🐛 Bug Report: JWT+ID token breaks Proxmox OIDC auth #257

Closed
opened 2025-10-07 00:07:35 +03:00 by OVERLORD · 22 comments

Originally created by @nervous-inhuman on GitHub.

Reproduction steps

When trying to use PocketID with Proxmox, the login/auth flow is broken.

Repro:

  1. Setup Proxmox as an OIDC Client
  2. Configure Proxmox to use PocketID
  3. Try to login
  4. Fail

Expected behavior

User should get authenticated successfully.

Actual Behavior

Configuration:
Image

Error when trying to log-in using OIDC after configuration:
Image

From the Proxmox logs, you can see this error:

pvedaemon[280768]: openid authentication failure; rhost=<ip> msg=Failed to verify ID token: Unsupported: unexpected or unsupported JWT type `ID+JWT`

Which seems to come from here:
https://github.com/proxmox/proxmox-rs/blob/57b0477657aa32b3b705f8a6399dbe1396da5db4/proxmox-openid/src/lib.rs#L214

and here:
https://github.com/ramosbugs/openidconnect-rs/blob/main/src/verification/mod.rs#L248

This was previously working, and only broke after the upgrade to Pocket ID 0.46.0.

Version and Environment

Pocket ID 0.46.0
Proxmox 8.4.1

Log Output

No response

OVERLORD added the bug label 2025-10-07 00:07:35 +03:00

@halictuz commented on GitHub:

It seems that I have the same issue.

  • I first thought it was a problem with Komodo (https://github.com/moghtech/komodo) but after reading this here, I'm not sure.
  • This issue started happening after the latest release of Pocket-id (https://github.com/pocket-id/pocket-id/releases/tag/v0.46.0).

  • This appears after clicking the OIDC button and signing in with Pocket-id.

{"error":"Failed to verify token claims. This issue may be temporary (60 seconds max).","trace":["Unsupported: unexpected or unsupported JWT type `ID+JWT`"]}

and

{"error":"CSRF token invalid","trace":[]}

which appears after refreshing the first site/error.

@ItalyPaleAle commented on GitHub:

Do we need to include a header type? I know it was done because of #405, otherwise the introspection endpoint would accept ID tokens too and not just access tokens.

What if we used a private header (https://datatracker.ietf.org/doc/html/rfc7515#section-4.3), not typ? Since the consumer for that property is Pocket ID itself only, we may not need to rely on the standard properties.

@stonith404 commented on GitHub:

@ItalyPaleAle It's not really necessary to add the type to the typ header, but that's just a recommended method (https://www.rfc-editor.org/rfc/rfc8725#section-3.11).

If we don't use the typ header, wouldn't it be better to store the type inside a claim instead of a header? Working with claims is much easier than working with headers in the Jwx library.

@kmendell commented on GitHub:

The issue is the JWT Content-Type header does not seem to be supported by that client, The spec allows custom header types, but not all clients accept them. We will need to find a way to make this a Header type that the spec allows.


@kmendell commented on GitHub:

I think this should be as easy as just changing the TokenTypes to JWT but I need to test.

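The two options discussed above (keep the role in a private claim rather than in `typ`, or just emit `typ: JWT`) side by side, as an added example that is not Pocket ID's code: Mint issues an HS256 token with a caller-chosen `typ`, StrictVerify models a relying-party library that accepts only `typ: JWT` (the behaviour behind the Proxmox error in this thread), and IsIDToken makes the introspection-side ID-token/access-token distinction from a private claim. The HMAC demo key and the claim name `kind` are constructed assumptions, not Pocket ID's actual key handling or claim layout.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var demoKey = []byte("constructed-demo-hmac-key") // constructed demo secret, not a real issuer key
var enc = base64.RawURLEncoding
func sign(input string) []byte {
	mac := hmac.New(sha256.New, demoKey)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// Mint builds an HS256 JWS with a caller-chosen "typ"; "kind" is a hypothetical private claim.
func Mint(typ, kind string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": typ})
	body, _ := json.Marshal(map[string]string{"sub": "alice", "kind": kind})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	return input + "." + enc.EncodeToString(sign(input))
}

// StrictVerify models a relying party that only knows "typ": "JWT" and rejects anything else first.
func StrictVerify(token string) (map[string]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdr := map[string]string{}
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("bad header")
	}
	if typ := hdr["typ"]; typ != "" && typ != "JWT" {
		return nil, fmt.Errorf("unexpected or unsupported JWT type `%s`", typ)
	}
	if sig, _ := enc.DecodeString(parts[2]); !hmac.Equal(sig, sign(parts[0]+"."+parts[1])) {
		return nil, fmt.Errorf("bad signature")
	}
	claims := map[string]string{}
	raw, _ := enc.DecodeString(parts[1])
	return claims, json.Unmarshal(raw, &claims)
}

// IsIDToken is the issuer-side (introspection) check: the private claim, not "typ", says what the token is.
func IsIDToken(claims map[string]string) bool { return claims["kind"] == "id_token" }
```

Calling StrictVerify(Mint("ID+JWT", "id_token")) reproduces the rejection seen in the Proxmox log, while Mint("JWT", "id_token") verifies and IsIDToken still tells it apart from an access token.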

@404alex commented on GitHub:

> Having the same issue with Proxmox and Portainer. Also using Outline but that login is still working.

For some reason, portainer was working fine for me... I don't have Proxmox, so can't test that. My version: Portainer Business Edition 2.27.4 LTS

@RR3US commented on GitHub:

> > Having the same issue with Proxmox and Portainer. Also using Outline but that login is still working.
>
> For some reason, portainer was working fine for me... I don't have Proxmox, so can't test that. My version: Portainer Business Edition 2.27.4 LTS

Same version:

Image

@RR3US commented on GitHub:

Having the same issue with Proxmox and Portainer.
Also using Outline but that login is still working.


@404alex commented on GitHub:

Having the same issue with Stirling PDF (https://github.com/Stirling-Tools/Stirling-PDF). Was working fine before 0.46.0.

Image

@tupcakes commented on GitHub:

Is there a way to roll back to a previous version until this is fixed? I tried using the v0.45 tag, but it fails with:

Creating user and group...
passwd: password for pocket-id is unchanged
Changing password for pocket-id
New password:
Starting frontend...
Starting backend...
Starting Caddy...
2025/04/16 13:54:10 failed to run migrations: failed to apply migrations: no migration found for version 20250408120918: read down for version 20250408120918 migrations/sqlite: file does not exist

@RR3US commented on GitHub:

> @RR3US Are you sure pocket id has updated? What are the logs from portainer?

Image

It just says authentication failure. Where can I find detailed log?

Image

@kmendell commented on GitHub:

@stonith404 Will create a quick fix for this sometime today I think. We were talking about it last night.

@RR3US commented on GitHub:

> This should be fixed in v0.47.0.

Still not working for me in v.0.47.0.

Image

@stonith404 commented on GitHub:

This should be fixed in v0.47.0.


@kmendell commented on GitHub:

@RR3US Are you sure pocket id has updated? What are the logs from portainer?


@kmendell commented on GitHub:

What's your username claim set to in portainer?

@kmendell commented on GitHub:

Can you try fully restarting portainer, and see if the same error happens?

@RR3US commented on GitHub:

> I meant run docker logs portainer -f and then try to sign in and see what the logs say, sorry I should have clarified.

ERR github.com/portainer/portainer-ee/api/oauth/oauth.go:48 > failed retrieving username | error="failed to extract username from oauth resource"

@kmendell commented on GitHub:

I meant run docker logs portainer -f and then try to sign in and see what the logs say, sorry I should have clarified.

@RR3US commented on GitHub:

You mean this one?

Image


@RR3US commented on GitHub:

> Can you try fully restarting portainer, and see if the same error happens?

Already tried. Full system reboot.
It is strange because my proxmox is working again. But portainer was also working before v0.45.0

@RR3US commented on GitHub:

I will try to spin up a new instance of PocketID tomorrow, see if it helps.

Reference: starred/pocket-id#257