oidc: Cross-site POST form submissions are forbidden #64
Comments
Can you test pr-67 and see if that fixes the issue? I've updated the CORS configuration to properly handle this scenario (hopefully) by allowing credentials and the necessary CORS headers.

I've run OIDC with tailscale serve without any issues since day one though, so kind of interesting. Using auth0, so external provider however.
I've just tested and the error is gone. However, I do not get logged in. I just get back to the login page. The only log entry I get while going through the flow is
I fired up a pocket-id instance to debug this further, and I believe I figured it out. pocket-id does not include token expiry times in their responses. This caused authentication to fail, as the session immediately expired!

10:41AM INFO Starting server address=[::]:8080 database=./data/dashbrr.db mode=debug
10:41AM DEBUG initializing auth handler issuer=https://pocketid.dusty-sofa.ts.net/
10:41AM DEBUG OIDC discovery successful issuer=https://pocketid.dusty-sofa.ts.net well_known_url=https://pocketid.dusty-sofa.ts.net/.well-known/openid-configuration
10:41AM DEBUG using discovered endpoints auth_url=https://pocketid.dusty-sofa.ts.net/authorize token_url=https://pocketid.dusty-sofa.ts.net/api/oidc/token
10:41AM INFO initiating login flow
10:41AM DEBUG received callback has_code=true state=a7383699b141a74756af8e6d892903d1
10:41AM DEBUG exchanging code for token
10:41AM DEBUG token exchange completed token_received=true
10:41AM DEBUG token had no expiry, assigned default 24 hours assigned_expiry=2024-11-28T10:41:21+01:00
10:41AM DEBUG session stored in cache expires_at=2024-11-28T10:41:21+01:00 session_key_prefix=oidc:session
10:41AM DEBUG Loading configuration from database display_name=Overseerr instance=overseerr-1
10:41AM DEBUG Loading configuration from database display_name=Tailscale instance=tailscale-1
10:41AM DEBUG Loading configuration from database display_name=Autobrr instance=autobrr-1
........
Is this an issue with pocket-id (I can file an issue there), or is this allowed by OIDC? And thanks for figuring it out!
From what I understand, they are correctly sending expiry for id_token (mandatory), but not for access_token (optional), so this was more of a bug on our end I'd say. Thanks for bringing pocket-id to my attention by the way! I will start using this myself from now on 👍
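As an added example (not dashbrr's or pocket-id's code), this is how a Go relying party can avoid the failure discussed above: when the token response omits `expires_in` the access-token expiry is the zero time, so the session lifetime falls back to the ID token's mandatory `exp` claim and only then to a fixed default. The function names, the default TTL and the RFC reference are my assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// DefaultSessionTTL is a fallback used only when neither token carries an
// expiry (hypothetical value, not dashbrr's own setting).
const DefaultSessionTTL = 24 * time.Hour

// idTokenExp reads the mandatory "exp" claim from an ID token. It decodes the
// payload only; signature verification is assumed to have happened earlier.
func idTokenExp(idToken string) (time.Time, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("id_token is not a compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, err
	}
	var claims struct {
		Exp int64 `json:"exp"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return time.Time{}, err
	}
	if claims.Exp == 0 {
		return time.Time{}, errors.New("id_token has no exp claim")
	}
	return time.Unix(claims.Exp, 0), nil
}

// SessionExpiry picks the session lifetime for a freshly exchanged token set.
// accessExpiry is the zero time when the response omitted expires_in (allowed
// by RFC 6749); treating that as "already expired" is the bug seen above.
func SessionExpiry(accessExpiry time.Time, idToken string, now time.Time) time.Time {
	if !accessExpiry.IsZero() {
		return accessExpiry
	}
	if exp, err := idTokenExp(idToken); err == nil && exp.After(now) {
		return exp
	}
	return now.Add(DefaultSessionTTL)
}
```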
Describe the bug
I am trying to configure dashbrr to use pocket-id hosted in the same kubernetes cluster for OIDC auth. Both pocket-id and dashbrr are behind an ingress proxy that handles https termination and load-balancing.
OIDC_ISSUER is set to the https URL of pocket-id (https://pid.example.com) and OIDC_REDIRECT_URL is set to the dashbrr callback URL (https://dashbrr.example.com/api/auth/callback). There is a dashbrr app in pocket-id and OIDC_CLIENT_ID and OIDC_CLIENT_SECRET are set to the correct values. When I try the flow, after I login from pocket-id and it redirects my browser to dashbrr, I see this error in the dashbrr log:
To Reproduce
Steps to reproduce the behavior:
Expected behavior
OIDC login should work.
Desktop (please complete the following information):
Operating System: Arch Linux
KDE Plasma Version: 6.2.3
KDE Frameworks Version: 6.8.0
Qt Version: 6.8.0
Kernel Version: 6.12.1-2-cachyos (64-bit)
Graphics Platform: Wayland
Processors: 32 × AMD Ryzen 9 7950X3D 16-Core Processor
Memory: 62.4 GiB of RAM
Graphics Processor: NVIDIA GeForce RTX 4090/PCIe/SSE2
Manufacturer: ASUS