[GH-ISSUE #1990] OIDC Cookie Domain Scoping Issue (follow-up to #1740) #2052

New Issue

Closed

opened 2026-04-16 09:00:34 -05:00 by GiteaMirror · 4 comments

GiteaMirror commented 2026-04-16 09:00:34 -05:00

Owner

Copy Link

Originally created by @88plug on GitHub (Dec 6, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/1990

Describe the Bug

OIDC cookies are set with incorrect domain scope, breaking authentication across subdomains using default configuration.

This is a follow-up to #1740 which was closed as stale/not planned, but the issue persists with default settings.

When using OIDC authentication (e.g., Authentik, Keycloak) with resources on subdomains - with NO custom cookie configuration:

1. p_oidc_state cookie is set with Domain=resource1.example.com instead of .example.com
2. After the OIDC provider redirects back to the Pangolin base URL (pangolin.example.com), the browser refuses to send the cookie due to domain mismatch
3. SameSite=lax (the default) further blocks the cookie on cross-site redirects
4. p_session_token is also scoped to exact hostname, causing redirect loops

This occurs out-of-the-box with a standard multi-subdomain setup. No non-default cookie settings were configured. The root cause is that Pangolin's default cookie domain scoping doesn't account for
subdomain usage, which is the primary use case for a reverse proxy.

Environment

• OS Type & Version: Ubuntu 24.04 LTS
• Pangolin Version: 1.12.x (latest)
• Gerbil Version: latest
• Traefik Version: v3.4
• Newt Version: N/A
• Olm Version: N/A
• Configuration: DEFAULT (no custom cookie settings)

To Reproduce

1. Install Pangolin using default configuration (official installer or docker-compose)
2. Configure an OIDC provider (e.g., Authentik) - standard setup per docs
3. Create a resource accessible at resource1.example.com
4. Pangolin dashboard at pangolin.example.com
5. Do NOT modify any cookie-related settings - use defaults
6. Attempt to access resource1.example.com which requires OIDC auth
7. Observe that p_oidc_state cookie is set with Domain=resource1.example.com
8. OIDC provider authenticates and redirects to pangolin.example.com
9. Browser does not send the cookie (domain mismatch + SameSite=lax)
10. Authentication fails or enters a redirect loop

No workarounds or custom configuration applied - this is purely default behavior.

Expected Behavior

With default configuration, OIDC-related cookies (p_oidc_state, p_session_token) should be set with first-level domain scope:

• Domain=.example.com (note the leading dot)
• This allows cookies to be shared across all subdomains by default
• SameSite attribute should be appropriate for OIDC redirect flows out-of-the-box

A reverse proxy serving multiple subdomains is the standard use case - cookie scoping should work correctly without requiring manual intervention or third-party plugins.

Current workaround requires Traefik's proxy-cookie plugin to rewrite cookie domains, but this should not be necessary with sensible defaults.

