🐛 Bug Report: Getting 502 Error on all clients after 1.7.0 update #87

Closed
opened 2025-10-07 00:01:10 +03:00 by OVERLORD · 13 comments

Originally created by @dev-Blaze on GitHub.

Reproduction steps

As the title states, I tried reverting back to 1.6.4 but it doesn't seem to be allowed.

Currently hosting Pocket ID via docker
Pocket ID and all of the services are behind Reverse Proxy Pangolin (Uses Traefik)

Logs from Pocket ID:

```
time=2025-08-11T06:42:16.974-07:00 level=INFO msg="Incoming request" app=pocket-id version=1.7.0 request.time=2025-08-11T13:42:16.972Z request.method=POST request.host=auth.redacted request.path=/api/oidc/authorization-required request.query="" request.params=map[] request.route=/api/oidc/authorization-required request.ip=207.6.16.254 request.referer="https://auth.redacted/authorize?response_type=code&redirect_uri=https%3A%2F%2Foutline.redacted%2Fauth%2Foidc.callback&scope=openid%20profile%20email&state=cdebef095165601c&client_id=4215a259-0dfc-48a0-a17b-600c1acb6fcb" request.length=82 response.time=2025-08-11T13:42:16.973Z response.latency=1.239892ms response.status=200 response.length=31
time=2025-08-11T06:42:17.057-07:00 level=INFO msg="Incoming request" app=pocket-id version=1.7.0 request.time=2025-08-11T13:42:17.050Z request.method=POST request.host=auth.redacted request.path=/api/oidc/authorize request.query="" request.params=map[] request.route=/api/oidc/authorize request.ip=207.6.16.254 request.referer="https://auth.redacted/authorize?response_type=code&redirect_uri=https%3A%2F%2Foutline.redacted%2Fauth%2Foidc.callback&scope=openid%20profile%20email&state=cdebef095165601c&client_id=4215a259-0dfc-48a0-a17b-600c1acb6fcb" request.length=196 response.time=2025-08-11T13:42:17.057Z response.latency=6.66303ms response.status=200 response.length=148
time=2025-08-11T06:42:48.174-07:00 level=INFO msg="Incoming request" app=pocket-id version=1.7.0 request.time=2025-08-11T13:42:48.172Z request.method=GET request.host=auth.redacted request.path=/api/application-configuration/logo request.query="" request.params=map[] request.route=/api/application-configuration/logo request.ip=207.6.16.254 request.referer=https://dashboard.redacted/ request.length=0 response.time=2025-08-11T13:42:48.174Z response.latency=1.188735ms response.status=200 response.length=32800
```

Log from Outline Application:

```
ERR Error during authentication | error=connect ETIMEDOUT 000.000.000.000:443 stack=Error: connect ETIMEDOUT 000.000.000.000:443
    at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1637:16)
ERR Error during authentication | error=connect ETIMEDOUT 000.000.000.000:443 stack=Error: connect ETIMEDOUT 000.000.000.000:443
    at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1637:16)
```

Expected behavior

Authentication working

Actual Behavior

Getting 502 Server Error

Version and Environment

v1.7.0

Log Output

Previous notes


@ghoshsaptarshi commented on GitHub:

I was facing the same error. If you're using docker then try changing the variable name from `PUBLIC_APP_URL` to `APP_URL`.
The `https://<your-pocket-id-domain>/.well-known/openid-configuration` was pointing to localhost instead of the correct domain.


@stonith404 commented on GitHub:

@dev-Blaze Is Pocket ID accessible from the other containers? You can test this by running `ping your-pocket-id-domain` inside the containers that can't authenticate. I doubt that the issue is caused by the update, because we shouldn't have changed anything that could cause the issue.


@stonith404 commented on GitHub:

Can you share the output of `https://<your-pocket-id-domain>/.well-known/openid-configuration`?

Besides logging into clients everything works as expected?


@dev-Blaze commented on GitHub:

@stonith404 it does seem to be accessible from other containers.


@dev-Blaze commented on GitHub:

```
{"authorization_endpoint":"https://auth.redacted/authorize","authorization_response_iss_parameter_supported":true,"claims_supported":["sub","given_name","family_name","name","email","email_verified","preferred_username","picture","groups"],"code_challenge_methods_supported":["plain","S256"],"device_authorization_endpoint":"https://auth.redacted/api/oidc/device/authorize","end_session_endpoint":"https://auth.redacted/api/oidc/end-session","grant_types_supported":["authorization_code","refresh_token","urn:ietf:params:oauth:grant-type:device_code"],"id_token_signing_alg_values_supported":["RS256"],"introspection_endpoint":"https://auth.redacted/api/oidc/introspect","issuer":"https://auth.redacted","jwks_uri":"https://auth.redacted/.well-known/jwks.json","response_types_supported":["code","id_token"],"scopes_supported":["openid","profile","email","groups"],"subject_types_supported":["public"],"token_endpoint":"https://auth.redacted/api/oidc/token","userinfo_endpoint":"https://auth.redacted/api/oidc/userinfo"}
```

One thing I have noticed is that, in Pangolin, it has tunnels to other hosts to reverse proxy services/apps in different local networks as well.
This issue only happens for services that are local that are on the Pangolin host itself and doesn't happen for services that are proxied with its tunnel on a different host.

This might point to the issue being with the reverse proxy, but this only started after the update to Pocket-ID.
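
An added example, not part of the original thread or of Pocket ID's code: a check of the discovery document for the localhost symptom described above, plus a TCP connect test for port 443, which is where Outline's `ETIMEDOUT` occurs. The names `check_discovery` and `tcp_reachable` are hypothetical, and the localhost document is a constructed sample.

```python
import ipaddress
import json
import socket
from urllib.parse import urlsplit

def _is_loopback(host):
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary DNS name

def check_discovery(doc, expected_issuer):
    """Return a list of problems found in an OIDC discovery document."""
    problems = []
    want = urlsplit(expected_issuer)
    if doc.get("issuer", "").rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer is {doc.get('issuer')!r}, expected {expected_issuer!r}")
    for key, value in sorted(doc.items()):
        if not (key.endswith("_endpoint") or key in ("issuer", "jwks_uri")):
            continue
        url = urlsplit(value)
        host = url.hostname or ""
        if _is_loopback(host):
            problems.append(f"{key} points at loopback host {host!r}")
        elif (url.scheme, host, url.port) != (want.scheme, want.hostname, want.port):
            problems.append(f"{key} is not on {want.scheme}://{want.netloc}")
    return problems

def tcp_reachable(host, port=443, timeout=3.0):
    """True if a TCP connection succeeds; a ping reply does not prove this."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Subset of the discovery document posted in this thread.
GOOD = json.loads('{"issuer":"https://auth.redacted",'
    '"authorization_endpoint":"https://auth.redacted/authorize",'
    '"token_endpoint":"https://auth.redacted/api/oidc/token",'
    '"jwks_uri":"https://auth.redacted/.well-known/jwks.json"}')
# Constructed sample: the same document with every URL pointing at localhost.
BAD = {k: v.replace("https://auth.redacted", "http://localhost:1411") for k, v in GOOD.items()}

if __name__ == "__main__":
    for name, doc in (("posted", GOOD), ("constructed", BAD)):
        print(name, check_discovery(doc, "https://auth.redacted") or "OK")
```

Run `tcp_reachable("<your-pocket-id-domain>")` from inside the client container that fails to authenticate, since the relevant path is the one that container takes to the proxy.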


@kmendell commented on GitHub:

Did you make any configuration changes to your reverse proxy setup? Like @stonith404 said, nothing in the 1.7.0 update should have affected this, and from my overview it seems like a configuration issue, but I could be wrong too. It may be helpful to share your docker compose and .env, redacting any sensitive data where needed.


@dev-Blaze commented on GitHub:

pocket-id is behind the same reverse proxy and I can log into it without issues, it's just other services using pocket-id as oauth provider having issues. I'll paste the docker compose and env file here in a bit.


@dev-Blaze commented on GitHub:

@ghoshsaptarshi I am using the APP_URL and not PUBLIC_APP_URL for the pocket-id docker-compose stack.


@dev-Blaze commented on GitHub:

docker-compose file

```
services:
  pocket-id:
    image: ghcr.io/pocket-id/pocket-id:latest
    restart: unless-stopped
    env_file: stack.env
    networks:
      - pangolin
    ports:
      - 3000:1411
    volumes:
      - "/docker/pocket-id/data:/app/data"
    healthcheck:
      test: "curl -f http://localhost:1411/healthz" # Update the port in the healthcheck
      interval: 1m30s
      timeout: 5s
      retries: 2
      start_period: 10s

networks:
  pangolin:
    external: true
```

stack.env

```
APP_URL=https://redacted.com
TRUST_PROXY=true
MAXMIND_LICENSE_KEY=redacted
PORT=1411
TZ=America/Los_Angeles
```

@dev-Blaze commented on GitHub:

@kmendell I have not made any changes to the reverse proxy config either.


@stonith404 commented on GitHub:

Would you mind setting up a test instance on v1.6.4 and trying it again? I'm really confident that the issue is not caused by v1.7.0.


@dev-Blaze commented on GitHub:

I tested with a test instance on v1.6.4 and it does look to have the same problem. I'll post in the pangolin page. Thanks gents


@stonith404 commented on GitHub:

Alright, thanks for testing. Good luck!


Reference: starred/pocket-id#87