🚀 Feature: Allow setting additional origins #299

Closed
opened 2025-10-07 00:09:25 +03:00 by OVERLORD · 23 comments

Originally created by @andreas-soroko on GitHub.

Originally assigned to: @stonith404 on GitHub.

Feature description

A possibility to extend the `Access-Control-Allow-Origin` header to allow other origins

  • via env
  • or even better: use the `OIDC Clients -> Callback URLs` (remove subpath if necessary) and allow them by default.
    • the URLs defined there already have the permission to login, so they should also be allowed to use the other endpoints (wellknown/userinfo)

Pitch

I have Pocket ID running via Docker and it is accessible at `https://auth.dev.localhost`, which is fine, and a frontend (React / SPA) running at `https://apps.dev.localhost`.
I also have an OIDC client configured with the “public” flag enabled and wanted to add the client to the frontend for authentication. For this I am using oidc-react.
Now the lib tries to reach the `.well-known/openid-configuration` endpoint to load the metadata, but this does not work because the `Access-Control-Allow-Origin` header only allows the `PUBLIC_APP_URL`, which points to `https://auth.dev.localhost` - the same for the other endpoints like the userinfo endpoint.

So it is actually hardly possible to use the provider in the frontend in a decent way.

OVERLORD added the feature label 2025-10-07 00:09:25 +03:00

@andreas-soroko commented on GitHub:

> other clients can reach out to the well-known controller right?

If it's a backend application, yop, because they don't check the header.

You can simply test it yourself - create any frontend application (should not be on the same domain) and try to do the login via JS code.
If I let my backend serve my frontend (instead of nginx) and secure `/` via the backend (.NET) - yep, then it works because it doesn't check the header.

But that's not what my setup looks like.
My frontend runs in an nginx container on `apps.*`, my backend on `api.*`.
I had everything running with Zitadel before and wanted to try something slightly more lightweight, but without this setting option and token introspection (which, it looks like, isn't supported either), pocket-id is probably not for me.


@kmendell commented on GitHub:

@stonith404 Can you provide insight here? Something isn't adding up to me; it could be because it's 1am, but I still want you to read over it as well.


@stonith404 commented on GitHub:

Yeah, CORS isn't handled correctly at the moment. We have to find a good solution for this. It probably makes sense to add allowed origins for public clients.

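The issue text asks for the allowed origins to be derived from the callback URLs of registered clients, and the maintainer's reply above proposes allowing origins per public client. As an added illustration of that design (not Pocket ID's own code; the `Client` type, `BuildOriginAllowlist` and the sample registrations are hypothetical), the Go program below reduces each public client's callback URL to its web origin, builds an allowlist from those origins plus the server's own origin, and serves the discovery and userinfo endpoints through a middleware that only echoes an `Access-Control-Allow-Origin` for origins on that list. Reflecting the incoming `Origin` header unconditionally would let any site, such as the `google.com` dev-console fetch described later in the thread, read the responses, so the middleware checks the list instead and always adds `Vary: Origin` so caches keep responses per origin.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Client is a hypothetical registered OIDC client record (not Pocket ID's type).
type Client struct {
	ID           string
	Public       bool
	CallbackURLs []string
}

// OriginAllowlist holds the scheme://host[:port] values that may call the
// browser-facing endpoints (discovery, userinfo, token) cross-origin.
type OriginAllowlist struct {
	origins map[string]struct{}
}

// BuildOriginAllowlist derives allowed origins from every public client's
// callback URLs: path, query and fragment are dropped, only the origin is kept.
// The server's own origin is always included.
func BuildOriginAllowlist(clients []Client, ownOrigin string) *OriginAllowlist {
	al := &OriginAllowlist{origins: map[string]struct{}{}}
	al.origins[strings.ToLower(ownOrigin)] = struct{}{}
	for _, c := range clients {
		if !c.Public {
			continue // confidential clients talk server-to-server; no browser CORS needed
		}
		for _, raw := range c.CallbackURLs {
			if o, ok := originOf(raw); ok {
				al.origins[o] = struct{}{}
			}
		}
	}
	return al
}

// originOf reduces a callback URL to its web origin. Custom schemes used by
// native apps (e.g. myapp://callback) have no web origin and are skipped.
func originOf(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" || (u.Scheme != "https" && u.Scheme != "http") {
		return "", false
	}
	return strings.ToLower(u.Scheme + "://" + u.Host), true
}

// Allowed reports whether the request's Origin header is on the allowlist.
// Origins are compared case-insensitively; a full URL with a path never matches.
func (al *OriginAllowlist) Allowed(origin string) bool {
	_, ok := al.origins[strings.ToLower(origin)]
	return ok
}

// Middleware sets CORS headers only for allowlisted origins instead of
// reflecting whatever Origin the browser sent. Vary: Origin is always added
// so a shared cache does not hand one origin's response to another.
func (al *OriginAllowlist) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin")
		if origin := r.Header.Get("Origin"); origin != "" && al.Allowed(origin) {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent) // preflight answer carries no body
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample registrations mirroring the setup described in the issue.
	clients := []Client{
		{ID: "frontend", Public: true, CallbackURLs: []string{"https://apps.dev.localhost/auth/callback"}},
		{ID: "backend", Public: false, CallbackURLs: []string{"https://api.dev.localhost/oidc/cb"}},
	}
	al := BuildOriginAllowlist(clients, "https://auth.dev.localhost")
	for _, o := range []string{"https://apps.dev.localhost", "https://www.google.com", "https://api.dev.localhost"} {
		fmt.Printf("%-28s allowed=%v\n", o, al.Allowed(o))
	}
	// Wiring for the browser-facing endpoints; the handlers themselves are placeholders.
	mux := http.NewServeMux()
	mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("{}")) })
	mux.HandleFunc("/api/oidc/userinfo", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("{}")) })
	_ = al.Middleware(mux) // pass to http.ListenAndServe in a real deployment
}
```

Because the allowlist is rebuilt from the client table, adding a new SPA means registering its callback URL, which is exactly the permission the issue argues should carry over to the discovery and userinfo endpoints; a browser on an unregistered origin still receives the response body over the wire, but without the header it cannot read it.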

@andreas-soroko commented on GitHub:

maybe some additional info:
I looked at what Zitadel is doing at this point (because I thought I might be wrong?).
They always respond in the header¹ (./wellknown/userinfo) with the domain that is doing the request.

And I have tested it with 2 configured clients with different domains (`client1 = apps1.dev.localhost`, `client2 = apps2.dev.localhost`):

  • if `app1.*` tries to login with `client1` credentials, the header contains `apps1.dev.localhost`
  • if `app1.*` tries to login with `client2` credentials, the header contains `apps1.dev.localhost`
    • but of course it didn't work because the callback URL was wrong

Then, just for fun, I tried visiting `google.com`, opening the dev console and running `fetch('https://auth.dev.localhost/.well-known/openid-configuration')`, and it responded with `https://www.google.com`.

I am currently not sure what the correct implementation would look like or how other providers have solved this problem. I only know that it also worked with Keycloak as well - might try that again if I have some time.

---
1) `the header` = `Access-Control-Allow-Origin`

@kmendell commented on GitHub:

After thinking more about this, it doesn't make sense; other clients can reach out to the well-known controller, right? It's only this one having the issue?


@paulgreg commented on GitHub:

I’ve got the same problem.
I’ve managed to make it work by adding the below configuration in nginx. However, it only works for a single client host, so it would be great to be able to configure it client by client.

```nginx
# Drop the upstream's CORS headers, then set a fixed allowed origin
proxy_hide_header Access-Control-Allow-Headers;
proxy_hide_header Access-Control-Allow-Origin;
add_header Access-Control-Allow-Origin 'https://myapp.com' always;
```

@savely-krasovsky commented on GitHub:

If I understood correctly, Pocket-ID for now doesn't support Single Page Applications which follow [this draft RFC](https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-24.html) and basically obtain access/refresh tokens themselves. You need to manually set CORS headers?


@kmendell commented on GitHub:

I have an SPA that I use to test the OIDC spec and it works with Pocket ID just fine. I think this issue is different; it's still open as we need to find a good solution to CORS.


@kmendell commented on GitHub:

@stonith404 What is an ideal plan for this?


@magikid commented on GitHub:

I ran into this today using Traefik in front of all my services. I created a middleware that applies the correct CORS policies to my Pocket ID ingress to resolve it.

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: pocket-id-cors
  namespace: default
spec:
  headers:
    accessControlAllowMethods:
      - "GET"
      - "OPTIONS"
      - "PUT"
      - "POST"
    accessControlAllowHeaders:
      - "*"
    accessControlAllowOriginList:
      - "https://pocket-id.whatever"
      - "https://otherservice.whatever"
    accessControlMaxAge: 100
    addVaryHeader: true
```

I then added the annotation `traefik.ingress.kubernetes.io/router.middlewares: "default-pocket-id-cors@kubernetescrd"` to my Pocket ID ingress and it all started working.


@Fred-06 commented on GitHub:

Hi,

Is this image (`ghcr.io/pocket-id/pocket-id:development-cors`) always available?

I have a similar problem, I think, when I try to connect the Owncloud Android app to my oCIS server.

Thanks!


@stonith404 commented on GitHub:

Would you mind trying the `ghcr.io/pocket-id/pocket-id:development-cors` image and letting me know if the CORS errors are gone?

Pocket ID should now allow all origins for endpoints that are needed for SPAs.


@chrismaster commented on GitHub:

> I’ve got the same problem. I’ve managed to make it work by adding the below configuration in nginx. However, it only works for a single client host so it would be great to be able to configure it client by client.
>
> ```nginx
> proxy_hide_header Access-Control-Allow-Headers;
> proxy_hide_header Access-Control-Allow-Origin;
> add_header Access-Control-Allow-Origin 'https://myapp.com' always;
> ```

use **$http_origin**

```nginx
# Echo back whatever Origin the request carried
proxy_hide_header Access-Control-Allow-Headers;
proxy_hide_header Access-Control-Allow-Origin;
add_header Access-Control-Allow-Origin "$http_origin";
```

@savely-krasovsky commented on GitHub:

I have had experience configuring the OpenCloud SPA, and in fact it did require me to set up an additional CORS header for Pocket ID.


@magikid commented on GitHub:

> Would you mind trying the `ghcr.io/pocket-id/pocket-id:development-cors` image and letting me know if the CORS errors are gone?
>
> Pocket ID should now allow all origins for endpoints that are needed for SPAs.

I deployed that image out and it seems to fix the CORS issue for me.


@savely-krasovsky commented on GitHub:

@Fred-06 this should be fixed. At least in my OpenCloud (oCIS fork) it now works without any quirks.


@savely-krasovsky commented on GitHub:

@C8opmBM you need to create clients for every client:

![Image](https://github.com/user-attachments/assets/daba5432-2db5-421c-84f5-012d4df78831)

Then you need to edit every Client ID and callback URLs to match OpenCloud documentation:

![Image](https://github.com/user-attachments/assets/9a688b92-0256-4044-ae80-1f82ea79c505)

For example desktop requires those callback URLs:

![Image](https://github.com/user-attachments/assets/aeeb4a03-a079-463f-9beb-1057f7ae5021)

Then I customized settings a bit to use `opencloud_role` claim:

```ini
# Pocket-ID related
Environment=PROXY_OIDC_REWRITE_WELLKNOWN=true
Environment=PROXY_AUTOPROVISION_ACCOUNTS=true
Environment=PROXY_ROLE_ASSIGNMENT_DRIVER=oidc
Environment=PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=opencloud_role
Environment=OC_OIDC_ISSUER=https://id.${base_domain}
Environment=OC_EXCLUDE_RUN_SERVICES=idp
```

And set `opencloud_role` claim to `opencloudAdmin` value.


@savely-krasovsky commented on GitHub:

@C8opmBM web, desktop and iOS work for me. They didn't release the Android app yet, so I cannot confirm it.


@C8opmBM commented on GitHub:

@savely-krasovsky wow, I didn't think that was possible yet. Would you share your desktop config/tutorial or make a comment [here](https://github.com/orgs/opencloud-eu/discussions/1018)?
Thanks


@C8opmBM commented on GitHub:

@savely-krasovsky - do you have all your opencloud clients working? web, desktop, android/ios?
I edited the client IDs but still only the web client works.


@C8opmBM commented on GitHub:

Amazing!!! This little bit made the difference for me, the `:*` after `127...`
Now it works!

Thank you! I will update my guide in the opencloud discussion.


@savely-krasovsky commented on GitHub:

@C8opmBM usually `http://127.0.0.1` is treated as a special case for native applications, since they use a random port. But Pocket-ID doesn't handle it unfortunately (I believe it should be fixed, since `*` could lead to potential vulnerabilities).

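The comment above describes the loopback special case for native apps: RFC 8252 section 7.3 says a registered `http://127.0.0.1/...` (or `http://[::1]/...`) redirect URI should match a request whose only difference is the port, because the app binds an ephemeral port at runtime. Encoding that one exception in the redirect_uri matcher removes the need for a `:*` wildcard in the registered callback URL. As an added example (not Pocket-ID's own code; `RedirectURIAllowed` and the sample registrations are hypothetical), the Go program below keeps exact string matching for everything else and relaxes only the port, only for `http` loopback IP literals, and only when scheme, host, path and query still agree.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// isLoopbackIP reports whether host is a loopback IP literal (127.0.0.0/8 or
// ::1). The name "localhost" deliberately does not qualify: RFC 8252 recommends
// the IP literals, and a hostname can be re-pointed by DNS or hosts-file edits.
func isLoopbackIP(host string) bool {
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// RedirectURIAllowed compares the redirect_uri from an authorization request
// against the client's registered callback URLs. Matching is exact, with the
// single RFC 8252 section 7.3 relaxation: for http loopback IP redirect URIs
// the port may differ. Scheme, host, path and query must still be identical,
// so a registered http://127.0.0.1/callback accepts http://127.0.0.1:49152/callback
// but not http://127.0.0.1:49152/other or https://127.0.0.1:49152/callback.
func RedirectURIAllowed(registered []string, requested string) bool {
	req, err := url.Parse(requested)
	if err != nil {
		return false
	}
	for _, r := range registered {
		if r == requested {
			return true // exact match, the normal case for web and custom-scheme clients
		}
		reg, err := url.Parse(r)
		if err != nil {
			continue
		}
		if reg.Scheme == "http" && req.Scheme == "http" &&
			isLoopbackIP(reg.Hostname()) && reg.Hostname() == req.Hostname() &&
			reg.Path == req.Path && reg.RawQuery == req.RawQuery {
			return true // loopback: port ignored, everything else exact
		}
	}
	return false
}

func main() {
	// Constructed registrations: a native desktop client on loopback and a web SPA.
	registered := []string{
		"http://127.0.0.1/callback",
		"http://[::1]/callback",
		"https://apps.dev.localhost/cb",
	}
	for _, in := range []string{
		"http://127.0.0.1:49152/callback",
		"http://127.0.0.1:49152/other",
		"http://localhost:49152/callback",
		"https://apps.dev.localhost/cb",
		"https://apps.dev.localhost:8443/cb",
	} {
		fmt.Printf("%-40s allowed=%v\n", in, RedirectURIAllowed(registered, in))
	}
}
```

Keeping the wildcard out of the registration data is the point: a `*` in a stored callback URL is a pattern the matcher has to interpret everywhere, whereas the loopback rule is a fixed, narrowly scoped exception that cannot widen any non-loopback registration.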

@FrankelJb commented on GitHub:

> [@C8opmBM](https://github.com/C8opmBM) you need to create clients for every client:
>
> ![Image](https://github.com/user-attachments/assets/daba5432-2db5-421c-84f5-012d4df78831)
>
> Then you need to edit every Client ID and callback URLs to match OpenCloud documentation:
>
> ![Image](https://github.com/user-attachments/assets/9a688b92-0256-4044-ae80-1f82ea79c505)
>
> For example desktop requires those callback URLs:
>
> ![Image](https://github.com/user-attachments/assets/aeeb4a03-a079-463f-9beb-1057f7ae5021)
>
> Then I customized settings a bit to use `opencloud_role` claim:
>
> ```ini
> # Pocket-ID related
> Environment=PROXY_OIDC_REWRITE_WELLKNOWN=true
> Environment=PROXY_AUTOPROVISION_ACCOUNTS=true
> Environment=PROXY_ROLE_ASSIGNMENT_DRIVER=oidc
> Environment=PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=opencloud_role
> Environment=OC_OIDC_ISSUER=https://id.${base_domain}
> Environment=OC_EXCLUDE_RUN_SERVICES=idp
> ```
>
> And set `opencloud_role` claim to `opencloudAdmin` value.

Is it possible to set the IOS_CLIENT_ID as an environment variable? I can’t see a way to set the client id to OpenCloudIOS in Pocket ID as the OC docs explain.

Reference: starred/pocket-id#299