🐛 Bug Report: #506

Closed
opened 2026-02-04 20:17:53 +03:00 by OVERLORD · 1 comment

Originally created by @leof28 on GitHub (Oct 12, 2025).

Reproduction steps

When I launch Caddy with Pocket ID, I get a lot of spam (every 1 sec) of "no token found" from Caddy.
Also, I can't log in through the Streamyfin app and the Jellyfin TV app because nothing loads when I enter my credentials.
Here is my Caddyfile:

{
    email admin@domain.com
    # Cloudflare DNS for certificates
    acme_dns cloudflare {env.CF_API_TOKEN}

    servers {
        trusted_proxies cloudflare
    }

    # ───────────────────────────────────────────────
    # 🔒 Security: Authentication & Authorization
    # ───────────────────────────────────────────────

    order authenticate before respond
    security {

        oauth identity provider generic {
            delay_start 3
            realm generic
            driver generic
            client_id xxxx
            client_secret xxxxx
            scopes openid email profile
            base_auth_url https://auth.domain.com
            metadata_url https://auth.domain.com/.well-known/openid-configuration
        }

        authentication portal authportal {
            enable identity provider generic
            cookie domain *.domain.com
            cookie path /
            crypto default token lifetime 3600
            transform user {
                match realm generic
                action add role user
            }
        }

        # ─────────── AUTHORIZATION ───────────
        authorization policy authpolicy {
            set auth url /oauth2/generic
            allow roles user
            # inject headers generated automatically by Caddy Security
            inject headers with claims
        }
    }
}

# ───────────────────────────────────────────────
# 🎬 Jellyfin
# ───────────────────────────────────────────────
jellyfin.domain.com {

    @auth {
        path /oauth2/generic
        path /oauth2/generic/authorization-code-callback
    }

    route @auth {
        authenticate with authportal
    }

    route /* {
        authorize with authpolicy
        reverse_proxy 192.168.1.100:8096 {
            header_up X-Real-IP {http.request.remote}
            header_up X-Forwarded-For {http.request.header.X-Forwarded-For}, {http.request.remote}
            header_up Authorization {http.request.header.Authorization}

        }
    }

    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }

    log {
        output file /var/log/caddy/jelly_access.log {
            roll_size 10MiB
            roll_keep 5
            roll_keep_for 48h
        }
        format json
        level INFO
    }
}

# ───────────────────────────────────────────────
# 📥 Demande (Jellyseer)
# ───────────────────────────────────────────────
demande.domain.com {
    @auth path /caddy-security/*
    route @auth {
        authenticate with authportal
    }

    route /* {
        authorize with authpolicy
        reverse_proxy 192.168.1.100:8097 {
            header_up X-Real-IP {http.request.remote}
            header_up X-Forwarded-For {http.request.header.X-Forwarded-For}, {http.request.remote}
        }
    }

    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }

    log {
        output file /var/log/caddy/demande_access.log {
            roll_size 10MiB
            roll_keep 5
            roll_keep_for 48h
        }
        format json
        level INFO
    }
}

# ───────────────────────────────────────────────
# 🔐 Auth (PocketID / Keycloak)
# ───────────────────────────────────────────────
auth.domain.com {
    reverse_proxy 192.168.1.100:1411

    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }

    log {
        output file /var/log/caddy/pocketid_access.log {
            roll_size 10MiB
            roll_keep 5
            roll_keep_for 48h
        }
        format json
        level INFO
    }
}

Expected behavior

It should not spam, and I should be able to connect through Streamyfin and the Jellyfin TV app.

Actual Behavior

Spam of logs

Pocket ID Version

Pocket ID 1.13.1

Database

None?

OS and Environment

Docker Compose
Caddy:


services:
  caddy:
    container_name: caddyv2
    image: caddy-security-cloudflare-jwt-ip:latest
    build:
      context: .
      dockerfile_inline: |
        FROM caddy:2-builder AS builder
        RUN xcaddy build \
          --with github.com/caddy-dns/cloudflare \
          --with github.com/ggicci/caddy-jwt \
          --with github.com/greenpau/caddy-security \
          --with github.com/WeidiDeng/caddy-cloudflare-ip
        FROM caddy:2-alpine
        COPY --from=builder /usr/bin/caddy /usr/bin/caddy
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    environment:
      - CF_API_TOKEN=${CF_API_TOKEN}
      - GENERIC_CLIENT_ID=${GENERIC_CLIENT_ID}
      - GENERIC_CLIENT_SECRET=${GENERIC_CLIENT_SECRET}
    volumes:
      - /mnt/base/apps/config/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - /mnt/base/apps/config/caddy/data:/data
      - /mnt/base/apps/config/caddy/config:/config
      - /mnt/base/apps/config/caddy/logs:/var/log/caddy
    networks:
      - auth
networks:
  auth:
    external: true

Pocket ID:

services:
  pocket-id:
    image: ghcr.io/pocket-id/pocket-id:v1
    restart: unless-stopped
    env_file: .env
    networks:
      - auth
    ports:
      - 1411:1411
    volumes:
      - /mnt/base/apps/config/pocketid/data:/app/data
    # Optional healthcheck
    healthcheck:
      test:
        - CMD
        - /app/pocket-id
        - healthcheck
      interval: 1m30s
      timeout: 5s
      retries: 2
      start_period: 10s
networks:
  auth:
    external: true

Log Output

pocket-id-1  | Oct 12 11:52:34 INF Request app=pocket-id version=1.13.1 status=200 method=GET path=/authorize query="client_id=8d54f791-68c4-4aca-9f06-2d8c94f0a6dd&nonce=pjrbaIlfqctsKcTAROZHDNYcpFaTEaSG&redirect_uri=https%3A%2F%2Fjelly.my.domain%2Foauth2%2Fgeneric%2Fauthorization-code-callback&response_type=code&scope=openid+email+profile&state=caa9a897-7f74-4be1-bcf8-13fbf8ff6a08" route="" ip=privateIP latency=47.075µs referer="" user_agent=axios/1.7.2 body_size=1508
pocket-id-1  | Oct 12 11:52:35 INF Request app=pocket-id version=1.13.1 status=200 method=GET path=/authorize query="client_id=8d54f791-68c4-4aca-9f06-2d8c94f0a6dd&nonce=X9gDfhDdcI7sjcbPYvpoIgYmd6agSZoh&redirect_uri=https%3A%2F%2Fjelly.my.domain%2Foauth2%2Fgeneric%2Fauthorization-code-callback&response_type=code&scope=openid+email+profile&state=f8bf295c-f366-4b3b-8c12-a9120b2c94a1" route="" ip=privateIP latency=28.838µs referer="" user_agent=axios/1.7.2 body_size=1508

And the Caddy log:

caddyv2  | {"level":"error","ts":1760270181.1038342,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed: src_ip=MYIP, src_conn_ip=172.70.108.XXX, reason: no token found"}
caddyv2  | {"level":"error","ts":1760270182.1048965,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed: src_ip=MYIP, src_conn_ip=162.158.23.XXX, reason: no token found"}
caddyv2  | {"level":"error","ts":1760270183.1036727,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed: src_ip=MYIP, src_conn_ip=172.68.234.XXX, reason: no token found"}
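As an added triage aid (not part of the report, Pocket ID or caddy-security), the script below parses Caddy JSON lines in the exact `http.handlers.authentication` format quoted above, pulls out `src_ip`, `src_conn_ip` and the failure reason, and flags a source that fails at a steady once-per-second cadence as a machine-driven loop (the Pocket ID log shows an `axios` client hitting `/authorize` every second) rather than a person who simply has no session yet. The client and Cloudflare edge IPs, timestamps and the 2-second / 3-event thresholds are constructed placeholders.

```python
import json
import re

# Constructed sample records modelled on the caddy-security error lines quoted in the
# report; the client/edge IPs and timestamps are documentation placeholders, not real ones.
def _caddy_line(ts, src_ip, conn_ip, reason="no token found"):
    return json.dumps({"level": "error", "ts": ts, "logger": "http.handlers.authentication",
                       "msg": "auth provider returned error", "provider": "authorizer",
                       "error": f"user authorization failed: src_ip={src_ip}, src_conn_ip={conn_ip}, reason: {reason}"})

SAMPLE = [
    _caddy_line(1760270181.10, "203.0.113.10", "172.70.108.1"),
    _caddy_line(1760270182.10, "203.0.113.10", "162.158.23.1"),
    _caddy_line(1760270183.10, "203.0.113.10", "172.68.234.1"),
    _caddy_line(1760270184.10, "203.0.113.10", "172.70.108.1"),
    _caddy_line(1760270200.00, "198.51.100.7", "172.70.108.5"),  # one isolated, human-paced miss
    '{"level":"info","ts":1760270181.5,"logger":"http.log.access","msg":"handled request"}',
]

AUTHZ_RE = re.compile(r"user authorization failed: src_ip=(?P<src_ip>\S+), "
                      r"src_conn_ip=(?P<conn_ip>\S+), reason: (?P<reason>.+)$")

def parse_auth_errors(lines):
    """One dict per authorizer failure; other loggers and malformed lines are skipped."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("logger") != "http.handlers.authentication":
            continue
        m = AUTHZ_RE.search(rec.get("error", ""))
        if m:
            events.append({"ts": float(rec["ts"]), **m.groupdict()})
    return events

def summarize(events, poll_gap_s=2.0, min_events=3):
    """Per (src_ip, reason): count, distinct edge IPs (Cloudflare rotates them), mean gap, polling flag."""
    by_key = {}
    for e in events:
        by_key.setdefault((e["src_ip"], e["reason"]), []).append(e)
    out = {}
    for key, evs in by_key.items():
        ts = sorted(e["ts"] for e in evs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean_gap = round(sum(gaps) / len(gaps), 3) if gaps else None
        out[key] = {"count": len(evs), "conn_ips": len({e["conn_ip"] for e in evs}), "mean_gap_s": mean_gap,
                    "polling": len(evs) >= min_events and mean_gap is not None and mean_gap <= poll_gap_s}
    return out
```

Feed it `caddy logs caddyv2` output or the JSON access log configured in the Caddyfile; a `polling` group whose `src_ip` stays constant while `conn_ips` rotates across Cloudflare edges is one misbehaving client behind the proxy, not many users.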

@stonith404 commented on GitHub (Oct 12, 2025):

This seems like a configuration issue instead of a bug with Pocket ID; because of that I'm converting this to a discussion. I can't really help you here because I'm not using Caddy security, but maybe someone else can.


Reference: starred/pocket-id#506