🐛 Bug Report: CORS error for accessing the userinfo endpoint using a web client #184

Closed
opened 2025-10-07 00:05:04 +03:00 by OVERLORD · 7 comments

Originally created by @simonfranken on GitHub.

Reproduction steps

  • Create an OIDC provider with the options `Public Client` and `PKCE Enabled`.
  • Configure a web frontend (in my case, Vue.js with [oidc-client-ts](https://authts.github.io/oidc-client-ts/)) for using Pocket ID as the identity provider.
  • After successful authentication, the package attempts to retrieve the user information using the userinfo endpoint of Pocket ID and sends the obtained token via the `Authorization` header.
  • However, the response from Pocket ID does not permit the `Authorization` header due to a CORS error.

Expected behavior

Pocket ID should permit the `Authorization` header to be included, at the very least for clients that are configured as Public.
I conducted the following tests:

  • I configured Pocket ID behind an Nginx reverse proxy, which adds the `Access-Control-Allow-Headers: *` header to all responses. This header resolves the issue in my specific case. However, it is important to note that this is merely a workaround, as this header should not be applied to all responses.

Actual Behavior

Pocket ID sends a response which does not allow the `Authorization` header.

Version and Environment

v1.0

Log Output

No response

OVERLORD added the bug label 2025-10-07 00:05:04 +03:00
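For readers following the thread, the mechanism at issue is the CORS preflight: before the cross-origin `GET` that carries the `Authorization` header, the browser sends an `OPTIONS` request with `Access-Control-Request-Headers: authorization`, and the userinfo endpoint's answer must list that header in `Access-Control-Allow-Headers` or the browser never sends the real request. The Go example below is added here for illustration; it is not Pocket ID's code and not the fix the maintainer shipped. It shows CORS handling scoped to the userinfo route alone, as opposed to the blanket Nginx header: the route `/api/oidc/userinfo`, the origin allowlist and the stub claims are assumptions. One caveat on the Nginx workaround: the Fetch standard defines `Authorization` as a "CORS non-wildcard request-header name", so browsers that follow it do not treat `Access-Control-Allow-Headers: *` as covering `Authorization`; the header has to be listed by name, which is what the example does.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Headers a browser may send cross-origin to userinfo. Authorization must be listed by
// name: the Fetch standard calls it a "CORS non-wildcard request-header name", so "*" never covers it.
var allowedUserinfoHeaders = []string{"Authorization"}

// requestedHeadersAllowed checks each comma-separated name from a preflight's
// Access-Control-Request-Headers against the allowlist, case-insensitively.
func requestedHeadersAllowed(requested string) bool {
	for _, name := range strings.Split(requested, ",") {
		if name = strings.TrimSpace(name); name == "" {
			continue
		}
		ok := false
		for _, a := range allowedUserinfoHeaders {
			ok = ok || strings.EqualFold(name, a)
		}
		if !ok {
			return false
		}
	}
	return true
}

// UserinfoCORS scopes CORS handling to the one handler it wraps; allowedOrigins stands in for registered public-client origins (assumed).
func UserinfoCORS(allowedOrigins map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		w.Header().Add("Vary", "Origin") // the response depends on Origin
		if origin == "" || !allowedOrigins[origin] {
			// Same-origin or unregistered origin: no CORS headers; refuse preflights.
			if r.Method == http.MethodOptions {
				w.WriteHeader(http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
			return
		}
		// Echo the registered origin instead of "*". No Allow-Credentials: the token
		// travels in the Authorization header, not in cookies.
		w.Header().Set("Access-Control-Allow-Origin", origin)
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			if !requestedHeadersAllowed(r.Header.Get("Access-Control-Request-Headers")) {
				w.WriteHeader(http.StatusForbidden)
				return
			}
			w.Header().Set("Access-Control-Allow-Methods", "GET")
			w.Header().Set("Access-Control-Allow-Headers", strings.Join(allowedUserinfoHeaders, ", "))
			w.Header().Set("Access-Control-Max-Age", "600")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// userinfoHandler stands in for the real endpoint: bearer token present, constructed claims out.
func userinfoHandler(w http.ResponseWriter, r *http.Request) {
	if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
		http.Error(w, `{"error":"invalid_token"}`, http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, `{"sub":"1234","name":"Example User","email":"user@example.com"}`)
}

// NewMux puts only the userinfo route (assumed path) behind the CORS wrapper; /api/users gets none.
func NewMux(allowedOrigins map[string]bool) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/api/oidc/userinfo", UserinfoCORS(allowedOrigins, http.HandlerFunc(userinfoHandler)))
	mux.HandleFunc("/api/users", func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, `[]`) })
	return mux
}

// Preflight replays the OPTIONS request a browser sends before a cross-origin GET with
// Authorization; it returns the status and the Access-Control-Allow-Headers value.
func Preflight(h http.Handler, path, origin, requestedHeaders string) (int, string) {
	req := httptest.NewRequest(http.MethodOptions, path, nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "GET")
	req.Header.Set("Access-Control-Request-Headers", requestedHeaders)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Headers")
}

func main() {
	mux := NewMux(map[string]bool{"https://app.example.com": true})
	code, allow := Preflight(mux, "/api/oidc/userinfo", "https://app.example.com", "authorization")
	fmt.Printf("preflight from registered origin: %d, Access-Control-Allow-Headers=%q\n", code, allow)
	code, allow = Preflight(mux, "/api/oidc/userinfo", "https://evil.example", "authorization")
	fmt.Printf("preflight from unknown origin: %d, Access-Control-Allow-Headers=%q\n", code, allow)
}
```

A preflight from a registered origin is answered with 204 and `Access-Control-Allow-Headers: Authorization`; one from an unknown origin, or one that asks for a header not in the allowlist, gets 403 with no CORS headers; and `/api/users`, which sits outside the wrapper, never emits them, which is the scoping the blanket Nginx header cannot give. `Vary: Origin` is set so a shared cache does not replay one origin's CORS answer to another.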

@bfqrst commented on GitHub:

Thanks @stonith404, that did the trick for me! CORS error is gone, Netbird is able to pull the name, email and avatar! LGTM!

@bfqrst commented on GitHub:

I suppose the :next tag is not updated yet?

@stonith404 commented on GitHub:

This should be fixed with `b9489b5e9a32a2a3f54d48705e731a7bcf188d20`. Could you test the `ghcr.io/pocket-id/pocket-id:next` image and let me know if it works now. Just to make sure that I don't have to whitelist more headers.

@stonith404 commented on GitHub:

Oh yeah sorry. Should be ready now.

@bfqrst commented on GitHub:

I think I also had this happen to me in conjunction with a Netbird selfhosted installation. I'll try this as well to see if it changes something...

@stonith404 commented on GitHub:

Thanks for testing this so quickly. This should be fixed in v1.2.0.

@simonfranken commented on GitHub:

@stonith404 Thanks for the quick reply! I can confirm that it works just fine on my end.


Reference: starred/pocket-id#184