🐛 Bug Report: invalid callback URL, it might be necessary for an admin to fix this #250

Closed
opened 2025-10-07 00:07:17 +03:00 by OVERLORD · 16 comments
Owner

Originally created by @adrianipopescu on GitHub.

Reproduction steps

After updating to 0.48.0 all applications suddenly give invalid callback url, even those with no callback url enforced

Expected behavior

It should accept the redirect url provided by the client

Actual Behavior

In the logs and in the UI I see invalid callback URL, it might be necessary for an admin to fix this

Version and Environment

v0.48.0 docker

Log Output

[GIN] 2025/04/18 - 21:59:36 | 400 |     777.256µs |   192.168.1.127 | POST     "/api/oidc/authorize"
Error #01: invalid callback URL, it might be necessary for an admin to fix this
[GIN] 2025/04/18 - 21:59:36 | 400 |     790.021µs |   192.168.1.127 | POST     "/api/oidc/authorize"
Error #01: invalid callback URL, it might be necessary for an admin to fix this
OVERLORD added the bug label 2025-10-07 00:07:17 +03:00
@adrianipopescu commented on GitHub:

The callback url is sent when initiating the oidc auth request to pocket-id and I can see it in the query string, but pocket-id says it is invalid if the oidc client app doesn't explicitly have a matching one.

We understand the security implications, and it was accepted as a valid risk.

@kmendell commented on GitHub:

What does one of your clients having the issue look like?

@adrianipopescu commented on GitHub:

Ok, so empty callback urls don't work, setting them manually in the oidc client config does.

@adrianipopescu commented on GitHub:

Use case: the application has dynamically generated URLs and domains, i.e. internal wikis shared with clients, but we want to consolidate and use a single app in pocket-id since it's a shared environment that everybody has access to; forward auth via the traefik plugin allows the app to handle role management + info from OIDC (in the dev branch).

@kmendell commented on GitHub:

Why would one not define a callback URL? This is required so the OIDC provider knows where to send the access_token and redirect back to.

Maybe I'm missing something though.

@nikdoof commented on GitHub:

I had something similar with [kubelogin](https://github.com/int128/kubelogin) on my Kubernetes cluster. Adding a callback URL of '*' 'fixes' it; insecure, sure, but it resolves the issue of dynamic endpoints for redirects.

Also, is callback URL the correct name here? Isn't it redirect URI in the spec? Or am I getting confused?

@adrianipopescu commented on GitHub:

A colleague just mentioned it currently causes issues with opkssh, since it's awkward to configure http://localhost:3000 as the callback url.

@adrianipopescu commented on GitHub:

For now we're going to stick to v0.46.0, as that doesn't cause issues when not configuring the callback URL explicitly on pocket-id's side.

@adrianipopescu commented on GitHub:

An alternate scenario we could go with, if the project decides to enforce configuring callback URLs, is to add/remove them dynamically via the API when a new client/project combo changes.

@adrianipopescu commented on GitHub:

In this case might I suggest empty = *, as the field isn't marked as required on the UI, with maybe an orange div popping up that informs the user of the risks.

@stonith404 commented on GitHub:

I'm closing this because this seems fixed by using a wildcard.

The next release will force a user to enter at least one callback URL and there will be a note that wildcards are supported.

@nikdoof commented on GitHub:

@schongewusst99 Headscale's callback/redirect URL should be `/oidc/callback`, so `https://hs.example.com/oidc/callback`.

@nikdoof commented on GitHub:

From experience of other systems: Authentik has it that, if undefined, on the first attempt it'll populate the Redirect URI with the first request it gets. This covers the vast majority of apps quite well, but always ended up tripping people up when, due to an incorrect app config, they end up with an HTTP URL or an internal, non-routable address.

I'd say the best way would be to either make the field required so people always input the value and understand its meaning, or put an explicit warning saying that blank will reject all callback URLs.

@schongewusst99 commented on GitHub:

Hello everyone,
I'm using Pocket-ID, among other things, with headplane and headscale. All callbacks are correctly set up in the respective OIDC clients as https://hs.example.com/admin and https://hs.example.com. After upgrading from version v0.46.0 to v0.48.0, headscale stopped working. The issue described by the original reporter is occurring, but headplane continues to run flawlessly.

If I add * as a callback, I do get redirected successfully by Pocket-ID without the callback error, but then I correctly receive an "internal server error" from headscale, since Pocket-ID, of course, doesn't return a specific callback URL.

@adrianipopescu commented on GitHub:

Thanks for this

@jsapede commented on GitHub:

Facing a similar problem with wikijs, I've implemented the wildcard.
But I don't understand what the base problem is and the implications of the wildcard. Could someone explain it in 2 lines?
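
To make the wildcard question concrete, here is an added illustration of how a redirect_uri allow-list behaves under the rules the thread describes; it is not pocket-id's own code, and the matching rules (empty list rejects everything, plain entries must match exactly, a `*` inside an entry matches one URL segment, a bare `*` accepts any URL) are assumptions for the example. The host names used are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// globToRegexp turns a callback pattern into an anchored regexp. A "*" never
// crosses "/", "?" or "#", so "https://*.example.com/cb" cannot be satisfied by
// a different host that merely carries ".example.com/cb" in its query string.
func globToRegexp(pattern string) *regexp.Regexp {
	quoted := regexp.QuoteMeta(pattern)
	return regexp.MustCompile("^" + strings.ReplaceAll(quoted, `\*`, `[^/?#]*`) + "$")
}

// RedirectAllowed reports whether redirect is acceptable as the redirect_uri of
// a client whose configured callback URLs are allowed. The rules are assumed for
// this illustration and are not pocket-id's implementation.
func RedirectAllowed(allowed []string, redirect string) bool {
	u, err := url.Parse(redirect)
	if err != nil || (u.Scheme != "https" && u.Scheme != "http") || u.Host == "" {
		return false // only absolute http(s) URLs are even considered
	}
	for _, entry := range allowed {
		switch {
		case entry == "*":
			return true // wildcard-all: every well-formed callback passes, any host
		case strings.Contains(entry, "*"):
			if globToRegexp(entry).MatchString(redirect) {
				return true
			}
		case entry == redirect:
			return true // exact match, the default-safe rule
		}
	}
	return false // nothing matched; an empty allow-list always ends here
}

func main() {
	hs := "https://hs.example.com/oidc/callback"
	fmt.Println(RedirectAllowed(nil, hs))                                // false: empty list
	fmt.Println(RedirectAllowed([]string{"https://hs.example.com"}, hs)) // false: path differs
	fmt.Println(RedirectAllowed([]string{"https://*.example.com/oidc/callback"}, hs)) // true
	fmt.Println(RedirectAllowed([]string{"https://*.example.com/oidc/callback"},
		"https://other.test/?q=.example.com/oidc/callback")) // false: "*" stays inside the host
	fmt.Println(RedirectAllowed([]string{"*"}, "https://any-host.test/x")) // true: wildcard-all
}
```

The last line is the implication of a bare `*`: the provider will send the authorization code to whatever redirect_uri the request names, so the callback check no longer pins the code to the application's own origin.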

Reference: starred/pocket-id#250