🐛 Bug Report: please write a guide to use caddy proxy before pocketid #459

Closed
opened 2025-10-08 00:09:36 +03:00 by OVERLORD · 6 comments

Originally created by @PaddyPat on GitHub.

Reproduction steps

Tried your guide, thanks for this nice tool!

Successfully authenticated via passkey in Pocket ID (Pocket ID is behind my main Caddy, like all my services).

If I access the Pocket ID /.well-known endpoint from my browser/client, I receive a 200 and see the auth URLs.

If I use, for example, Mealie (also behind the Caddy proxy) and enable OIDC, I receive a 40x error.

Secret and key are valid; I tried it several times.

Maybe it would help to see a Caddy example in front of your Pocket ID, with Mealie as an OIDC client.

Br

Expected behavior

Should work ;-)

Actual Behavior

Can't auth: it works directly via the Pocket ID URL, but not as an OIDC provider.

OVERLORD added the bug label 2025-10-08 00:09:36 +03:00

@stonith404 commented on GitHub:

Ok but in that case the issue isn't Caddy because FreshRSS can access Pocket ID. As I don't know your entire setup I can't really help you further. But we know now that the issue isn't Pocket ID or Caddy.

I've successfully configured Pocket ID with Mealie with the following configuration:

```
services:
  mealie:
    image: ghcr.io/mealie-recipes/mealie:v2.0.0
    ports:
      - "9925:9000"
    environment:
      ALLOW_SIGNUP: "true"
      PUID: 1000
      PGID: 1000
      TZ: America/Anchorage
      MAX_WORKERS: 1
      WEB_CONCURRENCY: 1
      BASE_URL: http://localhost:9925
      OIDC_AUTH_ENABLED: true
      OIDC_CONFIGURATION_URL: https://pocket-id.mydomain.com/.well-known/openid-configuration
      OIDC_CLIENT_ID: 27a35d23-2fc1-4676-b186-3cdf25c83215
      OIDC_CLIENT_SECRET: eiIP5N416dOGFGFIpGApBae6Mhnht9Rb
```

@PaddyPat commented on GitHub:

Caddyfile (my Caddy proxy, not the internal one from this project):

```
#pocketid
pocketid.server01.domain.com {
    reverse_proxy http://172.17.0.1:3000

    # Enable HSTS to enforce HTTPS with a max-age of 1 year and include subdomains
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    }

    # Restrict to modern and secure TLS versions only (TLS 1.2 and 1.3)
    tls {
        protocols tls1.2 tls1.3
        ciphers TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256
    }
}
```

docker-compose for Pocket ID + .env:

```
services:
  pocket-id:
    image: stonith404/pocket-id:latest
    container_name: pocketid
    restart: unless-stopped
    env_file: .env
    ports:
      - 172.17.0.1:3000:80
    volumes:
      - "./data:/app/backend/data"
    networks:
      pocketid_compose:
        ipv4_address: 10.201.112.2

networks:
  pocketid_compose:
    driver: bridge
    ipam:
      config:
        - subnet: 10.201.112.0/24
```

.env content for Pocket ID:

```
PUBLIC_APP_URL=https://pocketid.server01.domain.com
TRUST_PROXY=true
```

docker-compose for Mealie:

```
version: "3.1"
services:
  mealie:
    image: hkotel/mealie
    container_name: mealie
    restart: unless-stopped
    depends_on:
      - "postgres"
    ports:
      - 172.17.0.1:9925:9000
    environment:
      PUID: 1000
      PGID: 1000
      TZ: Europe/Berlin

      BASE_URL: https://mealie.server01.domain.com

      DB_ENGINE: postgres
      POSTGRES_USER: xxXXxx
      POSTGRES_PASSWORD: xxXXxx
      POSTGRES_SERVER: postgres
      POSTGRES_PORT: 5432
      POSTGRES_DB: mealie
      # WORKERS_PER_CORE: 0.5
      # MAX_WORKERS: 8
      WEB_CONCURRENCY: 2

      ALLOW_SIGNUP: "true"
      LOG_LEVEL: debug
      # OIDC PocketID
      OIDC_AUTH_ENABLED: true
      # OIDC_SIGNUP_ENABLED: true
      OIDC_CONFIGURATION_URL: https://pocketid.server01.domain.com/.well-known/openid-configuration
      OIDC_CLIENT_ID: "112a2a91xxxxx"
      OIDC_CLIENT_SECRET: "xxxxx"
      # OIDC_AUTO_REDIRECT: true
      OIDC_PROVIDER_NAME: "Pocket ID"
      # OIDC_USER_CLAIM: openid profile email
      OIDC_USER_CLAIM: "email"
      # openid profile email
      OIDC_TLS_CACERTFILE: https://pocketid.server01.domain.com/.well-known/jwks.json

    volumes:
      - ./data/:/app/data

    networks:
      mealie_compose:
        ipv4_address: 10.201.110.2

  postgres:
    container_name: postgres
    image: postgres
    restart: unless-stopped
    environment:
      POSTGRES_PASSWORD: xxXXxx
      POSTGRES_USER: xxXXxx

    volumes:
      - ./postgres:/var/lib/postgresql/data

    networks:
      mealie_compose:
        ipv4_address: 10.201.110.3

networks:
  mealie_compose:
    driver: bridge
    ipam:
      config:
        - subnet: 10.201.110.0/24
```

ufw allows access from 10.201.110.2 to the main Caddy container, so from Mealie I can reach it via `curl -vv https://pocketid.server01.domain.com/.well-known/openid-configuration`.

Log from Pocket ID:

```
pocketid  | [GIN] 2024/10/28 - 06:48:55 | 403 |       4.733µs |   30.40.50.60 | GET      "/.well-known/openid-configuration"
pocketid  | [GIN] 2024/10/28 - 06:48:55 | 403 |      45.673µs |   30.40.50.60 | GET      "/.well-known/openid-configuration"
pocketid  | [GIN] 2024/10/28 - 06:48:57 | 403 |       4.564µs |   30.40.50.60 | GET      "/.well-known/openid-configuration"
pocketid  | [GIN] 2024/10/28 - 06:48:57 | 403 |      44.475µs |   30.40.50.60 | GET      "/.well-known/openid-configuration"
```

Log from Mealie:

```
mealie    | INFO     2024-10-28T07:48:55 - [30.40.50.60:0] 200 OK "GET /api/app/about HTTP/1.1"
mealie    | INFO     2024-10-28T07:48:56 - [30.40.50.60:0] 200 OK "GET /api/app/about HTTP/1.1"
mealie    | INFO     2024-10-28T07:48:56 - [30.40.50.60:0] 200 OK "GET /api/app/about/startup-info HTTP/1.1"
mealie    | INFO     2024-10-28T07:48:56 - [30.40.50.60:0] 200 OK "GET /sw.js HTTP/1.1"
mealie    | INFO     2024-10-28T07:48:57 - [30.40.50.60:0] 200 OK "GET /null?protocol=oauth2&response_type=code&access_type&client_id=afe8b0dXXXXXXXXXXXXXXXXXe&redirect_uri=https%3A%2F%2Fmealie.server01.domain.com%2Flogin&scope=openid%20profile%20email&state=0zdl8yzrut&code_challenge_method=S256&code_challenge=gtXXXXXXXXXXXXXXXXXXXXq2ukjY HTTP/1.1"
mealie    | INFO     2024-10-28T07:48:58 - [30.40.50.60:0] 200 OK "GET /sw.js HTTP/1.1"
mealie    | INFO     2024-10-28T07:49:16 - [127.0.0.1:55244] 200 OK "GET /api/app/about HTTP/1.1"
mealie    | INFO     2024-10-28T07:49:46 - [127.0.0.1:41778] 200 OK "GET /api/app/about HTTP/1.1"
mealie    | INFO     2024-10-28T07:50:16 - [127.0.0.1:42764] 200 OK "GET /api/app/about HTTP/1.1"
```

I also tried it with FreshRSS (also 400/403); I can't reach /api:

```
pocketid | [GIN] 2024/10/28 - 07:19:53 | 403 | 375.732µs | 30.40.50.60 | POST "/api/oidc/authorize"
pocketid | [GIN] 2024/10/28 - 07:19:53 | 403 | 401.208µs | 30.40.50.60 | POST "/api/oidc/authorize"
pocketid | [GIN] 2024/10/28 - 07:19:54 | 400 | 562.693µs | 30.40.50.60 | POST "/api/oidc/authorize/new-client"
pocketid | [GIN] 2024/10/28 - 07:19:54 | 400 | 588.623µs | 30.40.50.60 | POST "/api/oidc/authorize/new-client"
```


@PaddyPat commented on GitHub:

FreshRSS works; the issue was a trailing slash at the end of the callback URL:
https://freshrss.server01.domain.com/i/oidc/

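Two checks that fall out of this thread, written as an added example (not code from the Pocket ID, Mealie or FreshRSS projects, nor from the thread's author): first, whether the discovery document a relying party fetches through the proxy is actually usable (issuer and endpoints on the public https origin, PKCE advertised), which is what the 403s on `/.well-known/openid-configuration` and the `GET /null?...` line in the Mealie log are about; second, the trailing-slash problem from the FreshRSS callback URL, which is a consequence of redirect URIs being compared by plain string match. The discovery JSON, endpoint paths and the log line below are constructed to resemble the thread and are assumptions, not Pocket ID's real responses.

```python
"""Added example: offline checks for an OIDC provider behind a reverse proxy.
Discovery documents, endpoint paths and the log line are constructed;
hostnames are the placeholders used in the thread."""
from __future__ import annotations

import json
from urllib.parse import parse_qs, urlsplit

CONFIGURED_ISSUER = "https://pocketid.server01.domain.com"

# Constructed: what a provider might return if the proxied scheme/host are not
# honoured (e.g. PUBLIC_APP_URL unset or the proxy not trusted).
DISCOVERY_VIA_PROXY_BROKEN = json.dumps({
    "issuer": "http://172.17.0.1:3000",
    "authorization_endpoint": "http://172.17.0.1:3000/authorize",
    "token_endpoint": "http://172.17.0.1:3000/api/oidc/token",
    "jwks_uri": "http://172.17.0.1:3000/.well-known/jwks.json",
    "code_challenge_methods_supported": ["S256"],
})

# Constructed: the healthy case, everything under the public https origin.
DISCOVERY_OK = json.dumps({
    "issuer": CONFIGURED_ISSUER,
    "authorization_endpoint": CONFIGURED_ISSUER + "/authorize",
    "token_endpoint": CONFIGURED_ISSUER + "/api/oidc/token",
    "jwks_uri": CONFIGURED_ISSUER + "/.well-known/jwks.json",
    "code_challenge_methods_supported": ["S256"],
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc_json: str, configured_issuer: str) -> list[str]:
    """Return findings; an empty list means the document is usable by an RP.
    OpenID Connect Discovery requires `issuer` to equal the issuer the RP was
    configured with (exact string match), and the endpoints should be https
    on that same host, otherwise the RP will talk to an internal address."""
    findings: list[str] = []
    doc = json.loads(doc_json)
    expected_host = urlsplit(configured_issuer).netloc
    issuer = doc.get("issuer", "")
    if issuer != configured_issuer:
        findings.append(f"issuer mismatch: OP says {issuer!r}, RP expects {configured_issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            findings.append(f"missing {key}")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{key} not https: {url}")
        if parts.netloc != expected_host:
            findings.append(f"{key} host {parts.netloc!r} differs from {expected_host!r}")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        findings.append("PKCE S256 not advertised")
    return findings


def redirect_uri_matches(registered: str, requested: str) -> bool:
    """RFC 6749 section 3.1.2.3: redirect URIs are compared by simple string
    comparison with no normalisation, so '/i/oidc' and '/i/oidc/' differ."""
    return registered == requested


def _request_path(log_line: str) -> str | None:
    """Extract the request target from an access-log line of the form ... "GET /path HTTP/1.1"."""
    start = log_line.find('"GET ')
    if start == -1:
        return None
    return log_line[start + 5:].split(" ", 1)[0]


def redirect_uri_from_log(log_line: str) -> str | None:
    """Pull redirect_uri out of an authorization request seen in an RP log."""
    path = _request_path(log_line)
    if path is None:
        return None
    values = parse_qs(urlsplit(path).query).get("redirect_uri")
    return values[0] if values else None


def authorize_target_is_unset(log_line: str) -> bool:
    """True when the browser was sent to the RP's own '/null' path with OAuth
    parameters: consistent with the RP having no authorization_endpoint
    because discovery failed (the 403 seen in the Pocket ID log)."""
    path = _request_path(log_line)
    return path is not None and urlsplit(path).path == "/null"


# Constructed log line modelled on the one in the thread (client_id shortened).
SAMPLE_LOG_LINE = (
    'mealie | INFO 2024-10-28T07:48:57 - [30.40.50.60:0] 200 OK "GET /null?'
    'protocol=oauth2&response_type=code&client_id=afe8b0d&redirect_uri='
    'https%3A%2F%2Fmealie.server01.domain.com%2Flogin&scope=openid%20profile'
    '%20email&state=0zdl8yzrut&code_challenge_method=S256 HTTP/1.1"'
)

if __name__ == "__main__":
    print(check_discovery(DISCOVERY_VIA_PROXY_BROKEN, CONFIGURED_ISSUER))
    print(check_discovery(DISCOVERY_OK, CONFIGURED_ISSUER))
    sent = redirect_uri_from_log(SAMPLE_LOG_LINE)
    print(sent, redirect_uri_matches("https://mealie.server01.domain.com/login/", sent))
    print(authorize_target_is_unset(SAMPLE_LOG_LINE))
```

Run it against a real document by replacing the constructed JSON with the body of `curl -s https://<your-issuer>/.well-known/openid-configuration` fetched from inside the client container, not from your workstation: the thread shows the two can differ (200 from the browser, 403 from the container's source address).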

@stonith404 commented on GitHub:

With FreshRSS you get the error that the client secret is wrong, but "/.well-known/openid-configuration" is accessible, right?

If you get this error, the issue is that the client secret is wrong; there is no other cause. Please double-check the client secret for any extra spaces or formatting issues to ensure it's entered exactly as provided.


@stonith404 commented on GitHub:

Please share the errors that you get from Mealie e.g. screenshots or logs.


@PaddyPat commented on GitHub:

Thanks for your help!
It was Mealie image related!
(I had OIDC issues with the image hkotel/mealie; ghcr.io/mealie-recipes/mealie:v2.0.0 works fine.)

Reference: starred/pocket-id-pocket-id-1#459