🐛 Bug Report: Lubelogger - LogoutURL re-directs to Pocket-ID Admin panel authentication page #345

Closed
opened 2025-10-08 00:04:23 +03:00 by OVERLORD · 7 comments
Owner

Originally created by @truncsphere on GitHub.

Reproduction steps

I configured Lubelogger to use the logout URL of OpenIDConfig__LogOutURL=https://example.com/api/oidc/end-session . When I go to logout of lubelogger, pocket-id asks for confirmation of signing out. Upon signing out I'm taken to the pocket-id authentication screen for the admin panel.

Expected behavior

I'm expecting it to take me back to the Lubelogger authentication page. Lubelogger does not have a Logout Callback URL that I could find.

Actual Behavior

Instead of re-authenticating for Lubelogger, pocket-id asks to authenticate to the admin panel.
I do see an error in the log, but not sure how to proceed.

Version and Environment

Docker
v0.33.0

Log Output

[GIN] 2025/02/15 - 15:52:24 | 200 | 288.87µs | ::1 | GET "/api/oidc/clients/84b5faab-b70b-4674-9d0a-27a46d3afe51"
[GIN] 2025/02/15 - 15:52:24 | 200 | 301.594µs | ::1 | GET "/api/oidc/clients/84b5faab-b70b-4674-9d0a-27a46d3afe51"
[GIN] 2025/02/15 - 15:52:24 | 200 | 98.905µs | ::1 | GET "/api/application-configuration"
[GIN] 2025/02/15 - 15:52:24 | 200 | 108.112µs | ::1 | GET "/api/application-configuration"
[GIN] 2025/02/15 - 15:52:27 | 200 | 2.088015ms | 192.168.41.1 | GET "/api/webauthn/login/start"
[GIN] 2025/02/15 - 15:52:27 | 200 | 2.104486ms | 192.168.41.1 | GET "/api/webauthn/login/start"
[GIN] 2025/02/15 - 15:52:29 | 200 | 3.790258ms | 192.168.41.1 | POST "/api/webauthn/login/finish"
[GIN] 2025/02/15 - 15:52:29 | 200 | 3.811498ms | 192.168.41.1 | POST "/api/webauthn/login/finish"
[GIN] 2025/02/15 - 15:52:29 | 200 | 294.681µs | 192.168.41.1 | POST "/api/oidc/authorization-required"
[GIN] 2025/02/15 - 15:52:29 | 200 | 313.016µs | 192.168.41.1 | POST "/api/oidc/authorization-required"
[GIN] 2025/02/15 - 15:52:29 | 200 | 3.001925ms | 192.168.41.1 | POST "/api/oidc/authorize"
[GIN] 2025/02/15 - 15:52:29 | 200 | 3.016171ms | 192.168.41.1 | POST "/api/oidc/authorize"
[GIN] 2025/02/15 - 15:52:30 | 200 | 50.949011ms | 192.168.41.1 | POST "/api/oidc/token"
[GIN] 2025/02/15 - 15:52:30 | 200 | 50.967636ms | 192.168.41.1 | POST "/api/oidc/token"
2025/02/15 15:52:33 Error getting logout callback URL, the user has to confirm the logout manually: Token is invalid
[GIN] 2025/02/15 - 15:52:33 | 302 | 148.477µs | 192.168.41.1 | GET "/api/oidc/end-session"
[GIN] 2025/02/15 - 15:52:33 | 302 | 160.841µs | 192.168.41.1 | GET "/api/oidc/end-session"
[GIN] 2025/02/15 - 15:52:33 | 200 | 361.476µs | ::1 | GET "/api/users/me"
[GIN] 2025/02/15 - 15:52:33 | 200 | 375.493µs | ::1 | GET "/api/users/me"
[GIN] 2025/02/15 - 15:52:33 | 200 | 131.005µs | ::1 | GET "/api/application-configuration"
[GIN] 2025/02/15 - 15:52:33 | 200 | 142.285µs | ::1 | GET "/api/application-configuration"
[GIN] 2025/02/15 - 15:52:36 | 204 | 138.419µs | 192.168.41.1 | POST "/api/webauthn/logout"
[GIN] 2025/02/15 - 15:52:36 | 204 | 155.38µs | 192.168.41.1 | POST "/api/webauthn/logout"

OVERLORD added the bug label 2025-10-08 00:04:23 +03:00

@sevensolutions commented on GitHub:

Looks like I have the same problem while investigating https://github.com/sevensolutions/traefik-oidc-auth/issues/91.
My end-session request contains a post_logout_redirect_uri as well as id_token_hint and some state, but the response from end-session is always a redirect to http://localhost:3000/logout, which then returns another redirect to http://localhost:3000/login again, completely losing context.

This is the full end-session url:

http://localhost:3000/api/oidc/end-session?client_id=61be4f8e-ed84-413f-9198-10c455f1fdfc&id_token_hint=eyJhbGciO....0bDw8VlIw&post_logout_redirect_uri=https%3A%2F%2Fauth.127.0.0.1.sslip.io%2Foidc%2Fcallback&state=eyJhY3Rpb24iOiJMb2dvdXQiLCJyZWRpcmVjdF91cmwiOiJodHRwczovL3RyYWVmaWsuMTI3LjAuMC4xLnNzbGlwLmlvLyJ9


@stonith404 commented on GitHub:

@sevensolutions Did you add the post logout URL in Pocket ID in the client settings?


@kmendell commented on GitHub:

When you added the end session endpoint, did you completely recreate the container? I don't use lube logger, but in the past with other containers, they needed to be fully recreated. See this issue as well: https://github.com/pocket-id/pocket-id/issues/237


@stonith404 commented on GitHub:

Pocket ID can't redirect you back because Lubelogger [doesn't provide](https://github.com/hargata/lubelog/blob/efa2bbf6cc12b6dbc9fa62d8adde889da76ea76a/Controllers/LoginController.cs#L299) a `post_logout_redirect_uri` and `id_token_hint`. Because of that this behavior is expected.
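
The behaviour described in the comment above, as an added sketch of OpenID Connect RP-Initiated Logout (not code from Pocket ID, Lubelogger or traefik-oidc-auth). The function names, the `verify` hook, the client ID and the example.org URLs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// BuildEndSessionURL (RP side) attaches the RP-Initiated Logout parameters
// to the OP's end-session endpoint; empty values are left out.
func BuildEndSessionURL(endpoint, clientID, idToken, postLogout, state string) string {
	q := url.Values{"client_id": {clientID}}
	for k, v := range map[string]string{"id_token_hint": idToken,
		"post_logout_redirect_uri": postLogout, "state": state} {
		if v != "" {
			q.Set(k, v)
		}
	}
	return endpoint + "?" + q.Encode()
}

// DecideLogout (OP side) returns the redirect target, or "" plus the reason
// the user stays at the OP. verify is a hypothetical hook that checks the ID
// token's signature and returns the client it was issued to.
func DecideLogout(raw, clientID string, allowed []string, verify func(string) (string, bool)) (string, string) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", "malformed request"
	}
	q, hint := u.Query(), u.Query().Get("id_token_hint")
	if aud, ok := verify(hint); hint == "" || !ok || aud != clientID {
		return "", "id_token_hint missing or invalid: manual confirmation, no redirect"
	}
	for _, a := range allowed { // exact match against the registered URLs only
		if a == q.Get("post_logout_redirect_uri") {
			back, _ := url.Parse(a)
			bq := back.Query()
			if s := q.Get("state"); s != "" {
				bq.Set("state", s) // state is echoed back to the RP unchanged
			}
			back.RawQuery = bq.Encode()
			return back.String(), "redirect"
		}
	}
	return "", "post_logout_redirect_uri not registered for this client"
}

func main() { // constructed values; a request with only client_id gets no redirect
	verify := func(t string) (string, bool) { return "rp-1", t == "constructed-token" }
	fmt.Println(DecideLogout(BuildEndSessionURL("https://op.example.org/api/oidc/end-session", "rp-1", "", "", ""), "rp-1", nil, verify))
}
```

The exact-match allowlist is what keeps the end-session endpoint from acting as an open redirector, which is why the callback has to be registered in the client settings before any redirect happens.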

@sevensolutions commented on GitHub:

@stonith404 yes.

Image

@sevensolutions commented on GitHub:

Ok, I'm so sorry, this was my fault.
It looks like providing the id_token_hint really fixed it, but I don't know why it wasn't working the first time. Maybe some caching problem, but it's working now.
I tested it two more times and it's working correctly.

Image

@stonith404 commented on GitHub:

@sevensolutions Ok. Can you share the Pocket ID logs? Pocket ID logs the reason why you don't get redirected.


Reference: starred/pocket-id-pocket-id-1#345