34d91019-66ee-4e77-9334-a46b34dc816a" pocketid | [GIN] 2025/03/01 - 18:13:10 | 200 | 1.00304ms | ::1 | GET "/api/application-configuration" pocketid | [GIN] 2025/03/01 - 18:13:10 | 200 | 1.156209ms | ::1 | GET "/api/application-configuration" pocketid | [GIN] 2025/03/01 - 18:13:11 | 200 | 1.802315ms | 11.22.33.44 | POST "/api/oidc/authorization-required" pocketid | [GIN] 2025/03/01 - 18:13:11 | 200 | 2.756311ms | 11.22.33.44 | POST "/api/oidc/authorization-required" pocketid | [GIN] 2025/03/01 - 18:13:11 | 200 | 27.848395ms | 11.22.33.44 | POST "/api/oidc/authorize" pocketid | [GIN] 2025/03/01 - 18:13:11 | 200 | 27.920185ms | 11.22.33.44 | POST "/api/oidc/authorize" pocketid | [GIN] 2025/03/01 - 18:13:12 | 200 | 177.808718ms | 44.55.66.77 | POST "/api/oidc/token" pocketid | [GIN] 2025/03/01 - 18:13:12 | 200 | 177.869707ms | 44.55.66.77 | POST "/api/oidc/token" pocketid | [GIN] 2025/03/01 - 18:13:13 | 401 | 79.01µs | 44.55.66.77 | POST "/api/oidc/userinfo" pocketid | Error #01: Missing access token pocketid | [GIN] 2025/03/01 - 18:13:13 | 401 | 170.304µs | 44.55.66.77 | POST "/api/oidc/userinfo" pocketid | Error #01: Missing access token ```
OVERLORD commented 2025-10-08 00:03:25 +03:00
Author
Owner
Copy Link

@stonith404 commented on GitHub:

Could you try the ghcr.io/pocket-id/pocket-id:development image and let me know if this works now?

@stonith404 commented on GitHub: Could you try the `ghcr.io/pocket-id/pocket-id:development` image and let me know if this works now?
OVERLORD commented 2025-10-08 00:03:25 +03:00
Author
Owner
Copy Link

@stonith404 commented on GitHub:

Thanks. Yeah, that's a problem of Mailu. The access token must be sent in the authorization header as an bearer token.

Because of that I'm closing this issue.

@stonith404 commented on GitHub: Thanks. Yeah, that's a problem of Mailu. The access token [must be sent in the authorization header as an bearer token](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo). Because of that I'm closing this issue.
OVERLORD commented 2025-10-08 00:03:26 +03:00
Author
Owner
Copy Link

@stonith404 commented on GitHub:

It seems like Mailu doesn't send an access token. Can you try the latest ghcr.io/pocket-id/pocket-id:development image again and confirm that Pocket ID logs "Missing access token"?

@stonith404 commented on GitHub: It seems like Mailu doesn't send an access token. Can you try the latest `ghcr.io/pocket-id/pocket-id:development` image again and confirm that Pocket ID logs "Missing access token"?
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
breaking
bug
documentation
feature
needs more upvotes
open to pull requests
pull-request
Mirrored from GitHub Pull Request
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pocket-id-pocket-id-1#325
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?