Originally created by @88plug on GitHub (Dec 6, 2025). Original GitHub issue: https://github.com/fosrl/pangolin/issues/1990 ### Describe the Bug OIDC cookies are set with incorrect domain scope, breaking authentication across subdomains using default configuration. This is a follow-up to #1740 which was closed as stale/not planned, but the issue persists with default settings. When using OIDC authentication (e.g., Authentik, Keycloak) with resources on subdomains - with NO custom cookie configuration: 1. `p_oidc_state` cookie is set with `Domain=resource1.example.com` instead of `.example.com` 2. After the OIDC provider redirects back to the Pangolin base URL (`pangolin.example.com`), the browser refuses to send the cookie due to domain mismatch 3. `SameSite=lax` (the default) further blocks the cookie on cross-site redirects 4. `p_session_token` is also scoped to exact hostname, causing redirect loops This occurs out-of-the-box with a standard multi-subdomain setup. No non-default cookie settings were configured. The root cause is that Pangolin's default cookie domain scoping doesn't account for subdomain usage, which is the primary use case for a reverse proxy. ### Environment - OS Type & Version: Ubuntu 24.04 LTS - Pangolin Version: 1.12.x (latest) - Gerbil Version: latest - Traefik Version: v3.4 - Newt Version: N/A - Olm Version: N/A - Configuration: DEFAULT (no custom cookie settings) ### To Reproduce 1. Install Pangolin using default configuration (official installer or docker-compose) 2. Configure an OIDC provider (e.g., Authentik) - standard setup per docs 3. Create a resource accessible at `resource1.example.com` 4. Pangolin dashboard at `pangolin.example.com` 5. Do NOT modify any cookie-related settings - use defaults 6. Attempt to access `resource1.example.com` which requires OIDC auth 7. Observe that `p_oidc_state` cookie is set with `Domain=resource1.example.com` 8. OIDC provider authenticates and redirects to `pangolin.example.com` 9. Browser does not send the cookie (domain mismatch + SameSite=lax) 10. Authentication fails or enters a redirect loop No workarounds or custom configuration applied - this is purely default behavior. ### Expected Behavior With default configuration, OIDC-related cookies (`p_oidc_state`, `p_session_token`) should be set with first-level domain scope: - `Domain=.example.com` (note the leading dot) - This allows cookies to be shared across all subdomains by default - `SameSite` attribute should be appropriate for OIDC redirect flows out-of-the-box A reverse proxy serving multiple subdomains is the standard use case - cookie scoping should work correctly without requiring manual intervention or third-party plugins. Current workaround requires Traefik's proxy-cookie plugin to rewrite cookie domains, but this should not be necessary with sensible defaults.

GiteaMirror added the stale label 2026-04-16 09:00:34 -05:00

GiteaMirror closed this issue 2026-04-16 09:00:34 -05:00

GiteaMirror commented 2026-04-16 09:00:35 -05:00

Author

Owner

Copy Link

@miloschwartz commented on GitHub (Dec 6, 2025):

Hey, thanks for posting these issues. I also see the other one you opened. There may be something funky going on, so I will try to reproduce.

However, I do want to clarify one thing about how the system works because it's not super obvious.

The root cause: p_session_token cookie is scoped to the exact hostname (Domain=example.com) instead of the wildcard (Domain=.example.com)

The session tokens are always supposed to be set on the root domain (dashboard_url from the config). The magic actually happens in Badger for handling the resource sessions.

You visit a resource, badger doesn't see a resource session cookie at resource1.example.com, so it redirects you to dashboard url to complete auth. You complete auth on dashboard url. Now dashboard url has a session cookie at dashboard.example.com. It checks if you should actually have access to the resource you were trying to visit based on the session (roles, etc). If allowed, it generates a "transfer token" which is just a short lived token that is appended to the url upon redirect back to the resource, like resource1.example.com/?transfer=abc123. Badger sees the transfer token, and exchanges it for a full session token. Badger, which is inside the reverse proxy serving the domain of the resource, sets the cookie at resource1.example.com, and lets you through.

Therefore, cookies are always set at exact domains. This complicated mess is required because we support the case where your dashboard url is on a different base domain than one or more resources, in which case you can't set cross domain cookies securely. This is kind of like a super basic internal only OAuth2 flow.

The p_oidc_state cookie thing you brought up sounds like it could be an issue. The state cookie should be set on the domain that initiates and completes the OIDC flow because it contains state info (OIDC state + redirect + etc). I'll take a look too see if I can reproduce this and fix.

