[GH-ISSUE #816] Potential bug: Pangolin auto-deletes a user created via PocketID #6445

Closed
opened 2026-04-25 15:19:28 -05:00 by GiteaMirror · 4 comments

Originally created by @kmanwar89 on GitHub (Jun 1, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/816

Hi,

I'm working to migrate all auth to PocketID + Pangolin. While testing tonight, I kept running into a situation where I could get through PocketID's auth, but then wouldn't have access to a resource in Pangolin. What I discovered after lots of iterations was that the user I created in Pangolin, per the documentation (https://docs.fossorial.io/Pangolin/Identity%20Providers/Providers/pocket-id), would get deleted after I logged in through PocketID. I would then have to manually re-create the user in Pangolin to restore access.

I'd like to avoid posting a screencast exposing my personal setup, but I'd be happy to do a screen share over Webex/Zoom/Discord if one of the developers wants to reach out and see the issue live. Until then, here are the steps I followed to reproduce this issue - I'll do my best to make sure I didn't leave out any details. This operates under the assumption the Pangolin --> PocketID integration is already created, and "auto-provision of users" is turned on.

  • NOTE: I think the auto-provision might be one of the causes, as this doesn't appear to actually work, and the PocketID documentation (https://pocket-id.org/docs/client-examples/pangolin) states it's only supported in Pangolin Professional, but the Pangolin documentation states there is feature parity, so that's a bit confusing. More work TBD
  1. Create an external user in Pangolin, called "testuser" with PocketID as the OIDC provider. Set the role to "Members"
  2. Do the following three things in PocketID:
    a. Create the same user in PocketID; same username, test@123.com as an email, for instance
    b. Create a user group for non-admin users called "users". Assign the user created in 2a. to this group
    c. Generate a login code for the test user. Open an incognito/private browsing window, and use this to login to the PocketID auth panel. Add a passkey (I'm using a Yubikey on a Linux laptop as a test machine).

At this point, a separate, matching user exists in both systems

  1. In Pangolin, make sure there is a test resource that has authentication enabled, and has access allowed to the "Members" role set in step 1 above.
  2. On the test machine, close out all browsers, and open a new incognito browser. Navigate to any resource in Pangolin that is secured by authentication, and proceed through the login flow using PocketID + passkey. At this point, I had my Pangolin window open on the Access Control --> Users tab on my main machine to watch its status.
  3. Upon successfully completing the auth flow through PocketID to a resource in Pangolin, refresh the page with Pangolin's users page; the testuser created will be missing!

Now that I've written this all out, I'll test the theory if the auto-provision of users is what is actually breaking it, but I wanted to bring this to the devs' attention. Thank you all for the work you've been doing, and hopefully the multiple issues I've raised will help continue to improve the product. Thank you!

Edit: I disabled the auto-provision setting in the Server Admin/IdP and it indeed stopped deleting the created user. Is this a bug, or intended behavior?

GiteaMirror added the stale label 2026-04-25 15:19:28 -05:00

@OfficeRat commented on GitHub (Jun 2, 2025):

I was testing PocketID with Pangolin and had the same issue. Now I'm still wrapping my brain around OIDC so I'm no wizard, but after checking the logs I see this:
Role name not found in the ID token {"roleName":null}

I'm guessing it's having some problems with assigning the correct role during auto provisioning. Though I might have messed up the config.

Image
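
Added example (not part of the thread and not Pangolin or PocketID code): a small claim check for the symptom in the log line above, where the role resolved from the ID token comes back null. The claim name `groups`, the dotted-path lookup and the `users` to `Members` mapping are assumptions for illustration; the sample tokens are constructed.

```javascript
// Diagnostic only: decodes the ID token payload WITHOUT verifying the
// signature. Use it to inspect claims of a token from your own IdP.

// Decode the middle (payload) segment of a compact JWT.
function decodePayload(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Look up claimPath (dotted path, an assumed convention) and map the first
// matching IdP group to a local role. groupToRole is a hypothetical mapping.
function resolveRole(idToken, claimPath, groupToRole) {
  const claims = decodePayload(idToken);
  let value = claims;
  for (const key of claimPath.split(".")) {
    value = value !== null && typeof value === "object" ? value[key] : undefined;
  }
  const present = value !== undefined && value !== null;
  const groups = Array.isArray(value) ? value : present ? [value] : [];
  const match = groups.find((g) =>
    Object.prototype.hasOwnProperty.call(groupToRole, g));
  return {
    roleName: match === undefined ? null : groupToRole[match],
    claimPresent: present,
    claimNames: Object.keys(claims), // what the IdP actually sent
  };
}

// Constructed, unsigned sample tokens (placeholders, not real credentials).
function makeToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none" })}.${enc(payload)}.constructed`;
}
const withoutGroups = makeToken({ sub: "constructed-1",
  preferred_username: "testuser", email: "test@123.com" });
const withGroups = makeToken({ sub: "constructed-1",
  preferred_username: "testuser", groups: ["users"] });

// Hypothetical mapping: PocketID group "users" -> Pangolin role "Members".
const mapping = { users: "Members" };
console.log(resolveRole(withoutGroups, "groups", mapping));
console.log(resolveRole(withGroups, "groups", mapping));
```

When `claimPresent` is false, `claimNames` shows which claims the token did carry, which helps tell a missing scope or claim on the IdP side from a wrong mapping path on the consumer side.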


@jonzey231 commented on GitHub (Jun 2, 2025):

> Hi,
>
> I'm working to migrate all auth to PocketID + Pangolin. While testing tonight, I kept running into a situation where I could get through PocketID's auth, but then wouldn't have access to a resource in Pangolin. What I discovered after lots of iterations was that the user I created in Pangolin, per the documentation (https://docs.fossorial.io/Pangolin/Identity%20Providers/Providers/pocket-id), would get deleted after I logged in through PocketID. I would then have to manually re-create the user in Pangolin to restore access.
>
> I'd like to avoid posting a screencast exposing my personal setup, but I'd be happy to do a screen share over Webex/Zoom/Discord if one of the developers wants to reach out and see the issue live. Until then, here are the steps I followed to reproduce this issue - I'll do my best to make sure I didn't leave out any details. This operates under the assumption the Pangolin --> PocketID integration is already created, and "auto-provision of users" is turned on.
>
>   • NOTE: I think the auto-provision might be one of the causes, as this doesn't appear to actually work, and the PocketID documentation (https://pocket-id.org/docs/client-examples/pangolin) states it's only supported in Pangolin Professional, but the Pangolin documentation states there is feature parity, so that's a bit confusing. More work TBD
>   1. Create an external user in Pangolin, called "testuser" with PocketID as the OIDC provider. Set the role to "Members"
>   2. Do the following three things in PocketID:
>     a. Create the same user in PocketID; same username, test@123.com as an email, for instance
>     b. Create a user group for non-admin users called "users". Assign the user created in 2a. to this group
>     c. Generate a login code for the test user. Open an incognito/private browsing window, and use this to login to the PocketID auth panel. Add a passkey (I'm using a Yubikey on a Linux laptop as a test machine).
>
> At this point, a separate, matching user exists in both systems
>
>   1. In Pangolin, make sure there is a test resource that has authentication enabled, and has access allowed to the "Members" role set in step 1 above.
>   2. On the test machine, close out all browsers, and open a new incognito browser. Navigate to any resource in Pangolin that is secured by authentication, and proceed through the login flow using PocketID + passkey. At this point, I had my Pangolin window open on the Access Control --> Users tab on my main machine to watch its status.
>   3. Upon successfully completing the auth flow through PocketID to a resource in Pangolin, refresh the page with Pangolin's users page; the testuser created will be missing!
>
> Now that I've written this all out, I'll test the theory if the auto-provision of users is what is actually breaking it, but I wanted to bring this to the devs' attention. Thank you all for the work you've been doing, and hopefully the multiple issues I've raised will help continue to improve the product. Thank you!
>
> Edit: I disabled the auto-provision setting in the Server Admin/IdP and it indeed stopped deleting the created user. Is this a bug, or intended behavior?

See this issue: https://github.com/fosrl/pangolin/issues/737


@github-actions[bot] commented on GitHub (Jun 17, 2025):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.


@github-actions[bot] commented on GitHub (Jul 1, 2025):

This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.

Reference: github-starred/pangolin#6445