🐛 Bug Report: Callback url containing pound symbol #427

Closed
opened 2025-10-07 00:14:33 +03:00 by OVERLORD · 2 comments

Originally created by @ashiksmd on GitHub.

Reproduction steps

I am trying to set up SSO on Synology DSM. The redirect URL is https://dsm-domain:5001/#/signin.
After login, I am redirected to "https://dsm-domain:5001/#/signin?code=...state=...". DSM does not recognize the parameters and sends me back to the login page.

When I used Authentik instead, I noticed that the callback url has the anchor part at the end instead like this: "https://dsm-domain:5001/?code=...&state=...#/signin" which works with Synology.

Expected behavior

Redirect urls with anchor names should have the anchor at the end of the url, after the url params.
https://dsm-domain:5001/?code=...&state=...#/signin

Actual Behavior

The callback url had the auth parameters added to the end after the anchor:
https://dsm-domain:5001/#/signin?code=...&state=...

OVERLORD added the bug label 2025-10-07 00:14:33 +03:00
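
The difference between the two callback URLs in the report, as an added example that is not part of the original issue and is not pocket-id's code: everything after `#` is the fragment, so parameters appended there never reach the query string the client reads. The function names and the `SAMPLE_*` values are constructed for illustration.

```javascript
// Added example: hypothetical helper names, constructed sample values.

// Naive approach: concatenating onto the raw string places the
// parameters after '#', so they become part of the fragment.
function appendNaive(redirectUri, params) {
  const sep = redirectUri.includes("?") ? "&" : "?";
  return redirectUri + sep + new URLSearchParams(params).toString();
}

// Fragment-aware approach: parse the URI, add the parameters to the
// query component, and let the serializer emit the fragment last.
// Query parameters already present on the redirect URI are preserved.
function appendToQuery(redirectUri, params) {
  const url = new URL(redirectUri);
  for (const [key, value] of Object.entries(params)) {
    url.searchParams.set(key, value);
  }
  return url.toString();
}

// What a client can read from the query string of a callback URL.
function queryParam(callbackUrl, name) {
  return new URL(callbackUrl).searchParams.get(name);
}

const redirectUri = "https://dsm-domain:5001/#/signin";        // from the report
const params = { code: "SAMPLE_CODE", state: "SAMPLE_STATE" }; // constructed

const naive = appendNaive(redirectUri, params);
const fixed = appendToQuery(redirectUri, params);

console.log(naive, "-> code =", queryParam(naive, "code"));
console.log(fixed, "-> code =", queryParam(fixed, "code"));
```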

@stonith404 commented on GitHub:

Thanks for reporting this. This should be fixed in v0.22.0.


@ashiksmd commented on GitHub:

I set up a userscript to automatically change the redirect url like this:

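```
// ==UserScript==
// @name         Synology fix callback after SSO
// @match        https://dsm.domain:5001/*
// ==/UserScript==
(function() {
    'use strict';
    // Matches the callback when the auth parameters landed after the fragment.
    const regex = /https:\/\/dsm\.domain:5001\/#\/signin\?(code=.*)/gm;
    if (!regex.test(window.location.href)) return;
    // Move the parameters into the query string and put the fragment last.
    window.location.href = window.location.href.replace(regex, "https://dsm.domain:5001/?$1#/signin");
})();
```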

This lets me log in using pocket-id on desktop, but I am still not able to SSO from mobile devices where I cannot run userscripts.


Reference: starred/pocket-id#427