[GH-ISSUE #1838] OIDC with PocketID not working #3963

Closed
opened 2026-04-20 08:18:41 -05:00 by GiteaMirror · 9 comments

Originally created by @L0sWach0s on GitHub (Nov 9, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/1838

Describe the Bug

Hey!

I try to use my PocketID as my OIDC provider, but it doesn't work.
I tried to update pangolin, update PocketID, use Authentik, delete the IDP and set it up again, nothing helps.

PocketID is on my HomeServer, connected via Pangolin (no authentication, it's reachable). The green checkmark at PocketID is also appearing.

Pangolin is not using newt, all my connections are "local" via Tailscale.

Attached the log.

Making login request to: http://localhost:3000/api/v1/auth/login
Making login request to: http://localhost:3000/api/v1/auth/login
Making OIDC URL generation request to: http://localhost:3000/api/v1/auth/idp/4/oidc/generate-url
Making OIDC callback validation request to: http://localhost:3000/api/v1/auth/idp/4/oidc/validate-callback
2025-11-09T21:08:58+00:00 [error]: Failed to send request
Stack: Error: Failed to send request
    at sendTokenRequest (file:///app/node_modules/arctic/dist/request.js:35:15)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async OAuth2Client.validateAuthorizationCode (file:///app/node_modules/arctic/dist/client.js:66:24)
    at async validateOidcCallback (file:///app/dist/server.mjs:24361:20)

Environment

  • OS Type & Version: Ubuntu 22.04
  • Pangolin Version: 1.10.x ---> 1.12.2
  • Gerbil Version: 1.0.0
  • Traefik Version: 3.6.0
  • Newt Version: -
  • Olm Version: -
  • tailscale: 1.90.6

To Reproduce

Each and every attempt is failing with the same error.

Expected Behavior

IDP can be used

GiteaMirror added the stale label 2026-04-20 08:18:41 -05:00

@shanelord01 commented on GitHub (Nov 10, 2025):

Try leaving everything set to your public Pocket ID URLs in Pangolin's Identity Provider setup for Pocket ID, except for your Token URL.

Use your local/internal/tailscale address. For me I have it on an accessible docker network: http://pocket-id:1411/api/oidc/token

This works for me and as long as your Pangolin can see your Pocket ID over Tailscale, it should hopefully work for you.


@L0sWach0s commented on GitHub (Nov 10, 2025):

Internally I am using a reverse proxy (traefik), so I can’t use the port of my PocketID instance.
However: the URL should work fine with Pangolin, or am I wrong?


@thelastblt commented on GitHub (Nov 11, 2025):

I'm having this same issue. Pocketid is accessible with Pangolin but results in a failed to send request.


@L0sWach0s commented on GitHub (Nov 21, 2025):

Hey!

Just upgraded my pangolin Instance to Enterprise Edition, same issue.


@miloschwartz commented on GitHub (Nov 22, 2025):

I've seen this come up a few times. Often this is an issue where Pangolin is unable to address Pocket ID server directly. Sometimes when people are running Pangolin and the IdP on the same host, they'll use localhost for the urls registered in the Idp. This can be problematic because Pangolin will resolve localhost to the Pangolin container itself. You'd need to make sure the hostname you use is addressable from within the Pangolin container. Can you double check this?


@L0sWach0s commented on GitHub (Nov 22, 2025):

Hey!

PocketID and Pangolin are not running on the same machine. PocketID is connected via Tailscale.
First I checked inside of the container the connection to PocketID. The ping was sent to the same IP Pangolin has. Then I changed the hosts file and added TAILSCALE_IP pocketid.domain.tld, and the ping was now sent to the Tailscale IP.

But even with this change, OIDC is still not working. The issue happens all the time.

Here the log from Pangolin:

2025-11-22T19:54:10+00:00 [info]: Started offline checker interval
2025-11-22T19:54:10+00:00 [info]: Started offline checker interval
2025-11-22T19:54:11+00:00 [warn]: Server admin exists. Setup token generation skipped.
2025-11-22T19:54:11+00:00 [info]: API server is running on http://localhost:3000
2025-11-22T19:54:11+00:00 [info]: Internal server is running on http://localhost:3001
2025-11-22T19:54:14+00:00 [info]: Next.js server is running on http://localhost:3002
Making OIDC URL generation request to: http://localhost:3000/api/v1/auth/idp/5/oidc/generate-url
Making OIDC callback validation request to: http://localhost:3000/api/v1/auth/idp/5/oidc/validate-callback
2025-11-22T19:54:33+00:00 [error]: Failed to send request
Stack: Error: Failed to send request
    at sendTokenRequest (file:///app/node_modules/arctic/dist/request.js:35:15)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async OAuth2Client.validateAuthorizationCode (file:///app/node_modules/arctic/dist/client.js:66:24)
    at async validateOidcCallback (file:///app/dist/server.mjs:31171:20)


@thelastblt commented on GitHub (Nov 23, 2025):

That unlocked it for me. TLDR it was DNS.

Had the pocketid publicly available through pangolin on my VPS but working locally and available through a local IP address. nslookup worked and ping worked to the pocketid host. However the redirect failed.

Once I either allowed routes (subnet routing) on my VPS or added my tailscale IP to my local DNS that unlocked it. Now Pangolin is resolving the pocketid url.

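A diagnostic for the situation in this thread, added here as an example; it is not Pangolin or Pocket ID code. What shanelord01, miloschwartz and thelastblt describe splits the OIDC flow in two: the authorization endpoint is visited by the user's browser, so it can stay on the public URL, while the token, userinfo and JWKS endpoints are called by the Pangolin process itself and must therefore resolve and connect from inside that container. The stack traces above fail in `sendTokenRequest`, i.e. while the server-side token exchange is being sent and before any HTTP response arrives, which is why a working login page in the browser says nothing about the back channel. The script resolves each back-channel hostname as the running process sees it, flags loopback or self addresses, probes the TCP/TLS connection with certificate verification, and shows the public-front-channel/internal-back-channel rewrite from shanelord01's comment. The discovery document, the names `pocketid.example.tld` and `pocket-id:1411`, and the 100.64.0.0/10 addresses (the range Tailscale uses) are constructed; it assumes python3 is available in the relying party's container or in a container sharing its network namespace, since that is where it has to run.

```python
"""Check where an OIDC relying party's back-channel endpoints resolve.

Added example, not Pangolin or Pocket ID code. The discovery document and
every hostname/address below are constructed for illustration. Run it from
inside the relying party's container (assumes python3 is available there),
because the question is what that process resolves, not what a browser sees.
"""
import ipaddress
import socket
import ssl
from urllib.parse import urlparse, urlunparse

# Front-channel endpoints are visited by the user's browser; back-channel
# endpoints are called by the relying party itself, server to server.
FRONT_CHANNEL = ("authorization_endpoint", "end_session_endpoint")
BACK_CHANNEL = ("token_endpoint", "userinfo_endpoint", "jwks_uri")

# Constructed discovery document in the shape of /.well-known/openid-configuration.
# Only the token path comes from the thread; the other paths are illustrative.
SAMPLE_DISCOVERY = {
    "issuer": "https://pocketid.example.tld",
    "authorization_endpoint": "https://pocketid.example.tld/authorize",
    "token_endpoint": "https://pocketid.example.tld/api/oidc/token",
    "userinfo_endpoint": "https://pocketid.example.tld/api/oidc/userinfo",
    "jwks_uri": "https://pocketid.example.tld/.well-known/jwks.json",
}


def own_addresses():
    """Addresses this host/container answers to; an IdP URL must not map here."""
    try:
        return set(socket.gethostbyname_ex(socket.gethostname())[2])
    except OSError:
        return set()


def resolve_verdict(hostname, own_ips=frozenset()):
    """Classify where HOSTNAME resolves from this process.

    Returns (verdict, addresses); verdict is 'unresolvable', 'loopback',
    'self' or 'ok'. Only 'ok' can possibly reach a remote IdP.
    """
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return "unresolvable", []
    # Strip an IPv6 zone id ("fe80::1%eth0") so ipaddress can parse it.
    addrs = sorted({info[4][0].split("%")[0] for info in infos})
    if not addrs:
        return "unresolvable", []
    if all(ipaddress.ip_address(a).is_loopback for a in addrs):
        return "loopback", addrs   # 'localhost' is this container, not the IdP
    if any(a in own_ips for a in addrs):
        return "self", addrs       # name points at our own interface
    return "ok", addrs


def check_back_channel(discovery, own_ips=frozenset()):
    """Resolve every back-channel endpoint of DISCOVERY. Front-channel URLs are
    skipped on purpose: the browser, not this process, connects to them."""
    report = {}
    for key in BACK_CHANNEL:
        url = discovery.get(key)
        if not url:
            continue
        host = urlparse(url).hostname
        verdict, addrs = resolve_verdict(host, own_ips)
        report[key] = {"url": url, "host": host, "verdict": verdict, "addrs": addrs}
    return report


def override_back_channel(discovery, base_by_host):
    """Rewrite only the back-channel endpoints to an internal base URL, leaving
    issuer and front-channel URLs public (the split shanelord01 describes).

    base_by_host maps a public hostname to "scheme://host[:port]". An http://
    base sends the client secret in clear text on that hop, so use it only on
    a network you trust, such as a private container network or Tailscale.
    """
    out = dict(discovery)
    for key in BACK_CHANNEL:
        url = discovery.get(key)
        if not url:
            continue
        parts = urlparse(url)
        base = base_by_host.get(parts.hostname)
        if base:
            b = urlparse(base)
            out[key] = urlunparse((b.scheme, b.netloc, parts.path,
                                   parts.params, parts.query, parts.fragment))
    return out


def tcp_probe(url, timeout=5.0):
    """Connect to URL's host (with a verified TLS handshake for https).
    Returns None on success, otherwise a short description of the failure."""
    parts = urlparse(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        with socket.create_connection((parts.hostname, port), timeout=timeout) as sock:
            if parts.scheme == "https":
                ctx = ssl.create_default_context()
                with ctx.wrap_socket(sock, server_hostname=parts.hostname):
                    pass
        return None
    except OSError as exc:   # ssl.SSLError is a subclass of OSError
        return f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    mine = own_addresses()
    for key, row in check_back_channel(SAMPLE_DISCOVERY, mine).items():
        line = f"{key}: {row['url']} -> {row['verdict']} {row['addrs']}"
        if row["verdict"] == "ok":
            err = tcp_probe(row["url"])
            line += "  reachable" if err is None else f"  connect failed ({err})"
        print(line)
```

If the public name has to be pinned to a Tailscale address, as L0sWach0s did with a hosts entry, the entry must live in the container's own /etc/hosts (Docker Compose's `extra_hosts` writes it there), and the certificate served at that address still has to match the public hostname, otherwise the TLS probe fails in the same place the token request does. A `loopback` or `self` verdict is the case miloschwartz describes: the name resolves to the Pangolin container itself, so the token request can never reach the IdP regardless of what the browser sees.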

@github-actions[bot] commented on GitHub (Dec 8, 2025):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.


@github-actions[bot] commented on GitHub (Dec 22, 2025):

This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.

Reference: github-starred/pangolin#3963