🐛 Bug Report: please write a guide to use caddy proxy before pocketid #47

Closed
opened 2026-02-04 16:53:18 +03:00 by OVERLORD · 6 comments

Originally created by @PaddyPat on GitHub (Oct 27, 2024).

### Reproduction steps

Tried your guide, thanks for this nice tool!

Successful auth via passkey in pocketid (pocketid is behind the main caddy for all my services).

If I access pocketid /.wellknown from my browser / client, I receive a 200 and see the text for auth urls.

If I use for example mealie (also behind caddy proxy) and enable oidc, I receive a 40x error.

Secret and key are valid, tried it several times.

Maybe it would help to see a caddy example in front of your pocketid and mealie as oidc.

Br

### Expected behavior

should work ;-)

### Actual Behavior

Can't auth: works directly via the pocketid URL but not as OIDC provider.

OVERLORD added the bug label 2026-02-04 16:53:18 +03:00

@stonith404 commented on GitHub (Oct 27, 2024):

Please share the errors that you get from Mealie e.g. screenshots or logs.


@PaddyPat commented on GitHub (Oct 28, 2024):

Caddyfile (my caddy proxy, not internal from this project):

```
#pocketid
pocketid.server01.domain.com {
    reverse_proxy http://172.17.0.1:3000

    # Enable HSTS to enforce HTTPS with a max-age of 1 year and include subdomains
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    }

    # Restrict to modern and secure TLS versions only (TLS 1.2 and 1.3)
    tls {
        protocols tls1.2 tls1.3
        ciphers TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256
    }

}
```

docker-compose pocket-id:

```
services:
  pocket-id:
    image: stonith404/pocket-id:latest
    container_name: pocketid
    restart: unless-stopped
    env_file: .env
    ports:
      - 172.17.0.1:3000:80
    volumes:
      - "./data:/app/backend/data"

    networks:
      pocketid_compose:
        ipv4_address: 10.201.112.2

networks:
  pocketid_compose:
    driver: bridge
    ipam:
      config:
        - subnet: 10.201.112.0/24
```

.env pocket-id content:

```
PUBLIC_APP_URL=https://pocketid.server01.domain.com
TRUST_PROXY=true
```

docker-compose mealie:

```
version: "3.1"
services:
  mealie:
    image: hkotel/mealie
    container_name: mealie
    restart: unless-stopped
    depends_on:
      - "postgres"
    ports:
      - 172.17.0.1:9925:9000
    environment:
      PUID: 1000
      PGID: 1000
      TZ: Europe/Berlin

      BASE_URL: https://mealie.server01.domain.com

      DB_ENGINE: postgres
      POSTGRES_USER: xxXXxx
      POSTGRES_PASSWORD: xxXXxx
      POSTGRES_SERVER: postgres
      POSTGRES_PORT: 5432
      POSTGRES_DB: mealie
      # WORKERS_PER_CORE: 0.5
      # MAX_WORKERS: 8
      WEB_CONCURRENCY: 2

      ALLOW_SIGNUP: "true"
      LOG_LEVEL: debug
      #OIDC PocketID
      OIDC_AUTH_ENABLED: true
      #OIDC_SIGNUP_ENABLED: true
      OIDC_CONFIGURATION_URL: https://pocketid.server01.domain.com/.well-known/openid-configuration
      OIDC_CLIENT_ID: "112a2a91xxxxx"
      OIDC_CLIENT_SECRET: "xxxxx"
#      OIDC_AUTO_REDIRECT: true
      OIDC_PROVIDER_NAME: "Pocket ID"
#      OIDC_USER_CLAIM: openid profile email
      OIDC_USER_CLAIM: "email"
      #openid profile email
      OIDC_TLS_CACERTFILE: https://pocketid.server01.domain.com/.well-known/jwks.json

    volumes:
      - ./data/:/app/data

    networks:
      mealie_compose:
        ipv4_address: 10.201.110.2

  postgres:
    container_name: postgres
    image: postgres
    restart: unless-stopped
    environment:
      POSTGRES_PASSWORD: xxXXxx
      POSTGRES_USER: xxXXxx

    volumes:
      - ./postgres:/var/lib/postgresql/data

    networks:
      mealie_compose:
        ipv4_address: 10.201.110.3

networks:
  mealie_compose:
    driver: bridge
    ipam:
      config:
        - subnet: 10.201.110.0/24
```

ufw allows access from 10.201.110.2 to the main caddy container, so from mealie I can reach it via curl -vv https://pocketid.server01.domain.com/.well-known/openid-configuration

log in pocket-id:

```
pocketid  | [GIN] 2024/10/28 - 06:48:55 | 403 |       4.733µs |   30.40.50.60 | GET      "/.well-known/openid-configuration"
pocketid  | [GIN] 2024/10/28 - 06:48:55 | 403 |      45.673µs |   30.40.50.60 | GET      "/.well-known/openid-configuration"
pocketid  | [GIN] 2024/10/28 - 06:48:57 | 403 |       4.564µs |   30.40.50.60 | GET      "/.well-known/openid-configuration"
pocketid  | [GIN] 2024/10/28 - 06:48:57 | 403 |      44.475µs |   30.40.50.60 | GET      "/.well-known/openid-configuration"
```

log in mealie:

```
mealie    | INFO     2024-10-28T07:48:55 - [30.40.50.60:0] 200 OK "GET /api/app/about HTTP/1.1"
mealie    | INFO     2024-10-28T07:48:56 - [30.40.50.60:0] 200 OK "GET /api/app/about HTTP/1.1"
mealie    | INFO     2024-10-28T07:48:56 - [30.40.50.60:0] 200 OK "GET /api/app/about/startup-info HTTP/1.1"
mealie    | INFO     2024-10-28T07:48:56 - [30.40.50.60:0] 200 OK "GET /sw.js HTTP/1.1"
mealie    | INFO     2024-10-28T07:48:57 - [30.40.50.60:0] 200 OK "GET /null?protocol=oauth2&response_type=code&access_type&client_id=afe8b0dXXXXXXXXXXXXXXXXXe&redirect_uri=https%3A%2F%2Fmealie.server01.domain.com%2Flogin&scope=openid%20profile%20email&state=0zdl8yzrut&code_challenge_method=S256&code_challenge=gtXXXXXXXXXXXXXXXXXXXXq2ukjY HTTP/1.1"
mealie    | INFO     2024-10-28T07:48:58 - [30.40.50.60:0] 200 OK "GET /sw.js HTTP/1.1"
mealie    | INFO     2024-10-28T07:49:16 - [127.0.0.1:55244] 200 OK "GET /api/app/about HTTP/1.1"
mealie    | INFO     2024-10-28T07:49:46 - [127.0.0.1:41778] 200 OK "GET /api/app/about HTTP/1.1"
mealie    | INFO     2024-10-28T07:50:16 - [127.0.0.1:42764] 200 OK "GET /api/app/about HTTP/1.1"
```

I also tried it with FreshRSS (also 400/403); I can't reach /api:

```
pocketid | [GIN] 2024/10/28 - 07:19:53 | 403 | 375.732µs | 30.40.50.60 | POST "/api/oidc/authorize"
pocketid | [GIN] 2024/10/28 - 07:19:53 | 403 | 401.208µs | 30.40.50.60 | POST "/api/oidc/authorize"
pocketid | [GIN] 2024/10/28 - 07:19:54 | 400 | 562.693µs | 30.40.50.60 | POST "/api/oidc/authorize/new-client"
pocketid | [GIN] 2024/10/28 - 07:19:54 | 400 | 588.623µs | 30.40.50.60 | POST "/api/oidc/authorize/new-client"
```

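Reading the two logs in this comment side by side is the quickest way to localise the failure: the provider rejects the OIDC endpoints with 403/400, and the client then sends the browser to a literal /null path with OAuth parameters, which is what a relying party produces when the discovery document it tried to load came back empty. The following Python triage script is an added example, not part of the issue, of Pocket ID or of Mealie. It parses the GIN access-log format and the Mealie request-log format on constructed sample lines of the same shape, lists the OIDC paths the provider rejected with a count per status, and flags the /null authorize request. The regexes, the sample lines and the finding format are the example's own assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in the same shape as the logs pasted in the issue (not copied output).
POCKETID_LOG = """\
pocketid  | [GIN] 2024/10/28 - 06:48:55 | 403 |       4.733µs |   30.40.50.60 | GET      "/.well-known/openid-configuration"
pocketid  | [GIN] 2024/10/28 - 06:48:57 | 403 |      44.475µs |   30.40.50.60 | GET      "/.well-known/openid-configuration"
pocketid  | [GIN] 2024/10/28 - 07:19:53 | 403 |     375.732µs |   30.40.50.60 | POST     "/api/oidc/authorize"
pocketid  | [GIN] 2024/10/28 - 07:19:54 | 400 |     562.693µs |   30.40.50.60 | POST     "/api/oidc/authorize/new-client"
pocketid  | [GIN] 2024/10/28 - 07:20:01 | 200 |     120.001µs |   30.40.50.60 | GET      "/.well-known/jwks.json"
"""

MEALIE_LOG = """\
mealie    | INFO     2024-10-28T07:48:56 - [30.40.50.60:0] 200 OK "GET /api/app/about HTTP/1.1"
mealie    | INFO     2024-10-28T07:48:57 - [30.40.50.60:0] 200 OK "GET /null?protocol=oauth2&response_type=code&client_id=afe8b0dXXX&redirect_uri=https%3A%2F%2Fmealie.server01.domain.com%2Flogin&scope=openid%20profile%20email&state=0zdl8yzrut HTTP/1.1"
"""

# [GIN] <date> - <time> | <status> | <latency> | <client ip> | <method> "<path>"
GIN_RE = re.compile(
    r'\[GIN\]\s+(?P<ts>\S+ - \S+)\s+\|\s+(?P<status>\d{3})\s+\|\s+\S+\s+\|\s+'
    r'(?P<ip>\S+)\s+\|\s+(?P<method>[A-Z]+)\s+"(?P<path>[^"]*)"'
)
# <level> <timestamp> - [<ip>:<port>] <status> <reason> "<method> <path> HTTP/x"
MEALIE_RE = re.compile(
    r'(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+-\s+\[(?P<ip>[^\]:]+):\d+\]\s+'
    r'(?P<status>\d{3})\s+\S+\s+"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP'
)

# Paths that belong to the OIDC flow (discovery, JWKS, authorize); everything else is app traffic.
OIDC_PREFIXES = ("/.well-known/", "/api/oidc/")


def parse_log(log: str, pattern: re.Pattern) -> list[dict]:
    """Return one dict per line the pattern matches; lines in another format are skipped."""
    entries = []
    for line in log.splitlines():
        m = pattern.search(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def failing_oidc_endpoints(entries: list[dict]) -> dict[str, Counter]:
    """OIDC-related paths that returned 4xx/5xx, with a count per status code."""
    failures: dict[str, Counter] = defaultdict(Counter)
    for e in entries:
        if e["status"] >= 400 and e["path"].startswith(OIDC_PREFIXES):
            failures[e["path"]][e["status"]] += 1
    return dict(failures)


def broken_authorize_redirects(entries: list[dict]) -> list[dict]:
    """Requests for '/null?...response_type=code...': the relying party built its authorize
    URL from an authorization_endpoint it never received, i.e. discovery did not load."""
    hits = []
    for e in entries:
        parts = urlsplit(e["path"])
        qs = parse_qs(parts.query)
        if parts.path == "/null" and qs.get("response_type") == ["code"]:
            hits.append({
                "ts": e["ts"],
                "client_id": qs.get("client_id", [""])[0],
                "redirect_uri": qs.get("redirect_uri", [""])[0],
            })
    return hits


def triage(pocketid_log: str, mealie_log: str) -> list[str]:
    """Findings in the order a defender reads them: provider-side rejections, then client symptoms."""
    findings = []
    for path, counts in failing_oidc_endpoints(parse_log(pocketid_log, GIN_RE)).items():
        detail = ", ".join(f"{n}x {code}" for code, n in sorted(counts.items()))
        findings.append(f"provider: {path} rejected ({detail})")
    for hit in broken_authorize_redirects(parse_log(mealie_log, MEALIE_RE)):
        findings.append(
            f"client: authorize URL resolved to /null at {hit['ts']} "
            f"(client_id {hit['client_id']}, redirect_uri {hit['redirect_uri']})"
        )
    return findings


if __name__ == "__main__":
    for finding in triage(POCKETID_LOG, MEALIE_LOG):
        print(finding)
```

The order of the findings is the point: every client-side symptom here is downstream of the provider refusing the discovery endpoint, so the provider's 403s on /.well-known/openid-configuration are what to chase first, and a 200 on the same path from a browser does not rule them out because the relying party fetches it server-to-server.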

@stonith404 commented on GitHub (Oct 28, 2024):

With Freshrss you get the error that the client secret is wrong but "/.well-known/openid-configuration" is accessible, right?

If you get this error the issue is that the client secret is wrong, there is no other cause. Please double-check the client secret for any extra spaces or formatting issues to ensure it’s entered exactly as provided.


@PaddyPat commented on GitHub (Oct 28, 2024):

FreshRSS works; the issue was the callback URL, which also needs a slash at the end:
https://freshrss.server01.domain.com/i/oidc/


@stonith404 commented on GitHub (Oct 28, 2024):

Ok but in that case the issue isn't Caddy because FreshRSS can access Pocket ID. As I don't know your entire setup I can't really help you further. But we know now that the issue isn't Pocket ID or Caddy.

I've successfully configured Pocket ID with Mealie with the following configuration:

```
services:
  mealie:
    image: ghcr.io/mealie-recipes/mealie:v2.0.0 #
    ports:
        - "9925:9000" #
    environment:
      ALLOW_SIGNUP: "true"
      PUID: 1000
      PGID: 1000
      TZ: America/Anchorage
      MAX_WORKERS: 1
      WEB_CONCURRENCY: 1
      BASE_URL: http://localhost:9925
      OIDC_AUTH_ENABLED: true
      OIDC_CONFIGURATION_URL: https://pocket-id.mydomain.com/.well-known/openid-configuration
      OIDC_CLIENT_ID: 27a35d23-2fc1-4676-b186-3cdf25c83215
      OIDC_CLIENT_SECRET: eiIP5N416dOGFGFIpGApBae6Mhnht9Rb
```
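Two of the pitfalls in this thread (the FreshRSS callback URL that only worked with its trailing slash, and the Mealie OIDC settings compared in the previous two comments) can be checked mechanically on the relying-party side. A provider compares the presented redirect URI with the registered one character for character, so a missing trailing slash is a mismatch; that is the exact-match rule of RFC 6749 and OpenID Connect Core, not something specific to FreshRSS or Pocket ID. And the discovery document fetched from OIDC_CONFIGURATION_URL must carry an issuer equal to that URL with the /.well-known/openid-configuration suffix removed (OpenID Connect Discovery 1.0, section 4.3). The Python below is an added example, not code from the issue, from Pocket ID or from Mealie; the discovery document is constructed with placeholder endpoint paths, and the function names are the example's own.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"


def redirect_uri_matches(registered: list[str], presented: str) -> bool:
    """Exact string comparison, as RFC 6749 section 3.1.2.3 and OIDC Core section 3.1.2.1
    require of a provider: no normalisation, so a trailing-slash difference is a mismatch."""
    return presented in registered


def explain_redirect_mismatch(registered: str, presented: str) -> list[str]:
    """Name the component(s) that differ, so a login failure can say why the URI was rejected."""
    r, p = urlsplit(registered), urlsplit(presented)
    diffs = []
    if r.scheme != p.scheme:
        diffs.append(f"scheme {p.scheme!r} != {r.scheme!r}")
    if r.netloc != p.netloc:
        diffs.append(f"host {p.netloc!r} != {r.netloc!r}")
    if r.path != p.path:
        if r.path.rstrip("/") == p.path.rstrip("/"):
            diffs.append("trailing slash differs")
        else:
            diffs.append(f"path {p.path!r} != {r.path!r}")
    if r.query != p.query:
        diffs.append("query differs")
    if p.fragment:
        diffs.append("fragment not allowed")
    return diffs


def check_discovery(configuration_url: str, doc: dict) -> list[str]:
    """Checks a relying party should make before trusting a discovery document
    (OpenID Connect Discovery 1.0 section 4.3): HTTPS, well-known path, issuer equal to the
    URL with the well-known suffix removed, required endpoints present and served over HTTPS."""
    problems = []
    u = urlsplit(configuration_url)
    if u.scheme != "https":
        problems.append("configuration URL is not https")
    expected_issuer = None
    if u.path.endswith(WELL_KNOWN):
        # Rebuild from components so a stray query string cannot end up in the issuer.
        expected_issuer = f"{u.scheme}://{u.netloc}{u.path[:-len(WELL_KNOWN)]}"
    else:
        problems.append(f"configuration URL does not end with {WELL_KNOWN}")
    issuer = doc.get("issuer")
    if expected_issuer is not None and issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} != {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not value:
            problems.append(f"{key} missing")
        elif not value.startswith("https://"):
            problems.append(f"{key} is not https")
    return problems


# Constructed discovery document in the shape every OIDC provider publishes; the endpoint
# paths are placeholders for this example, not Pocket ID's real routes.
SAMPLE_DOC = {
    "issuer": "https://pocketid.server01.domain.com",
    "authorization_endpoint": "https://pocketid.server01.domain.com/authorize",
    "token_endpoint": "https://pocketid.server01.domain.com/token",
    "jwks_uri": "https://pocketid.server01.domain.com/.well-known/jwks.json",
}


if __name__ == "__main__":
    registered = "https://freshrss.server01.domain.com/i/oidc/"
    presented = "https://freshrss.server01.domain.com/i/oidc"
    print(redirect_uri_matches([registered], presented),
          explain_redirect_mismatch(registered, presented))
    url = "https://pocketid.server01.domain.com" + WELL_KNOWN
    print(check_discovery(url, SAMPLE_DOC))
    print(check_discovery(url, dict(SAMPLE_DOC, issuer="https://pocketid.server01.domain.com/")))
```

The issuer check is the one that bites behind a reverse proxy: if PUBLIC_APP_URL on the provider and OIDC_CONFIGURATION_URL on the client disagree by so much as a trailing slash or a scheme, a conforming relying party must refuse the document even though the proxy served it with a 200.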

@PaddyPat commented on GitHub (Oct 28, 2024):

Thanks for your help!
It was Mealie image related!
(I had OIDC issues with image hkotel/mealie; ghcr.io/mealie-recipes/mealie:v2.0.0 works fine.)

Reference: starred/pocket-id#47