mirror of
https://github.com/fosrl/pangolin.git
synced 2026-05-21 01:11:38 -05:00
[GH-ISSUE #762] bug: OIDC authentication fails to fetch user details from UserInfo endpoint #1614
Originally created by @Crowley723 on GitHub (May 22, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/762
Originally assigned to: @oschwartz10612 on GitHub.
Pangolin's OIDC authentication implementation only uses claims from the ID token and does not fetch additional user details from the provider's UserInfo endpoint when required claims are missing.
Expected Behavior:
When authenticating via OIDC, users should see their email address and full name in Pangolin, regardless of which claims the provider includes in the ID token.
Actual Behavior:
Users authenticated through OIDC providers that don't include email/name/groups claims in the ID token (like Authelia 4.39+) appear with their `sub` claim (UUID) instead of their email address, and have blank name fields.
Steps to Reproduce:
Additional Information:
I believe this issue is the same one fixed by this pr in Mealie.
Per the OIDC spec, it is not required for OIDC providers to return anything except for specific claims in the id_token given to the client after authentication. As such, if the client expects info about the user (such as email, username, etc.), it may have to fetch said info from the provider's UserInfo endpoint.
In the recent update for Authelia (4.39), we stopped including this information by default (to achieve OIDC certification), which requires some clients to use the UserInfo endpoint. We provided a way for admins to continue using the old method, but this is a band-aid fix.
Possible Solution:
As can be seen in the Mealie PR, this should be a fairly straightforward fix: if the returned token doesn't contain the required information about the user, fetch it from the UserInfo endpoint instead.
@Crowley723 commented on GitHub (May 22, 2025):
I am blind, apparently; this is likely the reason for the issue described in #671.
@james-d-elliott commented on GitHub (May 22, 2025):
Just another note: the most critical part of all of this is subsection 5.7: https://openid.net/specs/openid-connect-core-1_0.html#ClaimStability
@github-actions[bot] commented on GitHub (Jun 6, 2025):
This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.
@Crowley723 commented on GitHub (Jun 6, 2025):
Definitely not stale.
@negabiggs commented on GitHub (Jun 9, 2025):
Also bumping this. I'm attempting to work with Discord as an OIDC provider, and username/email information is behind a UserInfo endpoint.
@PHLAK commented on GitHub (Nov 9, 2025):
This was a problem I noticed recently when setting up Authelia as an identity provider. Took me a while to realize it used the UUID instead of the email or user name.
@Vladimir-Va commented on GitHub (Nov 12, 2025):
Thanks for the topic. I also spent a long time trying to set up OIDC from Synology SSO Server, without results.
In all clients it is usually sufficient to specify `/.well-known/openid-configuration`, but this doesn't work in Pangolin.
@ARandomGitHubUser commented on GitHub (Dec 10, 2025):
I spent some time looking into this. It appears that Arctic, the npm package used as an OAuth client in Pangolin, doesn't have built-in support for retrieving anything from the UserInfo endpoint. Arctic also does not appear to support a generic client implementation, which is what Pangolin really needs. You're "supposed" to use each of Arctic's providers individually; see https://github.com/pilcrowonpaper/arctic/issues/299#issuecomment-2814667357 and https://github.com/pilcrowonpaper/arctic/issues/310. This doesn't sound like it meets Pangolin's requirements.
Pangolin should probably switch to a more well-known client library, such as https://www.npmjs.com/package/openid-client.
`openid-client` fully supports UserInfo. This library is used by Immich, another popular open-source project.
I'm willing to take a deeper look into this, but I wanted to share what I've found so far and get some input from maintainers before I proceed further.
It also appears that because Discord only provides an OAuth 2 flow, not OIDC, Arctic will fail to process it (with a `Missing or invalid field: 'id_token'` message). See https://github.com/pilcrowonpaper/arctic/issues/299
Pangolin's own tag says OAuth2/OIDC, so I think it's reasonable to assume that all OAuth2 providers should work, not just ones that return an OIDC `id_token`.
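As an added example for this thread (not Pangolin's code and not from any commenter), the following TypeScript shows the claim-resolution logic the original issue asks for (use the ID token when it carries email/name, otherwise fetch UserInfo) together with the no-`id_token` case raised in the last comment. It also applies the two checks a practitioner would want that the thread only alludes to: the UserInfo `sub` must equal the ID token `sub` (OpenID Connect Core 5.3.2, token substitution), and accounts should be keyed on `sub`, not email, because only `sub` is stable (Core 5.7). Everything below is constructed: the endpoint URLs, access-token strings, subject values and UserInfo bodies are made up, the HTTP transport is injected and synchronous so the file runs offline, and ID-token signature/issuer/audience/expiry/nonce validation is assumed to have been done by the OIDC library before `idTokenClaims` is called.

```typescript
// Added example (not Pangolin's code): resolve a user profile from an OIDC/OAuth2 token
// response, using the UserInfo endpoint when the ID token lacks the claims the app needs.
// Runs offline: the HTTP transport is injected and all responses below are constructed.

type Claims = Record<string, unknown>;
interface TokenResponse { access_token: string; id_token?: string } // id_token absent for plain OAuth2
interface Profile {
  subject: string; // `sub`: the only identifier the spec guarantees is stable (Core 5.7)
  email?: string;
  name?: string;
  source: "id_token" | "userinfo" | "merged";
}

const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

function base64UrlEncode(s: string): string {
  const enc = encodeURIComponent(s); // UTF-8 bytes of s, non-URL-safe ones as %XX
  let out = "", acc = 0, bits = 0;
  for (let i = 0; i < enc.length; i++) {
    let b = enc.charCodeAt(i);
    if (enc.charAt(i) === "%") { b = parseInt(enc.substr(i + 1, 2), 16); i += 2; }
    acc = ((acc << 8) | b) & 0xffff; bits += 8;
    while (bits >= 6) { bits -= 6; out += B64URL.charAt((acc >> bits) & 63); }
  }
  return bits > 0 ? out + B64URL.charAt((acc << (6 - bits)) & 63) : out;
}

function base64UrlDecode(s: string): string {
  let hex = "", acc = 0, bits = 0;
  for (let i = 0; i < s.length; i++) {
    const v = B64URL.indexOf(s.charAt(i));
    if (v < 0) throw new Error("invalid base64url");
    acc = ((acc << 6) | v) & 0xffff; bits += 6;
    if (bits >= 8) { bits -= 8; hex += "%" + ("0" + ((acc >> bits) & 0xff).toString(16)).slice(-2); }
  }
  return decodeURIComponent(hex); // reassembles the UTF-8 bytes into a string
}

function str(v: unknown): string | undefined { return typeof v === "string" && v !== "" ? v : undefined; }
const REQUIRED_CLAIMS = ["email", "name"]; // what the UI needs beyond `sub`
function missingClaims(claims: Claims): string[] { return REQUIRED_CLAIMS.filter((c) => str(claims[c]) === undefined); }

// Reads the ID token payload. ASSUMPTION: signature, iss, aud, exp and nonce were already
// validated by the OIDC client library; this parses claims and verifies nothing.
function idTokenClaims(idToken: string): Claims {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("malformed ID token");
  return JSON.parse(base64UrlDecode(parts[1])) as Claims;
}

// Merges signed ID-token claims with a UserInfo response. Core 5.3.2: the UserInfo `sub` MUST
// equal the ID token `sub`, otherwise the response may describe a different end-user (token
// substitution) and must not be used.
function mergeClaims(idClaims: Claims | null, userInfo: Claims): Profile {
  const sub = str(userInfo.sub);
  if (sub === undefined) throw new Error("UserInfo response has no sub claim");
  if (idClaims !== null && idClaims.sub !== sub) throw new Error("UserInfo sub != ID token sub");
  const pick = (k: string) => (idClaims && str(idClaims[k])) || str(userInfo[k]); // signed value wins
  return {
    subject: sub,
    email: pick("email"),
    name: pick("name") || pick("preferred_username"), // standard-claim fallback for display
    source: idClaims === null ? "userinfo" : "merged",
  };
}

// Production transport: GET <endpoint> with `Authorization: Bearer <access_token>`. Injected here.
type UserInfoFetch = (endpoint: string, accessToken: string) => Claims;

function resolveProfile(tokens: TokenResponse, endpoint: string, fetchUserInfo: UserInfoFetch): Profile {
  const idClaims = tokens.id_token ? idTokenClaims(tokens.id_token) : null;
  const sub = idClaims ? str(idClaims.sub) : undefined;
  if (idClaims && sub !== undefined && missingClaims(idClaims).length === 0) {
    return { subject: sub, email: str(idClaims.email), name: str(idClaims.name), source: "id_token" };
  }
  return mergeClaims(idClaims, fetchUserInfo(endpoint, tokens.access_token)); // ID token absent or incomplete
}

// ---- Constructed sample data (not captured from any real provider) ----
const SUB = "8a1c2f3e-0000-4000-8000-000000000001";
const unsignedJwt = (payload: Claims) => // demo only: never accept an unsigned token in real code
  base64UrlEncode(JSON.stringify({ alg: "none" })) + "." + base64UrlEncode(JSON.stringify(payload)) + ".";
// Certified-style provider (Authelia 4.39+): the ID token carries only the mandatory claims.
const MINIMAL_TOKENS: TokenResponse = {
  access_token: "at-minimal",
  id_token: unsignedJwt({ iss: "https://idp.example", sub: SUB, aud: "pangolin", exp: 1900000000 }),
};
const OAUTH2_ONLY_TOKENS: TokenResponse = { access_token: "at-oauth2" }; // no ID token at all
const USERINFO: Record<string, Claims> = { // bodies keyed by the bearer token the fake endpoint sees
  "at-minimal": { sub: SUB, email: "alice@example.com", name: "Alice Example" },
  "at-oauth2": { sub: "123456789012345678", email: "bob@example.com", preferred_username: "bob" },
};
const fakeFetch: UserInfoFetch = (_endpoint, accessToken) => {
  const body = USERINFO[accessToken]; if (!body) throw new Error("401 from UserInfo endpoint"); return body;
};

function demo(): Profile[] { // one certified-OIDC login, one OAuth2-only login
  return [resolveProfile(MINIMAL_TOKENS, "https://idp.example/userinfo", fakeFetch),
          resolveProfile(OAUTH2_ONLY_TOKENS, "https://oauth2.example/profile", fakeFetch)];
}
console.log(JSON.stringify(demo(), null, 2));
```

Note the ordering in `mergeClaims`: ID-token values win because they are signed, UserInfo only fills gaps, and the response is discarded outright on a `sub` mismatch. A provider like Discord, whose profile endpoint is plain OAuth2, goes through the `idClaims === null` path and yields a profile with `source: "userinfo"`, but that profile is only as trustworthy as the access token that fetched it.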