🐛 Bug Report: OIDC with FreshRSS not working #492

New Issue

Closed

opened 2025-10-07 00:17:01 +03:00 by OVERLORD · 3 comments

OVERLORD commented 2025-10-07 00:17:01 +03:00

Owner

Copy Link

Originally created by @bart268 on GitHub.

Reproduction steps

I try to login to FreshRSS with pocket-id. My current setup is authentik but I am trying to move to pocket-id.
Authentik is working fine but as soon as I configure pocket-id I am unable to login.

Steps:

• Client goes to FreshRSS webpage
• Client get redirected and prompted for the passkey
• Client gets redirected to FreshRSS after passkey authentication
• Client gets an error "oidc_proto_resolve_code_and_validate_response: code response validation failed"

FreshRSS logs shows this error:
[auth_openidc:error] [pid 55] [client x.x.x.x:0] oidc_proto_validate_code_response: requested flow is "code" but no "token_type" parameter found in the code response, referer: https://pocket-id.domain/
[auth_openidc:error] [pid 55] [client x.x.x.x:0] oidc_proto_resolve_code_and_validate_response: code response validation failed, referer: https://pocket-id.domain/

Client browser shows this error:
oidc_proto_resolve_code_and_validate_response: code response validation failed

FreshRSS OIDC config:
OIDC_ENABLED=1
OIDC_PROVIDER_METADATA_URL=https://pocket-id.domain/.well-known/openid-configuration
OIDC_CLIENT_ID=xxx
OIDC_CLIENT_SECRET=xxx
OIDC_X_FORWARDED_HEADERS=X-Forwarded-Proto
OIDC_SCOPES=openid email profile

Expected behavior

Client should be able to login using pocket-id and be redirected/authenticated in to freshrss.

Actual Behavior

Client browser shows "oidc_proto_resolve_code_and_validate_response: code response validation failed" after being authenticated in pocket-id.

Originally created by @bart268 on GitHub. ### Reproduction steps I try to login to FreshRSS with pocket-id. My current setup is authentik but I am trying to move to pocket-id. Authentik is working fine but as soon as I configure pocket-id I am unable to login. Steps: - Client goes to FreshRSS webpage - Client get redirected and prompted for the passkey - Client gets redirected to FreshRSS after passkey authentication - Client gets an error "oidc_proto_resolve_code_and_validate_response: code response validation failed" FreshRSS logs shows this error: [auth_openidc:error] [pid 55] [client x.x.x.x:0] oidc_proto_validate_code_response: requested flow is "code" but no "token_type" parameter found in the code response, referer: https://pocket-id.domain/ [auth_openidc:error] [pid 55] [client x.x.x.x:0] oidc_proto_resolve_code_and_validate_response: code response validation failed, referer: https://pocket-id.domain/ Client browser shows this error: oidc_proto_resolve_code_and_validate_response: code response validation failed FreshRSS OIDC config: OIDC_ENABLED=1 OIDC_PROVIDER_METADATA_URL=https://pocket-id.domain/.well-known/openid-configuration OIDC_CLIENT_ID=xxx OIDC_CLIENT_SECRET=xxx OIDC_X_FORWARDED_HEADERS=X-Forwarded-Proto OIDC_SCOPES=openid email profile ### Expected behavior Client should be able to login using pocket-id and be redirected/authenticated in to freshrss. ### Actual Behavior Client browser shows "oidc_proto_resolve_code_and_validate_response: code response validation failed" after being authenticated in pocket-id.

OVERLORD added the bug label 2025-10-07 00:17:01 +03:00

OVERLORD closed this issue 2025-10-07 00:17:02 +03:00

OVERLORD commented 2025-10-07 00:17:03 +03:00

Author

Owner

Copy Link

@bart268 commented on GitHub:

Awesome, it's fixed!

@bart268 commented on GitHub: Awesome, it's fixed!

OVERLORD commented 2025-10-07 00:17:03 +03:00

Author

Owner

Copy Link

@stonith404 commented on GitHub:

Thanks for your report. Would you mind to test it again with the stonith404/pocket-id:development image? I might have fixed it.

@stonith404 commented on GitHub: Thanks for your report. Would you mind to test it again with the `stonith404/pocket-id:development` image? I might have fixed it.

OVERLORD commented 2025-10-07 00:17:04 +03:00

Author

Owner

Copy Link

@stonith404 commented on GitHub:

Great :) You can switch back to the normal image as soon as I've created the release.

@stonith404 commented on GitHub: Great :) You can switch back to the normal image as soon as I've created the release.

OVERLORD referenced this issue 2025-10-07 00:21:55 +03:00

[PR #492] [MERGED] fix: last name still showing as required on account form #761

OVERLORD referenced this issue 2025-10-07 00:22:00 +03:00

[PR #492] fix: last name still showing as required on account form #765

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

i18n_crowdin

breaking/v2

v2/use-item-component

default-env-db-keys

slog-gorm

v1.16.0

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.13.1

v1.13.0

v1.12.0

v1.11.2

v1.11.1

v1.11.0

v1.10.0

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.0

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.53.0

v0.52.0

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.0

v0.45.0

v0.44.0

v0.43.1

v0.43.0

v0.42.1

v0.42.0

v0.41.0

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.6

v0.35.5

v0.35.4

v0.35.3

v0.35.2

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.1

v0.28.0

v0.27.2

v0.27.1

v0.27.0

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

breaking

bug

documentation

feature

needs more upvotes

open to pull requests

pull-request

Mirrored from GitHub Pull Request

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/pocket-id#492