Portainer Unauthorized #487

Closed
opened 2025-10-09 16:49:56 +03:00 by OVERLORD · 10 comments

Originally created by @javijuji on GitHub.

Reproduction steps

I've done initial setup and can log into pocket-id. After setting up Portainer behind a reverse proxy and setting up OAuth, I keep getting unauthorized during login.

OAuth Configuration
Client ID **************************
Client secret ************************
Authorization URL: https://auth.mydomain.xyz/authorize
Access token URL: https://auth.mydomain.xyz/api/oidc/token
Resource URL: https://auth.mydomain.xyz/api/oidc/userinfo
Redirect URL: https://portsyno.mydomain.xyz/
Logout URL: https://auth.mydomain.xyz/application/o/pgadmin/end-session/
User identifier: email
Scopes: openid profile email groups
Auth Style: Auto Detect

Callback URL: https://portsyno.mydomain.xyz/

Additional information:
Configured automatic user provisioning but not seeing any users imported into portainer. Tested turning off and created a user with matching username/email with the one in pocket-id. Same result.
Team membership is set to Off.

image

Also tried enabling automatic user provisioning. Same result.

image

Expected behavior

Should authorize correctly.

Actual Behavior

Unauthorized. Redirects seem to work correctly though.

OVERLORD added the bug label 2025-10-09 16:49:57 +03:00

@alec-hs commented on GitHub:

I have double checked the client secret and rotated it to make sure.

Portainer Logs:

```
2024/10/15 06:06PM DBG security/bouncer.go:437 > HTTP error | error=Unauthorized msg="A valid authorization token is missing" status_code=401
2024/10/15 06:06PM DBG security/bouncer.go:437 > HTTP error | error=Unauthorized msg="A valid authorization token is missing" status_code=401
2024/10/15 06:06PM DBG security/bouncer.go:437 > HTTP error | error=Unauthorized msg="A valid authorization token is missing" status_code=401
2024/10/15 06:06PM DBG oauth/oauth.go:35 > failed retrieving OAuth token | error="oauth2: \"Invalid client secret\""
2024/10/15 06:06PM DBG auth/authenticate_oauth.go:84 > OAuth authentication error | error="oauth2: \"Invalid client secret\""
2024/10/15 06:06PM DBG security/bouncer.go:617 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500
2024/10/15 06:06PM DBG middlewares/slow_request_logger.go:33 > slow request | elapsed_ms=129.966375 method=POST url=/api/auth/oauth/validate
```

PocketID Logs:

```
[GIN] 2024/10/15 - 18:06:01 | 200 |    4.539165ms |       127.0.0.1 | GET      "/api/oidc/clients/8e400bed-f1bc-4a75-9c16-003a9ba29c58"
[GIN] 2024/10/15 - 18:06:01 | 200 |    4.563928ms |       127.0.0.1 | GET      "/api/oidc/clients/8e400bed-f1bc-4a75-9c16-003a9ba29c58"
[GIN] 2024/10/15 - 18:06:05 | 200 |  111.557512ms |      172.22.0.5 | POST     "/api/oidc/clients/8e400bed-f1bc-4a75-9c16-003a9ba29c58/secret"
[GIN] 2024/10/15 - 18:06:05 | 200 |  111.589621ms |      172.22.0.5 | POST     "/api/oidc/clients/8e400bed-f1bc-4a75-9c16-003a9ba29c58/secret"
[GIN] 2024/10/15 - 18:06:21 | 200 |    2.847901ms |       127.0.0.1 | GET      "/api/users/me"
[GIN] 2024/10/15 - 18:06:21 | 200 |    2.885358ms |       127.0.0.1 | GET      "/api/users/me"
[GIN] 2024/10/15 - 18:06:21 | 200 |    5.929046ms |       127.0.0.1 | GET      "/api/oidc/clients/8e400bed-f1bc-4a75-9c16-003a9ba29c58"
[GIN] 2024/10/15 - 18:06:21 | 200 |    5.947032ms |       127.0.0.1 | GET      "/api/oidc/clients/8e400bed-f1bc-4a75-9c16-003a9ba29c58"
[GIN] 2024/10/15 - 18:06:21 | 200 |    2.901119ms |       127.0.0.1 | GET      "/api/application-configuration"
[GIN] 2024/10/15 - 18:06:21 | 200 |    2.918514ms |       127.0.0.1 | GET      "/api/application-configuration"
[GIN] 2024/10/15 - 18:06:22 | 403 |    6.721911ms |      172.22.0.5 | POST     "/api/oidc/authorize"
[GIN] 2024/10/15 - 18:06:22 | 403 |    6.743184ms |      172.22.0.5 | POST     "/api/oidc/authorize"
2024/10/15 18:06:23 /app/backend/internal/service/oidc_service.go:75 duplicated key not allowed
[3.197ms] [rows:0] INSERT INTO `user_authorized_oidc_clients` (`scope`,`user_id`,`client_id`) VALUES (?,?,?)
[GIN] 2024/10/15 - 18:06:24 | 200 |  164.301823ms |      172.22.0.5 | POST     "/api/oidc/authorize/new-client"
[GIN] 2024/10/15 - 18:06:24 | 200 |  164.327342ms |      172.22.0.5 | POST     "/api/oidc/authorize/new-client"
[GIN] 2024/10/15 - 18:06:25 | 400 |   61.324223ms |      172.22.0.5 | POST     "/api/oidc/token"
[GIN] 2024/10/15 - 18:06:25 | 400 |   61.341758ms |      172.22.0.5 | POST     "/api/oidc/token"
[GIN] 2024/10/15 - 18:06:25 | 400 |   61.375865ms |      172.22.0.5 | POST     "/api/oidc/token"
[GIN] 2024/10/15 - 18:06:25 | 400 |    61.39173ms |      172.22.0.5 | POST     "/api/oidc/token"
```

@stonith404 commented on GitHub:

@alec-hs Are you really sure that the client secret is valid because this error only gets thrown if the client secret doesn't match the one saved in the database:

```go
err := bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(clientSecret))
if err != nil {
	return "", "", common.ErrOidcClientSecretInvalid
}
```

I've added a line in the stonith404/pocket-id:development image that prints the received client secret. Could you run the image and check if the received client secret is correct and doesn't contain any whitespaces?


@stonith404 commented on GitHub:

Thanks for reporting, but I can't reproduce this. Can you enable the debug logs of Portainer (e.g. `docker run -d -p 8000:8000 -p 9443:9443 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer-ce --log-level=DEBUG`) and share the logs of Pocket ID and Portainer?

My configuration looks like this:
Screenshot 2024-10-11 at 20 35 28@2x


@stonith404 commented on GitHub:

Any updates?


@alec-hs commented on GitHub:

I can confirm I have this same issue - will get the logs as requested above for a second source for you to look at.


@javijuji commented on GitHub:

Thank you both for following through on this. Sorry for not replying earlier. I decided to regenerate the secret and double-check the callback URL, and it is working correctly now.


@UncleArya commented on GitHub:

> So the development branch helped since it showed that it was passing a secret but it was a completely different format to what would have been expected. I spun up a new test instance of Portainer and it worked fine there. Looks to be an issue with my Portainer instance. Can close this issue now.

Hey @alec-hs sorry for the random reply on a closed issue, but I have come across the same issue getting Pocket-ID working with Portainer the same way as you. Are you able to remember what you needed to change with your Portainer instance to get it working with Pocket-ID? Thanks!


@alec-hs commented on GitHub:

Sure, will give this a go later today. I'm hoping it is just me missing something but this is the only app that I'm using Pocket ID with that is having the issue.


@javijuji commented on GitHub:

I believe the issue to be that making changes to the OAuth settings on Portainer and saving will save a blank client secret. I did a few more changes and ended up breaking it a couple more times until I realized that I had to enter the Client Secret again before hitting Save settings (which meant generating a new one, since I am not writing those down!).

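As an added example (not pocket-id's or Portainer's code), this shows the secret check @stonith404 quoted above and why the blank secret @javijuji diagnosed surfaces only as a generic "Invalid client secret"; PBKDF2-HMAC from the Python standard library stands in for pocket-id's bcrypt hash, and all function names and the sample secret are constructed for this demo.

```python
# Added example, not pocket-id or Portainer code. PBKDF2-HMAC stands in for
# the bcrypt hash pocket-id stores (bcrypt.CompareHashAndPassword); the
# function names and the sample secret are constructed for this demo.
import hashlib
import hmac
import os

ITERATIONS = 100_000


def hash_client_secret(secret: str, salt=None) -> str:
    """Store the secret as salt$digest (hex), never in clear text."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_client_secret(stored: str, received: str) -> bool:
    """Like bcrypt.CompareHashAndPassword: any byte difference fails, so an
    empty or newline-padded secret is rejected exactly like a wrong one."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", received.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def describe_received_secret(received: str) -> dict:
    """Safe-to-log shape of what the client sent, instead of the secret
    itself: catches the blank secret Portainer saved and copy/paste
    whitespace without exposing a valid secret in the DEBUG logs."""
    return {
        "empty": received == "",
        "length": len(received),
        "surrounding_whitespace": received != received.strip(),
        "internal_whitespace": any(ch.isspace() for ch in received.strip()),
    }


def token_endpoint_check(stored: str, received: str) -> tuple:
    """Token-endpoint outcome; on failure the diagnostic, not the secret,
    is what belongs in the log line."""
    if verify_client_secret(stored, received):
        return True, "ok"
    return False, f"Invalid client secret {describe_received_secret(received)}"


if __name__ == "__main__":
    stored = hash_client_secret("constructed-demo-secret")
    for sent in ["constructed-demo-secret", "", "constructed-demo-secret\n"]:
        print(token_endpoint_check(stored, sent))
```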

@alec-hs commented on GitHub:

So the development branch helped since it showed that it was passing a secret but it was a completely different format to what would have been expected. I spun up a new test instance of Portainer and it worked fine there. Looks to be an issue with my Portainer instance. Can close this issue now.


Reference: starred/pocket-id-pocket-id-2#487