[GH-ISSUE #2144] Conflict between OIDC auth and webhook proxy #6556

Closed
opened 2026-04-20 17:09:07 -05:00 by GiteaMirror · 4 comments

Originally created by @rhclayto on GitHub (Jan 24, 2026).
Original GitHub issue: https://github.com/go-vikunja/vikunja/issues/2144

Description

  • webhooks.proxyurl & webhooks.proxypassword are set properly in the configuration.
  • Create a webhook.
  • Run the webhook. It successfully sends, passes through the proxy, & is received at the webhook endpoint.
  • Try to browse to another page in Vikunja. Receive the below log messages in vikunja & webhook proxy logs.
  • Log out of Vikunja. Return to the login page. Try to log in again, an 'Internal Server Error' message replaces the 'Authenticating' message on the login screen, accompanied by the same vikunja & webhook proxy log messages, & login fails.
  • Comment out the proxy information in the configuration, disabling it, & refresh the page, OIDC log-in works again, & the log messages are gone.

Logs in vikunja:

Jan 24 02:37:00 apps vikunja[95852]: time=2026-01-24T02:37:00.127-07:00 level=WARN msg="OpenID Connect provider 'Example SSO' not available (attempt 1/3), retrying in 1s: Get \"https://auth.example.com/.well-known/openid-configuration\": Request rejected by proxy"
Jan 24 02:37:01 apps vikunja[95852]: time=2026-01-24T02:37:01.129-07:00 level=WARN msg="OpenID Connect provider 'Example SSO' not available (attempt 2/3), retrying in 2s: Get \"https://auth.example.com/.well-known/openid-configuration\": Request rejected by proxy"
Jan 24 02:37:03 apps vikunja[95852]: time=2026-01-24T02:37:03.130-07:00 level=ERROR msg="OpenID Connect provider 'Example SSO' not available after 3 attempts: Get \"https://auth.example.com/.well-known/openid-configuration\": Request rejected by proxy"
Jan 24 02:37:03 apps vikunja[95852]: time=2026-01-24T02:37:03.130-07:00 level=ERROR msg="Get \"https://auth.example.com/.well-known/openid-configuration\": Request rejected by proxy"

Logs in the webhook proxy:

Jan 24 02:37:00 apps mole[95867]: time="2026-01-24T02:37:00-07:00" level=warning msg=CANONICAL-PROXY-DECISION allow=false content_length=87 decision_reason="rule has enforce policy" dns_lookup_time_ms=0 enforce_would_deny=true id=d5q95f4qdn9bbttim630 inbound_remote_addr="172.16.30.109:48716" project=webhooks proxy_type=connect requested_host="auth.example.com:443" role=vikunja start_time="2026-01-24 09:37:00.126685086 +0000 UTC" trace_id=
Jan 24 02:37:01 apps mole[95867]: time="2026-01-24T02:37:01-07:00" level=warning msg=CANONICAL-PROXY-DECISION allow=false content_length=87 decision_reason="rule has enforce policy" dns_lookup_time_ms=0 enforce_would_deny=true id=d5q95fcqdn9bbttim63g inbound_remote_addr="172.16.30.109:48730" project=webhooks proxy_type=connect requested_host="auth.example.com:443" role=vikunja start_time="2026-01-24 09:37:01.128825465 +0000 UTC" trace_id=
Jan 24 02:37:03 apps mole[95867]: time="2026-01-24T02:37:03-07:00" level=warning msg=CANONICAL-PROXY-DECISION allow=false content_length=87 decision_reason="rule has enforce policy" dns_lookup_time_ms=0 enforce_would_deny=true id=d5q95fsqdn9bbttim640 inbound_remote_addr="172.16.30.109:48732" project=webhooks proxy_type=connect requested_host="auth.example.com:443" role=vikunja start_time="2026-01-24 09:37:03.130059364 +0000 UTC" trace_id=

auth.openid.providers.exampleprovider.forceuserinfo: true (maybe not relevant).

pkg/modules/auth/openid/providers.go has err = provider.setOicdProvider(), which calls the function of that name in pkg/modules/auth/openid/openid.go

That function has

err = utils.RetryWithBackoff(fmt.Sprintf("OpenID Connect provider '%s'", p.Name), func() error {
  var providerErr error
  p.openIDProvider, providerErr = oidc.NewProvider(context.Background(), p.OriginalAuthURL)
  return providerErr
})

NewProvider is from the imported github.com/coreos/go-oidc/v3/oidc, here: https://github.com/coreos/go-oidc/blob/35b8e031bcac7fed73b96b09d42e6e233a6e6562/oidc/oidc.go#L238

It has

wellKnown := strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
req, err := http.NewRequest("GET", wellKnown, nil)

This is where the HTTP request that generates the log warnings above is issued. So for whatever reason the HTTP request is trying to use the webhook proxy. (Could it be the context.Background() passed in to NewProvider()?)

In pkg/models/webhooks.go, getWebhookHTTPClient() has this:

client.Transport = &http.Transport{
  Proxy: http.ProxyURL(proxyURL),
  ProxyConnectHeader: http.Header{
    "Proxy-Authorization": []string{"Basic " + base64.StdEncoding.EncodeToString([]byte("vikunja:"+config.WebhooksProxyPassword.GetString()))},
    "User-Agent":          []string{"Vikunja/" + version.Version},
  },
}

Does this somehow get pulled into oidc.NewProvider(context.Background(), p.OriginalAuthURL)?

Vikunja Version

Github main branch

Browser and version

Firefox & Chromium, both most recent update

Can you reproduce the bug on the Vikunja demo site?

No

Screenshots

Image: https://github.com/user-attachments/assets/cdf20804-5366-4c83-9599-b1891cd939b3


@kolaente commented on GitHub (Jan 24, 2026):

The webhook proxy config is not used explicitly in any other communication. It might get pulled in by accident but that would be a bug.

Can you verify that it works without the proxy?


@rhclayto commented on GitHub (Jan 24, 2026):

Yes, it works well with the proxy not being configured or used. It's strange.


@kolaente commented on GitHub (Jan 24, 2026):

It seems like this is due to all requests using the same client: https://github.com/go-vikunja/vikunja/pull/2145

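The diagnosis above (webhook delivery and OIDC discovery sharing one HTTP client) reproduced as an added Go example; this is not Vikunja's code or go-oidc's. Standard-library test servers stand in for the IdP, the webhook receiver and the egress proxy, so the egressProxy type, runScenario, the allow-list and the proxy credential are all assumptions of this example; discoverOIDC only imitates the well-known fetch that go-oidc's NewProvider performs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// egressProxy is a constructed stand-in for the "mole" proxy in the logs: an
// authenticating forward proxy that lets allow-listed hosts out and answers
// everything else with "Request rejected by proxy". It handles plain http://
// targets (absolute-form requests); a real one would also handle CONNECT.
type egressProxy struct {
	allowed   map[string]bool
	decisions []string // "<host> allow=<bool>" per request (requests are sequential here)
}

func (p *egressProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	allow := p.allowed[r.URL.Host]
	p.decisions = append(p.decisions, fmt.Sprintf("%s allow=%t", r.URL.Host, allow))
	switch {
	case r.Header.Get("Proxy-Authorization") == "":
		http.Error(w, "Proxy Authentication Required", http.StatusProxyAuthRequired)
	case !allow:
		http.Error(w, "Request rejected by proxy", http.StatusForbidden)
	default: // allowed: forward to the origin named in the absolute-form request URL
		out, _ := http.NewRequest(r.Method, r.URL.String(), r.Body)
		resp, err := http.DefaultTransport.RoundTrip(out)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body)
	}
}

// discoverOIDC does the first thing go-oidc's NewProvider does: fetch
// <issuer>/.well-known/openid-configuration with whatever client it is given.
func discoverOIDC(client *http.Client, issuer string) (string, error) {
	wellKnown := strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
	resp, err := client.Get(wellKnown)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("Get %q: %s", wellKnown, strings.TrimSpace(string(body)))
	}
	var doc struct{ Issuer string `json:"issuer"` }
	err = json.Unmarshal(body, &doc)
	return doc.Issuer, err
}

// sendWebhook posts a constructed event to the webhook target.
func sendWebhook(client *http.Client, target string) error {
	resp, err := client.Post(target, "application/json", strings.NewReader(`{"event":"task.created"}`))
	if err != nil {
		return err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("webhook %s: %s", target, resp.Status)
	}
	return nil
}

// runScenario stands up an IdP, a webhook receiver and the egress proxy, sends
// one webhook, then runs OIDC discovery. shared=true is the failure mode from the
// issue (webhook code installs its proxied transport on the client everyone uses).
func runScenario(shared bool) (webhookErr, oidcErr error, decisions []string) {
	idp := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, `{"issuer":"http://%s"}`, r.Host)
	}))
	defer idp.Close()
	receiver := httptest.NewServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})) // accepts anything
	defer receiver.Close()
	proxy := &egressProxy{allowed: map[string]bool{strings.TrimPrefix(receiver.URL, "http://"): true}}
	proxySrv := httptest.NewServer(proxy)
	defer proxySrv.Close()
	proxyURL, _ := url.Parse(proxySrv.URL)
	proxyURL.User = url.UserPassword("vikunja", "hypothetical-proxy-password")
	appClient := &http.Client{}     // used by login / OIDC discovery
	webhookClient := &http.Client{} // used by webhook delivery
	if shared {
		webhookClient = appClient // same object: the transport change below leaks
	}
	// Equivalent of the issue's getWebhookHTTPClient(): force webhook traffic through
	// the proxy. For http targets Go sends the URL userinfo as Proxy-Authorization.
	webhookClient.Transport = &http.Transport{Proxy: http.ProxyURL(proxyURL)}
	webhookErr = sendWebhook(webhookClient, receiver.URL)
	_, oidcErr = discoverOIDC(appClient, idp.URL)
	return webhookErr, oidcErr, proxy.decisions
}
```

In the shared case the discovery request carries the webhook proxy's credential and is refused by the proxy's allow-list, which is the `Get "...": Request rejected by proxy` shape seen in the issue logs; with separate clients only the webhook crosses the proxy. Two practical notes: go-oidc lets the caller pin the client that discovery uses with `oidc.ClientContext(ctx, client)` rather than relying on whatever transport the default or shared client happens to carry, and the fix has to go in this direction (give webhooks their own proxied client), not the other way round, since dropping the proxy from a shared client would let user-supplied webhook URLs leave the host without the egress policy the proxy is there to enforce.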

@vikunja-bot-app[bot] commented on GitHub (Jan 24, 2026):

This issue has been fixed in #2145, please check with the next unstable build (should be ready for deployment in ~30min, also on the demo: https://try.vikunja.io).

Reference: github-starred/vikunja#6556