OIDC login button only works when "opened in new tab"
I don't know if this issue is related to some other fiddling I did or to the update to 0.17: Whatever, even with a newly set up instance, I am no longer able to log in with OIDC (with the same configuration that worked before). Existing user sessions still work.
Browser console shows the following error when clicking on the OIDC provider as configured in PocketDB:
Which OIDC provider are you using? Can you see any logs in the containers or in PocketBase?
I'm experiencing no issues with GitHub OIDC on the demo instance.
Looking further into it, this might be a problem on my side, not related to my OIDC-provider Authentik: Whenever I open the Wanderer site from my external host, not even starting the login process, the browser console shows an error like
127.0.0.1:8090/api/realtime:1 GET http://127.0.0.1:8090/api/realtime net::ERR_CONNECTION_REFUSED
This is the (internal) address of my Pocketbase instance the browser is trying to reach. It is also the content of the env variable PUBLIC_POCKETBASE_URL, as you can change the 127.0.0.1 to localhost and see that the browser now tries to reach localhost.
Reason: I did not want to expose the database to the internet, and thought it would be enough when wanderer-web is able to reach wanderer-db over the internal podman network. So IMHO it's wrong when the browser tries to reach some address on localhost, which will obviously fail.
Relevant env variables:
ORIGIN=external.domain:port #in both web- and db-container
PUBLIC_POCKETBASE_URL=http://127.0.0.1:8090
Disclaimer: I don't do the official setup, but did use a podman pod for all three services. So all three services can reach each other over localhost or 127.0.0.1
So - do I have to expose the database to the external internet?
I reverted wanderer-web to tag 0.16.5 and the error with the browser trying to access the local pocketbase url is no longer there. I'm now also able to log in again, both with OIDC and local - but this probably was not the real problem.
Your browser trying to reach your pocketbase on localhost is likely not the cause of your OIDC issues. In v0.17.0, I added a client-side pocketbase client that tries to connect to the database to show real-time notifications. If you did not expose PocketBase this connection fails. But it should not affect any other functionality. On the demo instance, you will see the same logs.
OK, I re-changed the title :-).
Situation:
wanderer-web 0.16.5: everything works fine
wanderer-web 0.17.0: The OIDC login button does not do anything
back to 0.16.5: everything works again
My podman pods (without the search container, I think that one is OK):
::::::::::::::
wanderer.pod
::::::::::::::
[Unit]
Description=Podman pod: wanderer
[Service]
Restart=always
[Pod]
PodName=wanderer-pod
PublishPort=9070:3000 #WebUI, to be proxied by Caddy
PublishPort=9071:8090 #DB, only published in order to be able to access the db ui internally
[Install]
WantedBy=multi-user.target
::::::::::::::
wanderer-db.container
::::::::::::::
[Unit]
Description=Podman container: wanderer-db
[Service]
Restart=always
[Container]
Pod=wanderer.pod
AutoUpdate=registry
ContainerName=wanderer-db
EnvironmentFile=/srv/wanderer/env #the MEILI-stuff
Environment=POCKETBASE_ENCRYPTION_KEY=xxxx
Environment=ORIGIN=https://external.host:wandererport
Volume=/srv/wanderer/db:/pb_data
Image=docker.io/flomp/wanderer-db
::::::::::::::
wanderer-web.container
::::::::::::::
[Unit]
Description=Podman container: wanderer-web
[Service]
Restart=always
[Container]
Pod=wanderer.pod
AutoUpdate=registry
ContainerName=wanderer-web
Environment=ORIGIN=https://external.host:wandererport
Environment=BODY_SIZE_LIMIT=Infinity
Environment=PUBLIC_POCKETBASE_URL=http://127.0.0.1:8090
Environment=PUBLIC_PRIVATE_INSTANCE=true
Environment=PUBLIC_DISABLE_SIGNUP=true
Environment=UPLOAD_FOLDER=/autoimport
EnvironmentFile=/srv/wanderer/env #the MEILI-stuff
Volume=/srv/wanderer/db:/pb_data
Volume=/mnt/storage/import/Wanderer:/autoimport
Image=docker.io/flomp/wanderer-web
When going to the login page, the browser shows the following errors:
The login button is supposed to call the following url, which looks ok IMHO (and is structured the same in 0.16.5 and 0.17.0):
https://external.host:authentikport/application/o/authorize/?client_id=xxxx&code_challenge=xxxx&code_challenge_method=S256&response_type=code&scope=openid+email+profile&state=xxxx&redirect_uri=https://external.host:wandererport/login/redirect
Clicking this button seems to do nothing, however.
OK, the solution is simple: Don't left-click on the OIDC provider link on the login page, but use right-click and "open in new tab", and, voila, the new tab starts the authentication flow... (I'm using Brave as browser.)
Strange. Could you look in the PocketBase logs in the dashboard to see if there are some clues there?
The PocketBase logs show a lot of entries tagged "INFO", but no hint why left button does not work but "open in new tab" does.
I have the same problem (0.17.1) and I have seen that the OIDC login button is only working when PUBLIC_PRIVATE_INSTANCE is set to False. If set to True, the button doesn't work (unless right-click and open in a new tab).
https://github.com/Flomp/wanderer/commit/68f36dbf0cff77f7f570d0c04bd9f1b1769f347d
This fixes the issue for private instances. But I'm not sure if this is not a separate issue.
For my private instance this bug is still present with 0.17.2.
Still a problem with 0.18.3
I changed the title to reflect the problem correctly. However, I get the impression that development of this great little app has stalled :-( ?
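An added example, not part of the thread or of wanderer's code: a small check over Quadlet units like the ones posted above. It reports PUBLIC_* URLs that a remote browser would resolve to its own loopback (the /api/realtime error discussed earlier) and PublishPort entries without a host address, which Podman binds on all interfaces. The sample unit text is constructed from the thread (the numeric ORIGIN port is made up), and the function and finding names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample, condensed from the units quoted in the thread.
SAMPLE_UNITS = """\
[Pod]
PodName=wanderer-pod
PublishPort=9070:3000 #WebUI, to be proxied by Caddy
PublishPort=9071:8090 #DB
[Container]
Environment=ORIGIN=https://external.host:8443
Environment=PUBLIC_POCKETBASE_URL=http://127.0.0.1:8090
Environment=PUBLIC_PRIVATE_INSTANCE=true
"""

def is_loopback(host):
    """True for 'localhost' and any loopback IP literal."""
    if not host:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # an ordinary DNS name
        return False

def lint_units(text):
    """Return (finding, detail) tuples for the two conditions described above."""
    findings, env = [], {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()  # drop the trailing notes used in the thread
        key, _, value = line.partition("=")
        if key == "Environment":
            name, _, val = value.partition("=")
            env[name] = val
        elif key == "PublishPort":
            # Forms: "ctr", "host:ctr", "ip:host:ctr"; only the last pins an address.
            host_ip = value.rsplit(":", 2)[0] if value.count(":") >= 2 else ""
            if host_ip in ("", "0.0.0.0", "[::]"):
                findings.append(("published-on-all-interfaces", value))
    origin_host = urlsplit(env.get("ORIGIN", "")).hostname
    for name, val in env.items():
        # PUBLIC_* values are sent to the browser, so the URL is resolved there.
        if name.startswith("PUBLIC_") and "://" in val:
            if is_loopback(urlsplit(val).hostname) and not is_loopback(origin_host):
                findings.append(("browser-unreachable-url", name))
    return findings

if __name__ == "__main__":
    for finding in lint_units(SAMPLE_UNITS):
        print(*finding)
```
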