<!-- gh-comment-id:3620637404 --> @miloschwartz commented on GitHub (Dec 6, 2025): Hey, thanks for posting these issues. I also see the other one you opened. There may be something funky going on, so I will try to reproduce. However, I do want to clarify one thing about how the system works because it's not super obvious. > The root cause: p_session_token cookie is scoped to the exact hostname (Domain=example.com) instead of the wildcard (Domain=.example.com) The session tokens are always supposed to be set on the root domain (`dashboard_url` from the config). The magic actually happens in Badger for handling the resource sessions. You visit a resource, badger doesn't see a resource session cookie at `resource1.example.com`, so it redirects you to dashboard url to complete auth. You complete auth on dashboard url. Now dashboard url has a session cookie at `dashboard.example.com`. It checks if you should actually have access to the resource you were trying to visit based on the session (roles, etc). If allowed, it generates a "transfer token" which is just a short lived token that is appended to the url upon redirect back to the resource, like `resource1.example.com/?transfer=abc123`. Badger sees the transfer token, and exchanges it for a full session token. Badger, which is inside the reverse proxy serving the domain of the resource, sets the cookie at `resource1.example.com`, and lets you through. Therefore, cookies are always set at exact domains. This complicated mess is required because we support the case where your dashboard url is on a different base domain than one or more resources, in which case you can't set cross domain cookies securely. This is kind of like a super basic internal only OAuth2 flow. The `p_oidc_state` cookie thing you brought up sounds like it could be an issue. The state cookie should be set on the domain that initiates and completes the OIDC flow because it contains state info (OIDC state + redirect + etc). I'll take a look too see if I can reproduce this and fix.

GiteaMirror commented 2026-04-16 09:00:35 -05:00

Author

Owner

Copy Link

@miloschwartz commented on GitHub (Dec 6, 2025):

@88plug Can you update to 1.12.x and let me know if you still encounter a redirect issue? I was unable to reproduce this. I setup an IdP and used it as the login method when redirected to the login page from an unauthenticated resource.

<!-- gh-comment-id:3620819206 --> @miloschwartz commented on GitHub (Dec 6, 2025): @88plug Can you update to 1.12.x and let me know if you still encounter a redirect issue? I was unable to reproduce this. I setup an IdP and used it as the login method when redirected to the login page from an unauthenticated resource.

GiteaMirror commented 2026-04-16 09:00:35 -05:00

Author

Owner

Copy Link

@github-actions[bot] commented on GitHub (Dec 21, 2025):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

<!-- gh-comment-id:3678242834 --> @github-actions[bot] commented on GitHub (Dec 21, 2025): This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

GiteaMirror commented 2026-04-16 09:00:35 -05:00

Author

Owner

Copy Link

@github-actions[bot] commented on GitHub (Jan 4, 2026):

This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.

<!-- gh-comment-id:3707481313 --> @github-actions[bot] commented on GitHub (Jan 4, 2026): This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

dependabot/npm_and_yarn/prod-patch-updates-64dd675a88

dependabot/npm_and_yarn/dev-minor-updates-10ef4f0f15

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

crowdin_dev

resource-policies

redis

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

dependabot/npm_and_yarn/next-intl-4.9.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.3

1.18.3-s.1

1.18.3-s.0

1.18.2-s.5

1.18.2-s.4

1.18.2-s.3

1.18.2-s.2

1.18.2-s.1

1.18.2

1.18.2-s.0

1.18.1-s.7

1.18.1-s.6

1.18.1-s.5

1.18.1-s.4

1.18.1-s.3

1.18.1-s.2

1.18.1

1.18.1-s.1

1.18.1-s.0

1.18.0-s.2

1.18.0-s.1

1.18.0

1.18.0-s.0

1.17.1-s.7

1.17.1-s.6

1.18.0-rc.0

1.17.1-s.5

1.17.1-s.4

1.17.1-s.3

1.17.1

1.17.1-s.2

1.17.1-s.1

1.17.1-s.0

1.17.0-s.4

1.17.0

1.17.0-s.3

1.17.0-s.2

1.17.0-s.1

1.17.0-s.0

1.17.0-rc.0

1.16.2-s.22

1.16.2-s.21

1.16.2-s.20

1.16.2-s.19

1.16.2-s.18

1.16.2-s.17

1.16.2-s.16

1.16.2-s.15

1.16.2-s.14

1.16.2-s.13

1.16.2-s.12

1.16.2-s.11

1.16.2-s.10

1.16.2-s.9

1.16.2-s.8

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label stale

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#2052