🐛 Bug Report: Cloudflare Zero Trust OIDC: "Failed to verify oidc token with fresh keys" #73

Closed
opened 2025-10-07 00:00:40 +03:00 by OVERLORD · 18 comments

Originally created by @aepuck on GitHub.

Reproduction steps

I followed the steps as noted in https://pocket-id.org/docs/client-examples/cloudflare-zero-trust and I'm able to save the OIDC client in my instance and in Zero Trust.

Expected behavior

Successful authentication into Cloudflare via my Pocket ID instance.

Actual Behavior

When I click "Test" following the setup, I'm presented with the following message:

Failed to verify oidc token with fresh keys
undefined

Image

Version and Environment

Version 1.7.0

Instance is proxied itself through Cloudflare Tunnels, but not sure if that is an issue after looking at #231

Log Output

No response


@JonasWinter commented on GitHub:

Image

I remember having the same error, but unfortunately cannot remember how I solved it. For comparison: this is the rest of my configuration. Did you set OIDC Claims and Scopes correctly? What happens when activating PKCE?


@aepuck commented on GitHub:

I should note also that Pocket ID is working (quite well too!) with my WordPress instance and FileBrowser Quantum, but ZT is still vexing me...


@aepuck commented on GitHub:

@JonasWinter I just tried this above - enabled PKCE in both ZT and the Pocket ID registration, added the three claims (scopes were already good) - but now I have a different message when I hit test:

OIDC ERROR: Failed to exchange code for token. Make sure the client secret is correct.
undefined

Image

After regenerating the client secret, I get the same message as before:

Image

@aepuck commented on GitHub:

Sure thing!

Here is my OIDC provider setup from ZT > Settings > Authentication (subdomain redacted):

Image

From Pocket ID > OIDC Clients:

Image

My actual instance (on Win x64) is on a CF Tunnel as well, running as follows:

  - http://localhost:1411 going to
  - https://sub.domain

@kmendell commented on GitHub:

Can you share what you configured in Cloudflare? Redact any sensitive information where needed. I have this set up and working, so I'm sure it may just be a misconfiguration issue.


@JonasWinter commented on GitHub:

  1. Is your pocket-id instance reachable over the internet for anonymous users? If behind a Cloudflare tunnel (with authentication), you need to allow Cloudflare IPs to directly access the pocket-id (from here: https://www.cloudflare.com/en-gb/ips/)
    Image
  2. Also make sure that PKCE is enabled in your pocket-id configuration (bottom-right toggle in your screenshot of pocket-id)
  3. I will share my pocket-id config later (not accessible right now), not quite sure if yours is 100% correct but cannot confirm right now

@aepuck commented on GitHub:

@JonasWinter it is reachable to the internet anonymously, yes. (I do not have a Zero Trust application set up for my instance, just the tunnel exposing it to the internet.) I also turned on PKCE in the Pocket ID config when I tweaked things above.

Let me know if I need to share any further details from my Cloudflare or Pocket ID setups/configs.


@stonith404 commented on GitHub:

@aepuck Can you share the output of <your-pocket-id-domain>/.well-known/openid-configuration?

Also, please share your .env file, but make sure to redact any sensitive information.


@JonasWinter commented on GitHub:

Just compared all configs, everything seems right. 2 things to check:

  1. For the callback URL, can you double-check that your team name in the callback URL is correct?
    "You can find your team name in Zero Trust under Settings > Custom Pages."
  2. My last shot: Is the DNS record for the pocket-id instance maintained in Cloudflare? If so, make sure to disable "Bot Fight Mode" (https://developers.cloudflare.com/bots/get-started/bot-fight-mode/). I seem to remember that this caused some errors for me

@aepuck commented on GitHub:

@JonasWinter confirmed both the team name is correct and Bot Fight Mode is off. (I turned it off when I set up the WordPress OIDC plugin after seeing it cause an issue)

Thanks for your help on this though!!

@kmendell is there anything in my config that you'd do differently by chance?


@aepuck commented on GitHub:

@mitchplze many thanks for that, unfortunately still no dice 😫

@stonith404 @kmendell for grins just a bit ago, I went to the /api/oidc/token endpoint in my browser to see if there would be any sort of output and I got this:

Image

I'm not sure if this is intended behavior when going to that URL but maybe (maybe?) it's related...despite two other OIDC authenticated apps working with my instance. This is a head scratcher for sure.


@mitchplze commented on GitHub:

Just chiming in that my CF ZT has worked great with this config pair out of the box, for quite some time.

I see that your app launcher tile URL is different (should probably not have the callback stuff on it), but that doesn't seem to break anything when I tested today.

Image Image Image

@kmendell commented on GitHub:

> @JonasWinter confirmed both the team name is correct and Bot Fight Mode is off. (I turned it off when I set up the WordPress OIDC plugin after seeing it cause an issue)
>
> Thanks for your help on this though!!
>
> @kmendell is there anything in my config that you'd do differently by chance?

Based on what I can see it's set up the same as mine is; I'd have to check 100% though. I'll try to do that later.


@mitchplze commented on GitHub:

> I'm not sure if this is intended behavior when going to that URL

My working one looks the same in browser at that URL.

I actually have two or three diff CF ZT accounts connecting to multiple Pocket OIDC clients like this, no issues.

Give this rule a try. I had issues with various monitoring tools, web apps etc. not working with the CF 'orange cloud' turned on, until I did this.


Disclaimer: Do this at your own risk obviously. You're bypassing a lot of the benefit of CF with this admittedly.

Image Image

@aepuck commented on GitHub:

@stonith404 sure thing! Here's the openid-configuration, with redacted domain:

```json
{
  "authorization_endpoint": "https://id.domain.com/authorize",
  "authorization_response_iss_parameter_supported": true,
  "claims_supported": ["sub", "given_name", "family_name", "name", "email", "email_verified", "preferred_username", "picture", "groups"],
  "code_challenge_methods_supported": ["plain", "S256"],
  "device_authorization_endpoint": "https://id.domain.com/api/oidc/device/authorize",
  "end_session_endpoint": "https://id.domain.com/api/oidc/end-session",
  "grant_types_supported": ["authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:device_code"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "introspection_endpoint": "https://id.domain.com/api/oidc/introspect",
  "issuer": "https://id.domain.com",
  "jwks_uri": "https://id.domain.com/.well-known/jwks.json",
  "response_types_supported": ["code", "id_token"],
  "scopes_supported": ["openid", "profile", "email", "groups"],
  "subject_types_supported": ["public"],
  "token_endpoint": "https://id.domain.com/api/oidc/token",
  "userinfo_endpoint": "https://id.domain.com/api/oidc/userinfo"
}
```

And my .env:

```
# See the documentation for more information: https://pocket-id.org/docs/configuration/environment-variables
APP_URL=https://id.domain.com
TRUST_PROXY=true
MAXMIND_LICENSE_KEY=LicenseKeyRedacted
PUID=1000
PGID=1000
```

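"Fresh keys" in the error above refers to the relying party re-fetching the key set at the jwks_uri from this discovery document before checking the ID token's signature. The diagnostic below is an added example (my code, not Pocket ID's or Cloudflare's) that runs the checks a reviewer of this thread would want against constructed responses: APP_URL versus issuer, jwks_uri under the issuer, whether the JWKS fetch got JSON or an HTML challenge page (as Bot Fight Mode or an Access policy would serve), and whether the token's alg and kid exist in the fetched key set. The key material, token and HTML body are constructed placeholders.

```python
import base64
import json

# Constructed subset of the discovery document posted above (domain already redacted there).
DISCOVERY = {
    "issuer": "https://id.domain.com",
    "jwks_uri": "https://id.domain.com/.well-known/jwks.json",
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Constructed responses to a GET on jwks_uri, as (Content-Type, body) pairs.
# Healthy case: a JSON key set (key material is a placeholder, not a real key).
GOOD_JWKS = ("application/json", json.dumps({"keys": [
    {"kty": "RSA", "kid": "key-1", "alg": "RS256", "use": "sig", "n": "placeholder", "e": "AQAB"}]}).encode())
# Failure case: a bot-challenge / login page served instead of the key set.
CHALLENGE_JWKS = ("text/html; charset=utf-8",
                  b"<!DOCTYPE html><html><head><title>Just a moment...</title></head></html>")

# Constructed ID token: only the header is inspected here; the signature is not checked.
SAMPLE_TOKEN = base64.urlsafe_b64encode(
    b'{"alg":"RS256","kid":"key-1","typ":"JWT"}').rstrip(b"=").decode() + ".e30.sig"


def jwt_header(token):
    """Decode the (unverified) JOSE header of a compact JWT to inspect alg and kid."""
    seg = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def check_fresh_keys(app_url, discovery, jwks_response, header):
    """Return findings explaining why a relying party could fail to verify an ID token
    against freshly fetched keys; an empty list means every check passed."""
    findings = []
    issuer = discovery.get("issuer", "")
    if issuer.rstrip("/") != app_url.rstrip("/"):
        findings.append(f"issuer {issuer!r} does not match APP_URL {app_url!r}")
    jwks_uri = discovery.get("jwks_uri", "")
    if not jwks_uri.startswith(issuer):
        findings.append(f"jwks_uri {jwks_uri!r} is not under the issuer")

    content_type, body = jwks_response
    if not content_type.lower().startswith("application/json"):
        findings.append(f"jwks_uri returned {content_type!r}, not JSON "
                        "(bot challenge or access policy in front of the IdP?)")
        return findings  # nothing below can be checked against an HTML page
    keys = json.loads(body).get("keys", [])

    if header.get("alg") not in discovery.get("id_token_signing_alg_values_supported", []):
        findings.append(f"id_token alg {header.get('alg')!r} is not advertised by the issuer")
    if not any(k.get("kid") == header.get("kid") for k in keys):
        findings.append(f"kid {header.get('kid')!r} not present in JWKS (key rotation or wrong instance?)")
    return findings
```

To use it against a live instance, replace the constructed tuples with the Content-Type and body of a real GET on the jwks_uri made from outside the network, which is the vantage point the relying party has.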

@stonith404 commented on GitHub:

I'm converting this to a discussion because this doesn't seem like an issue of Pocket ID itself, but a configuration issue.


@pew commented on GitHub:

@aepuck you can do this using Tunnels


@aepuck commented on GitHub:

@mitchplze I don't know if I'll be able to do that since I use CF Tunnels as my reverse proxy for my Pocket instance.

Image
Reference: starred/pocket-id#73