[GH-ISSUE #1458] External access not working anymore after update to Pangolin 1.9.0 #1918

Closed
opened 2026-04-16 08:47:00 -05:00 by GiteaMirror · 2 comments

Originally created by @thimplicity on GitHub (Sep 14, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/1458

Originally assigned to: @miloschwartz on GitHub.

Hi everyone,
I have the following setup:

  • VPS with Docker, Pangolin and Pocket-ID for externally accessing a few homelab services
  • Homelab with Docker, Pangolin and Pocket-ID for internal access to services

I run two Pangolin instances, one externally on a VPS and one internally. I only run one Pocket-ID instance externally that serves both Pangolin instances. Both instances and access worked well with Pocket-ID 1.10.0 and Pangolin 1.6.2. Then I updated the external Pangolin instance to 1.9.0 and since then the external access does not work anymore. I receive the following error message when trying to log into a service directly, e.g. into uptime kuma, from externally:

Image

When I log into Pangolin (on VPS) directly, I receive this screen, which shows that the user is not connected to an organization. I have automatic user provisioning activated, which does not work anymore. Every time I create the user manually, it is gone after I tried to log in.

Image

The docker logs are below:

Pangolin:

```
2025-09-12T07:08:12.306Z [info]: Exit node request successful: {"method":"POST","url":"http://gerbil:3003/peer","status":"Peer added successfully"}
2025-09-12T07:08:12.307Z [info]: Exit node request successful: {"method":"POST","url":"http://gerbil:3003/peer","status":"Peer added successfully"}
2025-09-12T07:08:12.307Z [info]: Exit node request successful: {"method":"POST","url":"http://gerbil:3003/peer","status":"Peer added successfully"}
2025-09-12T07:08:12.310Z [info]: Exit node request successful: {"method":"POST","url":"http://gerbil:3003/peer","status":"Peer added successfully"}
2025-09-12T07:08:12.311Z [info]: Exit node request successful: {"method":"POST","url":"http://gerbil:3003/peer","status":"Peer added successfully"}
2025-09-12T07:08:12.312Z [info]: Exit node request successful: {"method":"POST","url":"http://gerbil:3003/peer","status":"Peer added successfully"}
2025-09-14T12:38:28.762Z [info]: Checking Docker socket for site 1 with Newt ft8luaohkalmf
2025-09-14T12:38:28.775Z [info]: Handling Docker socket check response
2025-09-14T12:38:28.775Z [info]: Newt ID: ft8luaohkalmf, Site ID: 1
2025-09-14T12:38:28.775Z [info]: Docker socket availability for Newt ft8luaohkalmf: available=false, socketPath=
2025-09-14T12:38:28.775Z [warn]: Newt ft8luaohkalmf does not have Docker socket access
2025-09-14T12:38:28.775Z [info]: Handling Docker socket check response
2025-09-14T12:38:28.775Z [info]: Newt ID: ft8luaohkalmf, Site ID: 1
2025-09-14T12:38:28.775Z [info]: Docker socket availability for Newt ft8luaohkalmf: available=false, socketPath=
2025-09-14T12:38:28.775Z [warn]: Newt ft8luaohkalmf does not have Docker socket access
```

Pocket-ID:

```
time=2025-09-14T12:55:57.524Z level=INFO msg="Incoming request" app=pocket-id version=1.10.0 request.time=2025-09-14T12:55:57.524Z request.method=GET request.host=auth.... request.path=/.well-known/jwks.json request.query="" request.params=map[] request.route=/.well-known/jwks.json request.ip=136.... request.referer="" request.length=0 response.time=2025-09-14T12:55:57.524Z response.latency=21.66µs response.status=200 response.length=430
time=2025-09-14T12:56:57.584Z level=INFO msg="Incoming request" app=pocket-id version=1.10.0 request.time=2025-09-14T12:56:57.584Z request.method=GET request.host=auth.... request.path=/.well-known/openid-configuration request.query="" request.params=map[] request.route=/.well-known/openid-configuration request.ip=136.... request.referer="" request.length=0 response.time=2025-09-14T12:56:57.584Z response.latency=42.451µs response.status=200 response.length=1020
time=2025-09-14T12:56:57.618Z level=INFO msg="Incoming request" app=pocket-id version=1.10.0 request.time=2025-09-14T12:56:57.618Z request.method=GET request.host=auth.... request.path=/.well-known/jwks.json request.query="" request.params=map[] request.route=/.well-known/jwks.json request.ip=136.... request.referer="" request.length=0 response.time=2025-09-14T12:56:57.618Z response.latency=35.471µs response.status=200 response.length=430
```

Any help would be appreciated - the setup worked perfectly for me before the update

GiteaMirror added the Look Into label 2026-04-16 08:47:00 -05:00

@miloschwartz commented on GitHub (Sep 21, 2025):

> I have automatic user provisioning activated, which does not work anymore. Every time, I create the user manually, it is gone after I tried to log in.

With auto provisioning enabled, on each login it reruns a check on all the organization policies on the identity provider to determine if the user should have access to the organization/role. It sounds like when you log in this check is happening and you're getting removed from your org because the policies aren't returning the expected org ID or role name.

Can you screenshot your policies (JMES path) from the edit IdP screen and I could take a look?

Also as a tip, if you have debug logs enabled, when you complete the OAuth flow, it should still print out the token response from Pocket ID (IdP) which you can use to manually run the JMES Path expression against for debugging/checking purposes. Some docs on auto provisioning if you haven't seen it already [here](https://docs.digpangolin.com/manage/identity-providers/auto-provisioning#community-edition).

@thimplicity commented on GitHub (Sep 22, 2025):

Hi @miloschwartz,
thanks for pointing me in the correct direction. Seems like I added a typo to the policies when debugging. Seems to work now that I corrected that. Thanks a lot!

Reference: github-starred/pangolin#1918