[GH-ISSUE #1540] Infinite loop when logging in through IDP without required role #1948

Closed
opened 2026-04-16 08:49:46 -05:00 by GiteaMirror · 6 comments

Originally created by @tim-van-dijkhuizen on GitHub (Sep 25, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/1540

Originally assigned to: @miloschwartz on GitHub.

I have configured an IDP using Keycloak, enabled "Auto Provision Users" and created an organization policy that assigns roles based on the groups claim supplied by Keycloak. Then I enabled "Use Platform SSO" for a resource, allowed access to my Roles and enabled "Auto Login with External IDP".

When logging in with a user that has the right permissions it all works fine no problem. But when a user that does not have the required role tries to login they get stuck in a (seemingly) endless loop of:

  1. Accessing resource exposed by Pangolin
  2. Being redirected to the IDP and logging in, then back to Pangolin
  3. Pangolin refuses the user and redirects back to the IDP
  4. The IDP is already logged in and instantly redirects the user back to Pangolin
  5. The cycle continues

Am I doing something wrong, or is this a bug? Would be great if Pangolin showed an access denied page.

Software info:
Pangolin: v1.9.4
Newt: 1.5.0

I probably should update but looking at the changelog this issue has not been resolved yet.

GiteaMirror added the "potential bug" and "bug" labels 2026-04-16 08:49:46 -05:00
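The loop described in the issue is the classic result of a proxy answering "authenticated but not authorized" with the same response it uses for "not authenticated": another redirect to the IdP, which (already holding a session) bounces straight back. The TypeScript below is an added example, not Pangolin's code; it models the flow with a small state machine so the loop can be reproduced and the fix checked. The policy shape, the `orgs` map on the session, the `joinOrg` switch (modelling the auto-provisioned-user-not-in-org case reported later in the thread) and all names are assumptions for illustration.

```typescript
// Added example (not Pangolin's own code). Models the SSO redirect loop from
// the issue: an IdP that is already logged in, auto-provisioning on callback,
// and a resource that allows only certain org roles.

type Claims = { sub: string; groups: string[] };           // what the IdP returns
type Policy = { orgId: string; groupToRole: Record<string, string> }; // org policy (assumed shape)
type Session = { userId: string; orgs: Record<string, string[]> };    // orgId -> roles held there

type Decision =
  | { kind: "redirect_to_idp" }
  | { kind: "allow" }
  | { kind: "deny"; status: 403; reason: string };

type Authorizer = (session: Session | null, orgId: string, allowedRoles: string[]) => Decision;

// Org policy step: map the IdP's groups claim onto org roles.
function provisionRoles(claims: Claims, policy: Policy): string[] {
  const roles = new Set<string>();
  for (const g of claims.groups) {
    const role = policy.groupToRole[g];
    if (role) roles.add(role);
  }
  return [...roles];
}

// Buggy pattern: every authorization failure is treated as "not logged in",
// so with auto-login the browser is sent to the IdP again. This is the loop.
const authorizeBuggy: Authorizer = (session, orgId, allowedRoles) => {
  if (!session) return { kind: "redirect_to_idp" };
  const roles = session.orgs[orgId] ?? [];
  if (roles.some((r) => allowedRoles.includes(r))) return { kind: "allow" };
  return { kind: "redirect_to_idp" };
};

// Fixed pattern: only an absent session triggers a redirect; a user who is
// authenticated but not in the org, or in it without an allowed role, gets a
// terminal 403 (an access-denied page) and is never sent back to the IdP.
const authorizeFixed: Authorizer = (session, orgId, allowedRoles) => {
  if (!session) return { kind: "redirect_to_idp" };
  const roles = session.orgs[orgId];
  if (roles === undefined) {
    return { kind: "deny", status: 403, reason: "user is not a member of this org" };
  }
  if (roles.some((r) => allowedRoles.includes(r))) return { kind: "allow" };
  return { kind: "deny", status: 403, reason: "user has no role allowed on this resource" };
};

// Browser <-> proxy <-> IdP round trips until a terminal response, capped so a
// real loop cannot run forever. The IdP is assumed to be already logged in,
// so each redirect immediately yields a callback with the same claims.
// joinOrg=false models auto-provisioning that creates the user outside the org.
function simulate(
  authorize: Authorizer,
  claims: Claims,
  policy: Policy,
  allowedRoles: string[],
  joinOrg = true,
  cap = 10,
): { roundTrips: number; final: Decision } {
  let session: Session | null = null;
  let roundTrips = 0;
  for (;;) {
    const decision = authorize(session, policy.orgId, allowedRoles);
    if (decision.kind !== "redirect_to_idp") return { roundTrips, final: decision };
    if (roundTrips >= cap) return { roundTrips, final: decision }; // still looping at the cap
    roundTrips++;
    session = {
      userId: claims.sub,
      orgs: joinOrg ? { [policy.orgId]: provisionRoles(claims, policy) } : {},
    };
  }
}

// Constructed sample data (not from the issue).
const policy: Policy = { orgId: "org_example", groupToRole: { admins: "Admin", devs: "Member" } };
const adminClaims: Claims = { sub: "alice", groups: ["admins"] };
const devClaims: Claims = { sub: "bob", groups: ["devs"] };
const resourceRoles = ["Admin"]; // the resource allows only Admin

console.log("buggy, dev user:", simulate(authorizeBuggy, devClaims, policy, resourceRoles));
console.log("fixed, dev user:", simulate(authorizeFixed, devClaims, policy, resourceRoles));
console.log("fixed, admin user:", simulate(authorizeFixed, adminClaims, policy, resourceRoles));
console.log("fixed, not in org:", simulate(authorizeFixed, devClaims, policy, resourceRoles, false));
```

The rule the fixed variant enforces is the one to look for when reviewing any SSO-fronting proxy: a redirect to the IdP is only a valid answer to a request with no usable session; once the callback has produced a session, every further failure must be answered with a terminal response (403 page, or at least a response without an auth redirect), otherwise an IdP that keeps its own session logged in turns the denial into a loop.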

@juanbstevens commented on GitHub (Sep 27, 2025):

I just came across this same issue today.


@miloschwartz commented on GitHub (Sep 27, 2025):

Looking into this!


@keonramses commented on GitHub (Sep 28, 2025):

Thank you for looking into this Milo.


@RJDavison commented on GitHub (Sep 29, 2025):

Same problem with Authentik


@RJDavison commented on GitHub (Sep 29, 2025):

I've figured out why mine was looping. Seems that Pangolin isn't adding the auto-provisioned users to the correct org. Pangolin was putting the Authentik users into a completely different userspace separate from any org.

I saw that Pangolin was giving the auto-provisioned users a username that was a long string, i.e. "250029b692de7ff504cfe7f435c8223013c64eacefd25ce8fe1fafa1c77f740e". I had to then take this string from "All Users" and use it as the username in the org users for it to work. It would then convert the string to the proper username.


@miloschwartz commented on GitHub (Oct 8, 2025):

Thanks everyone! I believe I fixed this problem and the fix will be released soon in 1.11.


Reference: github-starred/pangolin#1948