🐛 Bug Report: Cloudflare Zero Trust OIDC ERROR: Failed to exchange code for token. #362

Closed
opened 2025-10-09 16:41:58 +03:00 by OVERLORD · 5 comments
Originally created by @EvasiveXkiller on GitHub.

Reproduction steps

I followed the example in the documentation to set up [Pocket ID with Cloudflare ZT](https://pocket-id.org/docs/client-examples/cloudflare-zero-trust).

Expected behavior

Authentication works.

Actual Behavior

I got the following error.

OIDC ERROR: Failed to exchange code for token. Make sure the client secret is correct.
undefined.


Version and Environment

Pocket ID: v0.32
Reverse Proxy: HAProxy version 3.1.3-1~bpo12+1 2025/01/29

My reverse proxy is running on a non default port, ie. https://oidc.tld.com:49172

Log Output

[GIN] 2025/02/14 - 06:41:41 | 200 |   450.92579ms |  PUBLIC_IP_REDACTED | GET      "/api/webauthn/login/start"
[GIN] 2025/02/14 - 06:41:41 | 200 |  450.967932ms |  PUBLIC_IP_REDACTED | GET      "/api/webauthn/login/start"
2025/02/14 06:41:51 Failed to get IP location: open data/GeoLite2-City.mmdb: no such file or directory
[GIN] 2025/02/14 - 06:41:52 | 200 |  4.112204355s |  PUBLIC_IP_REDACTED | POST     "/api/webauthn/login/finish"
[GIN] 2025/02/14 - 06:41:52 | 200 |  4.178822322s |  PUBLIC_IP_REDACTED | POST     "/api/webauthn/login/finish"
[GIN] 2025/02/14 - 06:41:52 | 200 |  223.784901ms |  PUBLIC_IP_REDACTED | POST     "/api/oidc/authorization-required"
[GIN] 2025/02/14 - 06:41:52 | 200 |  223.831135ms |  PUBLIC_IP_REDACTED | POST     "/api/oidc/authorization-required"
2025/02/14 06:41:53 Failed to get IP location: open data/GeoLite2-City.mmdb: no such file or directory
[GIN] 2025/02/14 - 06:41:54 | 200 |  1.557778726s |  PUBLIC_IP_REDACTED | POST     "/api/oidc/authorize"
[GIN] 2025/02/14 - 06:41:54 | 200 |  1.557825283s |  PUBLIC_IP_REDACTED | POST     "/api/oidc/authorize"
OVERLORD added the bug label 2025-10-09 16:41:58 +03:00

@EvasiveXkiller commented on GitHub:

I copied the token URL from the dashboard, and modified it to include the port since it does not have it.

The original one is https://oidc.tld.com/api/oidc/token, while mine is modified to https://oidc.tld.com:49172/api/oidc/token

I did run some basic tests on reachability using curl and everything seems to return with no issues.

@kmendell Would you mind giving a general direction on how the Cloudflare tunnel is supposed to be used? I have a tunnel running on that machine as well so might be able to leverage that


@kmendell commented on GitHub:

Cloudflare tunnel is in itself a reverse proxy of sorts, so you should just proxy directly to the pocket id service vs proxying to another reverse proxy that just causes problems.

For example:

cloudflare tunnel config would be

id.example.com

and

http://pocketidip:3000


@kmendell commented on GitHub:

Yes @stonith404 is correct, you need to make sure both pocket id and cloudflare can reach each other in both directions for it to work. If you use Cloudflare tunnel that's a simple way to do this.


@EvasiveXkiller commented on GitHub:

Alright great! Thank you for the direction. Ditched my reverse proxy and opted for the cloudflare one instead, works perfectly now.


Closing this issue.


@stonith404 commented on GitHub:

What did you enter for "Token URL"? Based on the logs Cloudflare isn't able to call this endpoint. You've either entered a wrong "Token URL" or it's not reachable by the Cloudflare servers.

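The two comments above boil down to one check: the "Token URL" handed to Cloudflare must match the token endpoint the provider actually advertises, on a port Cloudflare's servers can reach. The script below is an added example, not code from Pocket ID or from anyone in this thread; the discovery document is constructed and `check_token_url` is a hypothetical helper.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document, shaped like an OpenID Connect
# .well-known/openid-configuration response; not captured from a real server.
DISCOVERY_JSON = """{
  "issuer": "https://oidc.tld.com",
  "token_endpoint": "https://oidc.tld.com/api/oidc/token"
}"""

DEFAULT_PORTS = {"https": 443, "http": 80}


def _parts(url):
    """Split a URL into (scheme, host, effective port, path)."""
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return p.scheme, p.hostname.lower(), p.port or DEFAULT_PORTS[p.scheme], p.path or "/"


def check_token_url(discovery_json, configured_token_url):
    """Compare the Token URL configured at the relying party (Cloudflare Zero Trust)
    with the token_endpoint the provider advertises. Returns a list of problems;
    an empty list means the two agree on scheme, host, port and path."""
    doc = json.loads(discovery_json)
    advertised = doc["token_endpoint"]
    problems = []
    a_scheme, a_host, a_port, a_path = _parts(advertised)
    c_scheme, c_host, c_port, c_path = _parts(configured_token_url)
    if c_scheme != "https":
        problems.append(f"scheme: token endpoint must use https (got {c_scheme})")
    if c_host != a_host:
        problems.append(f"host: configured {c_host}, provider advertises {a_host}")
    if c_port != a_port:
        # The thread's case: a hand-edited URL on a non-default port the provider never
        # advertised; the relying party will call that port, so it must be reachable.
        problems.append(f"port: configured {c_port}, provider advertises {a_port}")
    if c_path != a_path:
        problems.append(f"path: configured {c_path}, provider advertises {a_path}")
    # issuer and token_endpoint should share an origin; if not, the provider's own
    # public URL (or the headers its reverse proxy forwards) is likely misconfigured.
    i_scheme, i_host, i_port, _ = _parts(doc["issuer"])
    if (i_scheme, i_host, i_port) != (a_scheme, a_host, a_port):
        problems.append(f"issuer {doc['issuer']} and token_endpoint {advertised} differ in origin")
    return problems
```

Fetch the real document from `https://<issuer>/.well-known/openid-configuration` and pass it in; a clean result still says nothing about reachability, which has to be tested from outside your network, as the thread notes.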
Reference: starred/pocket-id-pocket-id-2#362