🐛 Bug Report: Caddy can't fetch metadata for OAuth 2.0 authorization server #387

Closed
opened 2025-10-08 00:06:19 +03:00 by OVERLORD · 13 comments

Originally created by @myhrmans on GitHub.

### Reproduction steps

*Running on remote computer/server

1. Download latest Pocket-id and change exposed port to 3333
2. Run Caddy as docker using caddy security
3. Proxy Pocket-id to get https to setup webauth
   ```
   id.<url>.com {
       reverse_proxy 192.168.1.111:3333
       header Strict-Transport-Security max-age=31536000;
   }
   ```
4. Start using this env file:
   ```
   PUBLIC_APP_URL=https://id.<url>.com
   TRUST_PROXY=true
   MAXMIND_LICENSE_KEY=
   PUID=1000
   PGID=1000
   PORT=3333
   ```
5. Setup OIDC according to the docs
6. Take down Caddy
7. Change caddy to the new configuration:
   ```
   {
       http_port 443

       order authenticate before respond
       security {
           oauth identity provider generic {
               realm generic
               driver generic
               client_id <id from step 4>
               client_secret <secret from step 4>
               scopes openid email profile
               base_auth_url http://localhost:3333
               metadata_url http://localhost:3333/.well-known/openid-configuration
           }

           authentication portal myportal {
               crypto default token lifetime 3600 # Seconds until you have to re-authenticate
               enable identity provider generic
               cookie insecure off # Set to "on" if you're not using HTTPS

               transform user {
                   match realm generic
                   action add role user
               }
           }

           authorization policy mypolicy {
               set auth url /auth/oauth2/generic
               allow roles user
               inject headers with claims
           }
       }
   }
   ```

### Expected behavior

Caddy to be able to start

### Actual Behavior

Caddy does not start. It can't connect.

I get "failed to fetch metadata for OAuth 2.0 authorization server".

Opening http:<ip of remote server>:3333/.well-known/openid-configuration shows a json array with the correct info.

```
Attaching to caddy
caddy  | {"level":"info","ts":1737370900.6421924,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
caddy  | {"level":"info","ts":1737370900.6445582,"msg":"adapted config to JSON","adapter":"caddyfile"}
caddy  | {"level":"warn","ts":1737370900.6445732,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
caddy  | {"level":"info","ts":1737370900.6456754,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy  | {"level":"warn","ts":1737370900.6458776,"logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":443}
caddy  | {"level":"info","ts":1737370900.6458824,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0016b1700"}
caddy  | {"level":"info","ts":1737370900.6467426,"logger":"security","msg":"provisioning app instance","app":"security"}
caddy  | {"level":"error","ts":1737370900.6473093,"logger":"security","msg":"failed provisioning app server instance","app":"security","error":"server initialization failed: failed configuring identity provider: failed to fetch metadata for OAuth 2.0 authorization server: Get \"http://localhost:3333/.well-known/openid-configuration\": read tcp 127.0.0.1:34822->127.0.0.1:3333: read: connection reset by peer"}
caddy  | {"level":"info","ts":1737370900.6473627,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc0016b1700"}
caddy  | Error: loading initial config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 10: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'authenticator': provision http.handlers.authenticator: loading security app module: provision security: server initialization failed: failed configuring identity provider: failed to fetch metadata for OAuth 2.0 authorization server: Get "http://localhost:3333/.well-known/openid-configuration": read tcp 127.0.0.1:34822->127.0.0.1:3333: read: connection reset by peer
caddy exited with code 1
```
OVERLORD added the bug label 2025-10-08 00:06:19 +03:00

@myhrmans commented on GitHub:

![Image](https://github.com/user-attachments/assets/15f8fd86-158a-4454-9278-4fb522c284b5)


@stonith404 commented on GitHub:

Oh yeah that might be the problem. You have configured the reverse proxy for Pocket ID in the same Caddyfile as you have the caddy-security configuration, right?


@stonith404 commented on GitHub:

Can you try to set `metadata_url` and `base_auth_url` to `id.<url>.com`?

`metadata_url` must be accessible by Caddy and `base_auth_url` by the browser.


@myhrmans commented on GitHub:

Will caddy start the reverse proxy of pocket-id before caddy-security is trying to access it?


@myhrmans commented on GitHub:

Same issue unfortunately

```
caddy  | {"level":"info","ts":1737372713.2949867,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
caddy  | {"level":"info","ts":1737372713.2973747,"msg":"adapted config to JSON","adapter":"caddyfile"}
caddy  | {"level":"warn","ts":1737372713.2973888,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
caddy  | {"level":"info","ts":1737372713.298568,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//127.0.0.1:2019","//localhost:2019","//[::1]:2019"]}
caddy  | {"level":"warn","ts":1737372713.2988038,"logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":443}
caddy  | {"level":"info","ts":1737372713.2988708,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00124e080"}
caddy  | {"level":"info","ts":1737372713.299574,"logger":"security","msg":"provisioning app instance","app":"security"}
caddy  | {"level":"error","ts":1737372713.3221333,"logger":"security","msg":"failed provisioning app server instance","app":"security","error":"server initialization failed: failed configuring identity provider: failed to fetch metadata for OAuth 2.0 authorization server: Get \"https://id.<url>.com/.well-known/openid-configuration\": dial tcp <ip>:443: connect: connection refused"}
caddy  | {"level":"info","ts":1737372713.3222158,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc00124e080"}
caddy  | Error: loading initial config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 10: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'authenticator': provision http.handlers.authenticator: loading security app module: provision security: server initialization failed: failed configuring identity provider: failed to fetch metadata for OAuth 2.0 authorization server: Get "https://id.<url>.com/.well-known/openid-configuration": dial tcp <ip>:443: connect: connection refused
caddy exited with code 1
```
@stonith404 commented on GitHub:

Maybe this helps? https://docs.authcrunch.com/docs/authenticate/oauth/backend-oauth2-endpoint#oauth-20-endpoint-delayed-start


@myhrmans commented on GitHub:

> Oh yeah that might be the problem. You have configured the reverse proxy for Pocket ID in the same Caddyfile as you have the `caddy-security` configuration, right?

Yes, that's correct!

Here are the curls:

`curl http://localhost:3333`
returns nothing.

`curl http://localhost:3333/.well-known/openid-configuration`
returns

```
{"authorization_endpoint":"https://id.<url>.com/authorize","claims_supported":["sub","given_name","family_name","name","email","email_verified","preferred_username"],"id_token_signing_alg_values_supported":["RS256"],"issuer":"https://id.<url>.com","jwks_uri":"https://id.<url>.com/.well-known/jwks.json","response_types_supported":["code","id_token"],"scopes_supported":["openid","profile","email"],"subject_types_supported":["public"],"token_endpoint":"https://id.<url>.com/api/oidc/token","userinfo_endpoint":"https://id.<url>.com/api/oidc/userinfo"}
```

@jmadden91 commented on GitHub:

I had this same problem. I commented out my caddy-security block, but left the reverse proxy for pocket-id.mydomain.com

Then started caddy, then once caddy was running, I uncommented the security block and reloaded my caddyfile


@stonith404 commented on GitHub:

In that case it makes sense that you've set `metadata_url` to `localhost:3333`. What happens if you run `curl http://localhost:3333`?


@myhrmans commented on GitHub:

> I had this same problem. I commented out my caddy-security block, but left the reverse proxy for pocket-id.mydomain.com
>
> Then started caddy, then once caddy was running, I uncommented the security block and reloaded my caddyfile

That does solve it, but seems like an inconvenience. Maybe we can find a more permanent solution for this?


@myhrmans commented on GitHub:

Yes! I just found this as well after trying multiple approaches haha. Came here to say that looks like a solution!


@jmadden91 commented on GitHub:

> Great. Do you think `delay_start 1` would be sufficient or to which value did you set it?

I just tested `delay_start 1` and it works fine

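To put the two fixes from this thread together (the public hostname for `metadata_url`/`base_auth_url`, and a delayed start so the `reverse_proxy` route for Pocket ID is already serving when caddy-security fetches the discovery document), here is a complete Caddyfile. It is an added example, not configuration from the thread, from Pocket ID or from the caddy-security project. Assumptions: the hostnames `id.<url>.com` and `app.<url>.com`, the app upstream `192.168.1.112:8080`, the `route` layout with `authenticate with` / `authorize with`, and the placement of `delay_start` inside the `oauth identity provider` block (as on the authcrunch page linked above). The `http_port 443` global option from the original config is left out: the startup log showed it makes Caddy listen plain HTTP on 443 and disables automatic HTTPS, so the `https://` metadata URL could never be served.

```caddyfile
{
    order authenticate before respond
    order authorize before respond

    security {
        oauth identity provider generic {
            realm generic
            driver generic
            client_id <client id from Pocket ID>
            client_secret <client secret from Pocket ID>
            scopes openid email profile
            # Both URLs use the public hostname: the browser must reach
            # base_auth_url, Caddy itself must reach metadata_url, and the
            # discovery document's "issuer" is https://id.<url>.com, so a
            # localhost URL would not correspond to it.
            base_auth_url https://id.<url>.com
            metadata_url https://id.<url>.com/.well-known/openid-configuration
            # Postpone the first metadata fetch so the id.<url>.com site
            # block below is up before it runs (value confirmed in this thread).
            delay_start 1
        }

        authentication portal myportal {
            crypto default token lifetime 3600 # seconds until re-authentication
            enable identity provider generic
            cookie insecure off # cookies are Secure; the portal is served over HTTPS

            transform user {
                match realm generic
                action add role user
            }
        }

        authorization policy mypolicy {
            set auth url /auth/oauth2/generic
            allow roles user
            inject headers with claims
        }
    }
}

# Pocket ID, reachable by browsers and by Caddy's own metadata fetch.
id.<url>.com {
    reverse_proxy 192.168.1.111:3333
    header Strict-Transport-Security max-age=31536000;
}

# The application to protect (hostname and upstream are assumed placeholders).
app.<url>.com {
    # Portal routes: login, OAuth callback, logout.
    route /auth* {
        authenticate with myportal
    }
    # Everything else requires a valid session with the "user" role.
    route /* {
        authorize with mypolicy
        reverse_proxy 192.168.1.112:8080
    }
}
```

After editing, `caddy validate --config /etc/caddy/Caddyfile` checks the syntax, and a successful start should show the `security` app provisioned without the "failed to fetch metadata" error; if the fetch still fails, verify from inside the Caddy container that `https://id.<url>.com/.well-known/openid-configuration` resolves to Caddy itself rather than to a firewall-blocked address (the "connection refused" log above is the symptom of that).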

@stonith404 commented on GitHub:

Great. Do you think `delay_start 1` would be sufficient or to which value did you set it?


Reference: starred/pocket-id-pocket-id-1#387