🐛 Bug Report: OIDC not working with Cloudflare Access #491

New Issue

Closed

opened 2025-10-08 00:10:54 +03:00 by OVERLORD · 4 comments

OVERLORD commented 2025-10-08 00:10:54 +03:00

Owner

Copy Link

Originally created by @Rxyanlaw on GitHub.

Reproduction steps

Make a Cloudflare Access application
Add Pocket ID as custom OIDC provider
Test the OIDC provider
Cloudflare Access throws "OIDC ERROR: Failed to exchange code for token. Make sure the client secret is correct.
undefined"

I am using Pocket ID behind Traefik and used issue #11's fix to at least get to the setup page but /api/oidc/token returns 404 not found

Expected behavior

It should successfully exchange code for token and complete the authentication.

Actual Behavior

Originally created by @Rxyanlaw on GitHub. ### Reproduction steps Make a Cloudflare Access application Add Pocket ID as custom OIDC provider Test the OIDC provider Cloudflare Access throws "OIDC ERROR: Failed to exchange code for token. Make sure the client secret is correct. undefined" I am using Pocket ID behind Traefik and used issue #11's fix to at least get to the setup page but /api/oidc/token returns 404 not found ### Expected behavior It should successfully exchange code for token and complete the authentication. ### Actual Behavior 

OVERLORD added the bug label 2025-10-08 00:10:54 +03:00

OVERLORD closed this issue 2025-10-08 00:10:55 +03:00

OVERLORD commented 2025-10-08 00:10:57 +03:00

Author

Owner

Copy Link

@Rxyanlaw commented on GitHub:

I fixed the issue. I had my Cloudflare Access policy on *.example.com so it was protecting every subdomain. Adding an exclusion for the authentication subdomain fixed the issue. Thank you.

@Rxyanlaw commented on GitHub: I fixed the issue. I had my Cloudflare Access policy on *.example.com so it was protecting every subdomain. Adding an exclusion for the authentication subdomain fixed the issue. Thank you.

OVERLORD commented 2025-10-08 00:10:57 +03:00

Author

Owner

Copy Link

@stonith404 commented on GitHub:

I'm using Pocket ID with Cloudflare Access too so there is probably something wrong with your configuration.

Are you using the Docker installation? Can you share the Traefik configuration?

@stonith404 commented on GitHub: I'm using Pocket ID with Cloudflare Access too so there is probably something wrong with your configuration. Are you using the Docker installation? Can you share the Traefik configuration?

OVERLORD commented 2025-10-08 00:10:57 +03:00

Author

Owner

Copy Link

@Rxyanlaw commented on GitHub:

I'm using the docker compose installation. Here is my Traefik config:

traefik.enable: true
traefik.http.routers.pocketid.rule: Host(auth.example.com) && PathPrefix(/)
traefik.http.routers.pocketid.entryPoints: https
traefik.http.services.pocketid.loadbalancer.server.port: 80`

@Rxyanlaw commented on GitHub: I'm using the docker compose installation. Here is my Traefik config: traefik.enable: true traefik.http.routers.pocketid.rule: Host(`auth.example.com`) && PathPrefix(`/`) traefik.http.routers.pocketid.entryPoints: https traefik.http.services.pocketid.loadbalancer.server.port: 80`

OVERLORD commented 2025-10-08 00:10:58 +03:00

Author

Owner

Copy Link

@stonith404 commented on GitHub:

Thanks. Does a POST request to /api/oidc/token really return 404 or did you make a GET request? Additionally, do you see any errors in the logs of the container?

@stonith404 commented on GitHub: Thanks. Does a POST request to `/api/oidc/token` really return 404 or did you make a GET request? Additionally, do you see any errors in the logs of the container?

OVERLORD referenced this issue 2025-10-08 00:16:54 +03:00

[PR #491] [MERGED] chore(translations): update translations via Crowdin #773

OVERLORD referenced this issue 2025-10-08 00:16:58 +03:00

[PR #491] chore(translations): update translations via Crowdin #777

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

oidc-scopes

breaking/v2

i18n_crowdin

v2/use-item-component

default-env-db-keys

slog-gorm

v1.16.0

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.13.1

v1.13.0

v1.12.0

v1.11.2

v1.11.1

v1.11.0

v1.10.0

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.0

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.53.0

v0.52.0

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.0

v0.45.0

v0.44.0

v0.43.1

v0.43.0

v0.42.1

v0.42.0

v0.41.0

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.6

v0.35.5

v0.35.4

v0.35.3

v0.35.2

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.1

v0.28.0

v0.27.2

v0.27.1

v0.27.0

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

breaking

bug

documentation

feature

needs more upvotes

open to pull requests

pull-request

Mirrored from GitHub Pull Request

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/pocket-id-pocket-id-1#491