🐛 Bug Report: invalid callback URL #458

New Issue

Closed

opened 2025-10-09 16:47:56 +03:00 by OVERLORD · 1 comment

OVERLORD commented 2025-10-09 16:47:56 +03:00

Owner

Copy Link

Originally created by @hametovbr on GitHub.

Reproduction steps

When I try to use pocket-id with oauth2-proxy I am able to login using pocket-id to oauth2-proxy itself, but when I try to login to another server on my network I get "Invalid callback URL".
Reverse-proxy: traefik
Callback URL : https://<oauth-proxy-url>/oauth2/callback
Service labels:

    labels:
      - traefik.enable=true
      - traefik.http.routers.paperless.rule=Host(`<service>`)
      - traefik.http.routers.paperless.entrypoints=websecure
      - traefik.http.middlewares.oauth2.forwardauth.address=https://<oauth-proxy>
      - traefik.http.middlewares.oauth2.forwardauth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email
      - traefik.http.routers.paperless.middlewares=oauth2

Pocket-Id logs:

2024-11-15T21:54:41.687980354Z [GIN] 2024/11/15 - 21:54:41 | 400 |    1.059384ms |      172.18.0.1 | POST     "/api/oidc/authorize/new-client"
2024-11-15T21:54:41.687988526Z Error #01: invalid callback URL

OAuth2-Proxy config (env):

      OAUTH2_PROXY_PROVIDER: oidc
      OAUTH2_PROXY_OIDC_ISSUER_URL: <pocket-id>
      OAUTH2_PROXY_CLIENT_ID: <client-id>
      OAUTH2_PROXY_CLIENT_SECRET: <client-secret>
      OAUTH2_PROXY_COOKIE_SECRET: <cookie-secret>
      OAUTH2_PROXY_COOKIE_SECURE: true
      OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:4180
      OAUTH2_PROXY_REVERSE_PROXY: true
      OAUTH2_PROXY_SCOPE: "openid email profile groups"
      OAUTH2_PROXY_EMAIL_DOMAINS: "*" 
      OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL: true
      OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: true
      OAUTH2_PROXY_WHITELIST_DOMAINS: "*.<my-domain>"

Expected behavior

Successfully redirect back to service.

Actual Behavior

I get an "invalid callback URL" error.

Originally created by @hametovbr on GitHub. ### Reproduction steps When I try to use pocket-id with oauth2-proxy I am able to login using pocket-id to oauth2-proxy itself, but when I try to login to another server on my network I get "Invalid callback URL". Reverse-proxy: `traefik` Callback URL : `https://<oauth-proxy-url>/oauth2/callback` Service labels: ``` labels: - traefik.enable=true - traefik.http.routers.paperless.rule=Host(`<service>`) - traefik.http.routers.paperless.entrypoints=websecure - traefik.http.middlewares.oauth2.forwardauth.address=https://<oauth-proxy> - traefik.http.middlewares.oauth2.forwardauth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email - traefik.http.routers.paperless.middlewares=oauth2 ``` Pocket-Id logs: ``` 2024-11-15T21:54:41.687980354Z [GIN] 2024/11/15 - 21:54:41 | 400 | 1.059384ms | 172.18.0.1 | POST "/api/oidc/authorize/new-client" 2024-11-15T21:54:41.687988526Z Error #01: invalid callback URL ``` OAuth2-Proxy config (env): ``` OAUTH2_PROXY_PROVIDER: oidc OAUTH2_PROXY_OIDC_ISSUER_URL: <pocket-id> OAUTH2_PROXY_CLIENT_ID: <client-id> OAUTH2_PROXY_CLIENT_SECRET: <client-secret> OAUTH2_PROXY_COOKIE_SECRET: <cookie-secret> OAUTH2_PROXY_COOKIE_SECURE: true OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:4180 OAUTH2_PROXY_REVERSE_PROXY: true OAUTH2_PROXY_SCOPE: "openid email profile groups" OAUTH2_PROXY_EMAIL_DOMAINS: "*" OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL: true OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: true OAUTH2_PROXY_WHITELIST_DOMAINS: "*.<my-domain>" ``` ### Expected behavior Successfully redirect back to service. ### Actual Behavior I get an "invalid callback URL" error.

OVERLORD added the bug label 2025-10-09 16:47:56 +03:00

OVERLORD closed this issue 2025-10-09 16:47:56 +03:00

OVERLORD commented 2025-10-09 16:48:00 +03:00

Author

Owner

Copy Link

@hametovbr commented on GitHub:

Lol, as expected - my bad, missed in oauth2-proxy

OAUTH2_PROXY_REDIRECT_URL: https://oauth2.<mydomain>/oauth2/callback

Keeping for future fellow selfhosters - do not be as silly as me.

@hametovbr commented on GitHub: Lol, as expected - my bad, missed in oauth2-proxy ``` OAUTH2_PROXY_REDIRECT_URL: https://oauth2.<mydomain>/oauth2/callback ``` Keeping for future fellow selfhosters - do not be as silly as me.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

oidc-scopes

breaking/v2

i18n_crowdin

v2/use-item-component

default-env-db-keys

slog-gorm

v1.16.0

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.13.1

v1.13.0

v1.12.0

v1.11.2

v1.11.1

v1.11.0

v1.10.0

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.0

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.53.0

v0.52.0

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.0

v0.45.0

v0.44.0

v0.43.1

v0.43.0

v0.42.1

v0.42.0

v0.41.0

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.6

v0.35.5

v0.35.4

v0.35.3

v0.35.2

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.1

v0.28.0

v0.27.2

v0.27.1

v0.27.0

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

breaking

bug

documentation

feature

needs more upvotes

open to pull requests

pull-request

Mirrored from GitHub Pull Request

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/pocket-id-pocket-id-2#458