OIDC fails with Authentik - how to troubleshoot? #713

Open
opened 2025-11-13 12:08:48 -06:00 by GiteaMirror · 35 comments

Originally created by @t984447 on GitHub (Oct 8, 2025).

Describe the Bug

First setup as a test in my homelab where I am currently using my internal DNS server and internal ACME.
I am having major issues authenticating towards pangolin via my IDP (Authentik) as I am getting the same issue each time which lacks clarity.

I believe this might be a bug but at the same time I am not sure if I am troubleshooting correctly.

Each time I try to log in I can access my auth.magic.com page and authenticate successfully in Authentik. However there seems to be something wrong with the callback step for OIDC communication. When landing on Pangolin or a resource protected by Pangolin I get the below issue:
Image

Checking .machinelogs.json I can see the following;

```json
{ "level":"\u001b[31merror\u001b[39m", "message":"Failed to send request", "stack":"Error: Failed to send request at sendTokenRequest (file:///app/node_modules/arctic/dist/request.js:35:15) at process.processTicksAndRejections (node:internal/process/task_queues:105:5) at async OAuth2Client.validateAuthorizationCode (file:///app/node_modules/arctic/dist/client.js:66:24) at async validateOidcCallback (file:///app/dist/server.mjs:21681:20)", "timestamp":"2025-10-08T19:03:34.302Z" }
```

A brief checklist;

  • Adding my own CA as trust to Traefik and both docker containers' ca-certificates.crt
  • Setting environment variable for both containers TZ: Europe/Stockholm (in case it was a time issue, since the Pangolin container seems to be running two hours late)
  • Adding/re-adding both provider and application in Authentik and the IDP in Pangolin.
  • If I disable authentication for a resource in Pangolin which also has its own SSO towards the same IDP it works. That is, my Authentik installation works.

My setup is as follows;

  1. Original setup where the auth page goes through Pangolin as a resource and the DNS pointing as Pangolin.
  2. While auth DNS points towards pangolin I add extra_hosts: to Pangolin docker and points towards my IDP.
  3. Redirect all traffic for auth page towards my IDP.
Image

Environment

  1. OS Type & Version: (e.g., Ubuntu 22.04)

Proxmox 8.4 LXC
LXC: ubuntu-24.04-standard_24.04-2_amd64.tar.zst

  2. Pangolin Version:

fosrl/pangolin:1.10.1

  3. Traefik Version:

traefik:v3.5

To Reproduce

I am not sure what might be the source, but I am doing a lot of customization towards my Pangolin setup using LXC, custom CA (and ACME) and all running locally.

Expected Behavior

I expect either the application to let me access the resource or have the logs show a detailed error message describing what the issue is.


@SigmaSquadron commented on GitHub (Oct 9, 2025):

I've also had issues with Kanidm since updating to 1.10.3. I am not using a custom CA (Kani works well with the Let's Encrypt certificates), so this is likely a Pangolin issue.


@SigmaSquadron commented on GitHub (Oct 9, 2025):

Could you try running with the log level set to debug and see if this message appears in the log?

b34c3db956/server/routers/idp/validateOidcCallback.ts (L165-L169)


@t984447 commented on GitHub (Oct 9, 2025):

> Could you try running with the log level set to debug and see if this message appears in the log?
>
> pangolin/server/routers/idp/validateOidcCallback.ts
>
> Lines 165 to 169 in b34c3db
>
> ```ts
> logger.debug("State verified", {
>     urL: ensureTrailingSlash(existingIdp.idpOidcConfig.tokenUrl),
>     expectedState,
>     state
> });
> ```

Logger set to debug and the message you refer to always comes before the error;

```
{
  "level":"\u001b[34mdebug\u001b[39m",
  "message":"GET /api/v1/user",
  "timestamp":"2025-10-08T19:03:34.195Z"
}

{
  "level":"\u001b[34mdebug\u001b[39m",
  "message":"POST /api/v1/auth/idp/2/oidc/validate-callback",
  "timestamp":"2025-10-08T19:03:34.277Z"
}

{
  "expectedState":"wDRSowb_v3O1vywzxT1190jHHoaqggwoPg2Y0Ln0glk",
  "level":"\u001b[34mdebug\u001b[39m",
  "message":"State verified",
  "state":"wDRSowb_v3O1vywzxT1190jHHoaqggwoPg2Y0Ln0glk",
  "timestamp":"2025-10-08T19:03:34.280Z",
  "urL":"https://auth.magic.com/application/o/token/"
}

{
  "level":"\u001b[31merror\u001b[39m",
  "message":"Failed to send request",
  "stack":"Error: Failed to send request at sendTokenRequest (file:///app/node_modules/arctic/dist/request.js:35:15) at process.processTicksAndRejections (node:internal/process/task_queues:105:5) at async OAuth2Client.validateAuthorizationCode (file:///app/node_modules/arctic/dist/client.js:66:24) at async validateOidcCallback (file:///app/dist/server.mjs:21681:20)",
  "timestamp":"2025-10-08T19:03:34.302Z"
}
```

@t984447 commented on GitHub (Oct 9, 2025):

Also tried updating to latest and I get the same error and behaviour.

Pangolin Version:

fosrl/pangolin:1.10.3

Traefik Version:

traefik:v3.5.3


@SigmaSquadron commented on GitHub (Oct 9, 2025):

The issue points to this call:

b34c3db956/server/routers/idp/validateOidcCallback.ts (L171-L175)

But I'm not sure why Arctic is failing to send the Oauth2 request. The upstream code hints at it not being able to access our Oauth2 providers, which is insane given the call immediately above works.

```typescript
export async function sendTokenRequest(request: Request): Promise<OAuth2Tokens> {
  let response: Response;
  try {
    response = await fetch(request);
  } catch (e) {
    throw new ArcticFetchError(e);
  }
```
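The wrapper quoted above throws away the underlying Node error, which is why every report in this thread only ever shows "Failed to send request". The following diagnostic is an added example, not Pangolin's or Arctic's code: it issues the same kind of POST to a token URL with Node's global fetch and reports the real cause (DNS, TCP or TLS trust), assuming Node 18+ inside the container and that the error-code table below covers the common failure modes.

```javascript
// Added diagnostic, not Pangolin or Arctic code. Arctic wraps any fetch()
// rejection in ArcticFetchError("Failed to send request"), so the Node error
// that actually explains the failure is lost. This script sends the same kind
// of token POST with the global fetch and surfaces that hidden cause.
//
// Run it from inside the Pangolin container against the configured Token URL
// (assumes Node 18+ with global fetch; the path and URL are placeholders):
//   docker exec pangolin node /tmp/probe-token-url.js https://idp.example.test/application/o/token/

// Node/undici error codes mapped to the stage that failed and what to check.
// The table is an assumption about the most common causes, not an exhaustive list.
const STAGES = {
  ENOTFOUND: ['dns', 'hostname does not resolve inside the container (container DNS / extra_hosts)'],
  EAI_AGAIN: ['dns', 'DNS lookup timed out inside the container'],
  ECONNREFUSED: ['tcp', 'host reached but nothing is listening on that port'],
  ECONNRESET: ['tcp', 'connection reset by the peer or a proxy in between'],
  ETIMEDOUT: ['tcp', 'no answer: routing, firewall or hairpin-NAT problem from the container'],
  EHOSTUNREACH: ['tcp', 'no route to host from the container network'],
  UND_ERR_CONNECT_TIMEOUT: ['tcp', 'undici connect timeout; the IdP address is not reachable from here'],
  UNABLE_TO_VERIFY_LEAF_SIGNATURE: ['tls', 'issuer CA is not trusted by Node (see NODE_EXTRA_CA_CERTS)'],
  SELF_SIGNED_CERT_IN_CHAIN: ['tls', 'private CA in the chain is not trusted by Node'],
  DEPTH_ZERO_SELF_SIGNED_CERT: ['tls', 'leaf certificate is self-signed and not trusted'],
  CERT_HAS_EXPIRED: ['tls', 'certificate expired, or the container clock is wrong'],
  ERR_TLS_CERT_ALTNAME_INVALID: ['tls', 'certificate does not match the hostname in the token URL'],
};

// Walk err -> err.cause -> ... and return the first entry carrying a Node error code.
// fetch() rejects with TypeError("fetch failed") whose .cause is the real socket/TLS error.
function rootCause(err) {
  let e = err;
  for (let depth = 0; e && depth < 10; depth++) {
    if (e.code) return { code: e.code, message: e.message };
    e = e.cause;
  }
  return { code: undefined, message: err && err.message };
}

// Classify a fetch() failure into { stage, code, hint } for the operator.
function describeFetchFailure(err) {
  const { code, message } = rootCause(err);
  const [stage, hint] = STAGES[code] || ['unknown', message || String(err)];
  return { stage, code: code || 'n/a', hint };
}

// Send a deliberately invalid token request. A healthy IdP answers 400/401
// with an OAuth error body, which already proves the container can reach the
// token endpoint; anything thrown by fetch() is the cause Arctic would hide.
async function probeTokenUrl(url) {
  const body = new URLSearchParams({ grant_type: 'authorization_code', code: 'probe' });
  try {
    const res = await fetch(url, { method: 'POST', body, headers: { Accept: 'application/json' } });
    const text = (await res.text()).slice(0, 200);
    return { reachable: true, status: res.status, body: text };
  } catch (err) {
    return { reachable: false, ...describeFetchFailure(err) };
  }
}

// Only probe when a URL is passed on the command line, so importing this file has no side effects.
if (process.argv[2]) {
  probeTokenUrl(process.argv[2]).then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Note that Node does not read the system ca-certificates.crt by default but ships its own CA bundle, so a private CA copied into the container is only honoured when the file is passed via the NODE_EXTRA_CA_CERTS environment variable.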

@t984447 commented on GitHub (Oct 9, 2025):

It's nice to know I was not alone as I thought I was going crazy :)
At first I thought it was a matter of trust since I am using my own CA server in my LAN, but seeing as you get the same with LE I am starting to think there might be network issues.

However, for some reason it feels like it's not sending anything but fails directly. Wondering if I should try a TCP dump from my LXC running only Pangolin to see what/where it tries to send packets.


@SigmaSquadron commented on GitHub (Oct 9, 2025):

Might also want to try a bisection assuming this doesn't depend on your db's state.


@t984447 commented on GitHub (Oct 10, 2025):

Ok, never mind the TCP capture as I forgot the HTTPS deal and I do not have a capturing solution atm.

@SigmaSquadron what do you mean with bisection?
My current pangolin setup is expendable since I haven't started using it yet.


@SigmaSquadron commented on GitHub (Oct 10, 2025):

A bisection is a debugging step powered by git bisect. First, clone the Pangolin repository and set the first bisection commit to the last "known good" version, and set the first bad commit to the head of 1.10.2. Git will then move you to the commit exactly between the known good and known bad versions. On that commit, you can compile and run pangolin locally and set up OIDC. If it works, mark that commit as good and continue the bisection. If it doesn't work, mark that commit as a bad commit and continue until you find the first bad commit.

I can't try this with my infrastructure since Kanidm hates running outside of production environments, and I'd get unrelated errors. I hope authentik isn't allergic to ad-hoc testing like this.


@t984447 commented on GitHub (Oct 13, 2025):

> A bisection is a debugging step powered by git bisect. First, clone the Pangolin repository and set the first bisection commit to the last "known good" version, and set the first bad commit to the head of 1.10.2. Git will then move you to the commit exactly between the known good and known bad versions. On that commit, you can compile and run pangolin locally and set up OIDC. If it works, mark that commit as good and continue the bisection. If it doesn't work, mark that commit as a bad commit and continue until you find the first bad commit.
>
> I can't try this with my infrastructure since Kanidm hates running outside of production environments, and I'd get unrelated errors. I hope authentik isn't allergic to ad-hoc testing like this.

Ah, I understand. Problem for me is that I have never had a "good functional" version as this is my first setup.
I guess I could just backtrack the docker images and see what works... but not sure if it's a developed issue or something that never worked.


@SigmaSquadron commented on GitHub (Oct 13, 2025):

OIDC did work because I was successfully using it since version 1.8.


@t984447 commented on GitHub (Oct 14, 2025):

> OIDC did work because I was successfully using it since version 1.8.

I tried running an older docker image, 1.9.0, and got the same issue. If I try 1.8.0 it will not even start with my current setup. Seemingly there was a big change between 1.8 and 1.9 where there are changes not related to the "config" folder (which I did try to swap out).

The only alternative left for me is to set up another LXC running specifically Pangolin 1.8.0; however I am not sure how the installer might have been changed since.


@MotaRaja commented on GitHub (Oct 14, 2025):

I am also having this issue with Pocket-ID. Getting a timeout error when trying to authenticate with SSO.


@Clementinox commented on GitHub (Oct 15, 2025):

I have authentik working using the following:

When creating a user, select the OIDC provider and make sure under username you have the email of the Authentik user.

Then under server admin, for the authentik provider, set identifier path to email


@t984447 commented on GitHub (Oct 15, 2025):

> I have authentik working using the following:
>
> When creating a user, select the OIDC provider and make sure under username you have the email of the authentik user.
>
> Then under server admin, for the authentik provider, set identifier path to email

Unfortunately this does not make any difference for me; I've tried already with a pre-made account.

Since I am using my own local self-signed CA for most things I kind of suspect that the issue is related to the CA not being trusted, but there is no documentation of how to add a custom CA truststore to anything.

For both Traefik and Pangolin I had to add custom lines in the docker-compose to replace the ca-certificates file. Not sure if I missed anything. Another thing which bothers me is that all other applications I have locally work, such as Portainer, Zabbix or even OpenWebGUI. For most of them I had to add my own CA to a truststore for them to work.

Additionally I have noticed that Pangolin is the only application which does not ask for an OpenID Configuration URL,
i.e. https://auth.magic.com/application/o/pangolin/.well-known/openid-configuration


@t984447 commented on GitHub (Oct 15, 2025):

Reading more just now I notice the thread "Cant delete user from pangolin that was created using OIDC via Authentik" (https://github.com/fosrl/pangolin/issues/1381) where the last comment by RJDavison mentions that the auto-provisioning is not working as intended.

The main thing I am trying is auto-provisioning, which sounds like a broken feature.


@SigmaSquadron commented on GitHub (Oct 18, 2025):

This seems to be unrelated to the issue OP and I are getting.


@t984447 commented on GitHub (Oct 18, 2025):

I had some time earlier today and tried the new version, 1.11.0, of Pangolin but alas.. no dice. Same error :(
Next would be to try setting up a new environment with 1.8.0 and my Authentik setup.

Image

@dx911xd commented on GitHub (Oct 21, 2025):

Similar setup without custom CA certs, but the OP provider is Zitadel, set up with the how-to provided by Pangolin. OIDC works fine until 1.10.3 but is broken in 1.11.0 and 1.11.1, whether auto-provision is on or off; none of the newer versions work. Same login error on the Pangolin UI.


@shanelord01 commented on GitHub (Oct 22, 2025):

I've tried setting Pocket ID up on both my unraid (over a Newt tunnel) and on the same server as Pangolin (where I set it up as a local site). Followed this: https://docs.pangolin.net/manage/identity-providers/pocket-id and this https://pocket-id.org/docs/client-examples/pangolin

In both instances, when I try and login to Pangolin selecting Pocket ID, I get a "There was a problem connecting to Pocket ID. Please contact your administrator."

I have followed the steps exactly, ensuring all fields are correct.

I have turned off Pangolin auth for the proxied https://auth.mydomain.com/ address

Still cannot get this to work.

I can login to Pocket ID without issue via the proxied https://auth.mydomain.com/ directly.

UPDATE: Just tested setting up Grafana using OAuth as per here and it works perfectly.
https://pocket-id.org/docs/client-examples/grafana

Note this is if I use username/password or other auth other than Pocket ID for Pangolin first. As soon as I go through Pangolin auth using Pocket ID it fails. So, if I am already logged into Pangolin, the auth for Grafana works.

So it seems to be a Pangolin issue.


@shanelord01 commented on GitHub (Oct 22, 2025):

Logs show Pangolin is talking to localhost. Is this expected?

```
root@pangolin:~# docker logs -f pangolin | grep -i oidc
Making OIDC URL generation request to: http://localhost:3000/api/v1/auth/idp/4/oidc/generate-url
Making OIDC callback validation request to: http://localhost:3000/api/v1/auth/idp/4/oidc/validate-callback
    at async validateOidcCallback (file:///app/dist/server.mjs:22995:20)
```

@shanelord01 commented on GitHub (Oct 23, 2025):

OK. I have gotten this working, tested with Pocket ID set up on my Pangolin VPS.

TLDR;

Pangolin can't reach your public token URL (other OIDC apps you set can).

For Pangolin OIDC, use `http://pocket-id:1411/api/oidc/token` as the Token URL.

For anything else use the one provided by Pocket ID for the Token URL.

Steps:

  1. Added the Pocket ID docker compose section to my Pangolin docker-compose.yml so that it's on the same docker network and can talk directly:

```yaml
  pocket-id:
    image: ghcr.io/pocket-id/pocket-id:v1
    container_name: pocket-id
    restart: unless-stopped
    env_file: ./config/pocket-id/.env
    ports:
      - 1411:1411
    volumes:
      - ./config/pocket-id:/app/data
      - ./config/maxmind:/maxmind:ro
    healthcheck:
      test: [ "CMD", "/app/pocket-id", "healthcheck" ]
      interval: 1m30s
      timeout: 5s
      retries: 2
      start_period: 10s
    networks:
      - default
```

  2. Make sure your domain for Pocket ID is set up correctly and matching what you will set in step 3 below in your ./config/pocket-id/.env file:

```
APP_URL=https://pocketid.mydomain.com
INTERNAL_APP_URL=https://pocketid.mydomain.com
TRUST_PROXY=true
```

ie replace https://pocketid.mydomain.com with your actual address

  3. Set up your resource for Pocket ID as a "local site" resource, no auth.

  4. Set up Pocket ID by logging in to the setup address, which will be the URL you set up in step 3 with a trailing /setup, ie https://pocketid.mydomain.com/setup

  5. Do the steps detailed here https://docs.pangolin.net/manage/identity-providers/pocket-id but importantly when you get to the step of copying the credentials etc, only use the Client ID, Client Secret and Authorization URL from Pocket ID; you need to use this Token URL in Pangolin otherwise it will fail:

`http://pocket-id:1411/api/oidc/token`

You ONLY need to use this address for your Pangolin OIDC - any other apps use the one provided by Pocket ID.

Everything should now work. Pangolin login via auth works.

You can also setup additional OIDC Clients (like immich, Grafana etc) from Pocket ID and they will also function without issues. Just ensure they use the Token URL provided by PocketID.


@L0sWach0s commented on GitHub (Oct 26, 2025):

Hey!

Same issue here with Pangolin 1.11.1

Setup:

  • no newt, "local" connection via Tailscale
  • Pocket ID (1.14.0) running on another site, connection via Pangolin is working fine.

Yesterday evening, the setup was fine, changed nothing and today it stopped working.

```
2025-10-26T10:12:56+00:00 [error]: Failed to send request Stack: Error: Failed to send request at sendTokenRequest (file:///app/node_modules/arctic/dist/request.js:35:15) at processTicksAndRejections (node:internal/process/task_queues:105:5) at runNextTicks (node:internal/process/task_queues:69:3) at process.processImmediate (node:internal/timers:453:9) at process.callbackTrampoline (node:internal/async_hooks:130:17) at async OAuth2Client.validateAuthorizationCode (file:///app/node_modules/arctic/dist/client.js:66:24) at async validateOidcCallback (file:///app/dist/server.mjs:23235:20)
Making OIDC URL generation request to: http://localhost:3000/api/v1/auth/idp/3/oidc/generate-url
Making OIDC callback validation request to: http://localhost:3000/api/v1/auth/idp/3/oidc/validate-callback
2025-10-26T10:13:23+00:00 [error]: Failed to send request Stack: Error: Failed to send request at sendTokenRequest (file:///app/node_modules/arctic/dist/request.js:35:15) at process.processTicksAndRejections (node:internal/process/task_queues:105:5) at async OAuth2Client.validateAuthorizationCode (file:///app/node_modules/arctic/dist/client.js:66:24) at async validateOidcCallback (file:///app/dist/server.mjs:23235:20)
```

Transferring my PocketID instance to the VPS is no option.

Any other ideas?

@LoganRupe commented on GitHub (Oct 29, 2025):

Same issue here, glad I'm not alone, Pangolin 1.11.1 going to Authentik:

```
pangolin  | Making OIDC URL generation request to: http://localhost:3000/api/v1/auth/idp/2/oidc/generate-url
pangolin  | Making OIDC callback validation request to: http://localhost:3000/api/v1/auth/idp/2/oidc/validate-callback
pangolin  | 2025-10-29T04:36:03+00:00 [error]: Failed to send request
pangolin  | Stack: Error: Failed to send request
pangolin  |     at sendTokenRequest (file:///app/node_modules/arctic/dist/request.js:35:15)
pangolin  |     at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
pangolin  |     at async OAuth2Client.validateAuthorizationCode (file:///app/node_modules/arctic/dist/client.js:66:24)
pangolin  |     at async validateOidcCallback (file:///app/dist/server.mjs:23235:20)
```
@DenizSe commented on GitHub (Nov 2, 2025):

Same issue here, on 1.12.0 with Authentik 2025.10.0

```
| Making OIDC URL generation request to: http://localhost:3000/api/v1/auth/idp/3/oidc/generate-url
pangolin | Making OIDC callback validation request to: http://localhost:3000/api/v1/auth/idp/3/oidc/validate-callback
pangolin | 2025-11-02T21:42:54+00:00 [error]: Unexpected error response
pangolin | Stack: Error: Unexpected error response
pangolin |     at sendTokenRequest (file:///app/node_modules/arctic/dist/request.js:74:11)
pangolin |     at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
pangolin |     at async OAuth2Client.validateAuthorizationCode (file:///app/node_modules/arctic/dist/client.js:66:24)
pangolin |     at async validateOidcCallback (file:///app/dist/server.mjs:24314:20) {"status":403}
```

@aweb-01 commented on GitHub (Nov 4, 2025):

Also getting this issue on 1.11.1 with Authentik 2025.10.0. It's relatively new I think, my configuration was working fine until recently.

```
Making OIDC URL generation request to: http://localhost:3000/api/v1/auth/idp/1/oidc/generate-url
Making OIDC callback validation request to: http://localhost:3000/api/v1/auth/idp/1/oidc/validate-callback
2025-11-04T09:42:38+00:00 [error]: Unexpected error response
Stack: Error: Unexpected error response
    at sendTokenRequest (file:///app/node_modules/arctic/dist/request.js:43:19)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async OAuth2Client.validateAuthorizationCode (file:///app/node_modules/arctic/dist/client.js:66:24)
    at async validateOidcCallback (file:///app/dist/server.mjs:23235:20) {"status":401}
```

Edit: interestingly this issue does not occur if I configure it to use a different instance of Authentik not configured as a resource in Pangolin.

@dx911xd commented on GitHub (Nov 4, 2025):

Found one workaround for Zitadel: delete the OIDC provider with the system admin (local) account and add the OIDC provider back after the upgrade. Beware, the OIDC callback URL changes on the Pangolin side.

@t984447 commented on GitHub (Nov 5, 2025):

So I've been testing a bit with both Keycloak and now PocketID and all seem to fail. Mind you, these are fresh and new installations connected to Pangolin, which all seem to fail at the same step.

```
Making OIDC callback validation request to: http://localhost:3000/api/v1/auth/idp/3/oidc/validate-callback
2025-11-05T19:55:44+00:00 [error]: Failed to send request
Stack: Error: Failed to send request
    at sendTokenRequest (file:///app/node_modules/arctic/dist/request.js:35:15)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async OAuth2Client.validateAuthorizationCode (file:///app/node_modules/arctic/dist/client.js:66:24)
    at async validateOidcCallback (file:///app/dist/server.mjs:24317:20)
```
@seanalewine commented on GitHub (Nov 8, 2025):

I'm having the same issue with Pangolin v1.11.1, Pocket ID v1.14.0. OIDC was working flawlessly until a recent update to Pangolin. Pangolin and Pocket ID are deployed on separate VPS, so no using the docker network as a workaround. Error message of "Failed to send request" in logs like everyone else. I tried deleting the OIDC provider from Pangolin and starting from scratch with no success.

@t984447 commented on GitHub (Nov 10, 2025):

I am kind of lost here on how to troubleshoot.

There are even some other cases which seem to be the same issue but I'm not sure, like the newest one being https://github.com/fosrl/pangolin/issues/1838

@L0sWach0s commented on GitHub (Nov 10, 2025):

I've opened a separate issue because this bug is not yet resolved.

The solution by @shanelord01 is a workaround that doesn't address the root cause,
and it doesn't work in my setup.

@skengerz commented on GitHub (Nov 11, 2025):

I solved this by updating pangolin to the latest version, which was numbered 1.12.2; I was previously on v1.11.1 as defined in the downloaded docker compose file.

@aweb-01 commented on GitHub (Nov 11, 2025):

I updated to 1.12.2, same issue:

```
Making OIDC URL generation request to: http://localhost:3000/api/v1/auth/idp/1/oidc/generate-url
Making OIDC callback validation request to: http://localhost:3000/api/v1/auth/idp/1/oidc/validate-callback
2025-11-11T17:26:38+00:00 [error]: Failed to send request
Stack: Error: Failed to send request
    at sendTokenRequest (file:///app/node_modules/arctic/dist/request.js:35:15)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async OAuth2Client.validateAuthorizationCode (file:///app/node_modules/arctic/dist/client.js:66:24)
    at async validateOidcCallback (file:///app/dist/server.mjs:24361:20)
```
@skengerz commented on GitHub (Nov 11, 2025):

It's been a couple days for me, but I'm pretty sure the only changes I made in between experiencing the issue and it being resolved were changing the identifier path to preferred_username and changing the defined version in the docker compose file from 1.11.1 to latest. I've tried to retrace my steps but I can't find anything additional that I changed. Sorry I couldn't be of any help :( I hope your issue gets resolved.

@t984447 commented on GitHub (Nov 12, 2025):

> It's been a couple days for me, but I'm pretty sure the only changes I made in between experiencing the issue and it being resolved were changing the identifier path to preferred_username and changing the defined version in the docker compose file from 1.11.1 to latest. I've tried to retrace my steps but I can't find anything additional that I changed. Sorry I couldn't be of any help :( I hope your issue gets resolved.

Yea, I get you.
I tried updating to Pangolin 1.12.2 and Traefik 3.6.0 but as aweb-01, no dice.

```
Making OIDC URL generation request to: http://localhost:3000/api/v1/auth/idp/3/oidc/generate-url
Making OIDC callback validation request to: http://localhost:3000/api/v1/auth/idp/3/oidc/validate-callback
2025-11-12T08:28:35+01:00 [error]: Failed to send request
Stack: Error: Failed to send request
    at sendTokenRequest (file:///app/node_modules/arctic/dist/request.js:35:15)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async OAuth2Client.validateAuthorizationCode (file:///app/node_modules/arctic/dist/client.js:66:24)
    at async validateOidcCallback (file:///app/dist/server.mjs:24361:20)
```
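A probe for telling the failure modes in this thread apart, added here as an example (it is not Pangolin code and not the arctic library Pangolin uses): it repeats the POST that `sendTokenRequest` makes to the configured Token URL, with a dummy authorization code, and reports whether the request dies at DNS, at the transport/TLS layer (what arctic logs as "Failed to send request") or comes back with an error status (the "Unexpected error response" with `{"status":N}`). The `cafile` parameter, the probe code, the `opener` injection and the hint texts are assumptions of this example; a healthy endpoint answers the dummy code with 400 `invalid_grant`.

```python
import base64
import json
import socket
import ssl
import urllib.error
import urllib.parse
import urllib.request

PROBE_CODE = "probe-not-a-real-code"  # constructed dummy code; the IdP must reject it


def _hint(status, oauth_error):
    """Map the token endpoint's answer to what it most likely means (assumed wording)."""
    if status == 400 and oauth_error == "invalid_grant":
        return "reachable and client authenticated; dummy code rejected as expected"
    if status == 401 or oauth_error == "invalid_client":
        return "client_id/client_secret or client auth method rejected by the IdP"
    if status == 403:
        return "something in front of the token endpoint (proxy auth, access policy) answered, not the IdP"
    return "unexpected HTTP status from token endpoint"


def probe_token_endpoint(token_url, client_id, client_secret, *, cafile=None,
                         opener=urllib.request.urlopen):
    """Return {'stage': 'dns'|'transport'|'http'|'ok', ...} for one token request.

    'transport' corresponds to arctic's "Failed to send request",
    'http' to "Unexpected error response" with {"status": N}.
    """
    host = urllib.parse.urlparse(token_url).hostname
    try:  # stage 1: does the Token URL host resolve from where Pangolin runs?
        addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror as e:
        return {"stage": "dns", "detail": f"{host}: {e}"}
    form = urllib.parse.urlencode({"grant_type": "authorization_code", "code": PROBE_CODE,
                                   "redirect_uri": "https://example.invalid/auth/idp/oidc/callback"})
    req = urllib.request.Request(token_url, data=form.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "application/json")
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req.add_header("Authorization", f"Basic {creds}")  # client_secret_basic
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: bundle holding your private CA
    try:  # stage 2: transport/TLS, stage 3: HTTP status
        with opener(req, timeout=10, context=ctx) as resp:
            return {"stage": "ok", "status": resp.status, "addresses": addrs}
    except urllib.error.HTTPError as e:  # must precede URLError (it is a subclass)
        body = e.read().decode("utf-8", "replace")
        try:
            oauth_error = json.loads(body).get("error")
        except ValueError:
            oauth_error = None
        return {"stage": "http", "status": e.code, "error": oauth_error,
                "addresses": addrs, "hint": _hint(e.code, oauth_error)}
    except (urllib.error.URLError, OSError) as e:
        reason = getattr(e, "reason", e)
        kind = "tls" if isinstance(reason, ssl.SSLError) else "connect"
        return {"stage": "transport", "kind": kind, "detail": str(reason), "addresses": addrs}


if __name__ == "__main__":
    import sys
    print(json.dumps(probe_token_endpoint(*sys.argv[1:4]), indent=2))
```

Run it from a container on Pangolin's docker network (the Pangolin image itself may not ship Python) with the exact Token URL configured in the IdP settings; a `transport` result with `kind: tls` points at CA trust, a `connect` result at the hairpin/loopback path the internal `http://pocket-id:1411/...` URL above sidesteps.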
Reference: github-starred/pangolin#713