Bug Summary
Unable to login using OIDC (Pocket ID), no config changes
Description
Maybe this is related to #4044 ?
My Miniflux and Pocket ID docker instances are behind a reverse proxy (NPM Plus), use CloudFlare and have public FQDNs.
Recently, the ability to login using OIDC stopped working despite no configuration changes on any of the components.
Other services that use OIDC are working fine, but I'm stumped with Miniflux.
It looks to me like the reason is the IP mismatch between what Miniflux gets via the browser from OIDC, and itself in the backend:
level=WARN msg=Forbidden client_ip=77.1xx.xxx.xxx request.method=GET request.uri="/oauth2/oidc/callback?code=<redacted>&state=<redacted>&iss=https<redacted>" request.user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.4 Safari/605.1.15" response.status_code=403
URL: https://<redacted>/oauth2/oidc/callback?code=<redacted>&state=<redacted>&iss=https<redacted>
Status: 403
Source: Network
Address: 104.2x.xxx.xxx:443
Earlier I also saw the internal IP addresses being used, so I've added TRUSTED_REVERSE_PROXY_NETWORKS=172.17.0.0/16 to env.
I've tried adding the following headers to the nginx config, but the issue remains
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
Steps to Reproduce
- Miniflux and Pocket ID behind reverse proxy
- Configure Cloudflare
Expected Behavior
I should be able to login, as I was able to login before.
Actual Behavior
Alt-Svc: h3=":443"; ma=86400
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
cf-cache-status: DYNAMIC
cf-ray: 9ef3164498c1c231-TLV
Content-Length: 16
Content-Type: text/html; charset=utf-8
Date: Mon, 20 Apr 2026 09:22:52 GMT
nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
Priority: u=0,i
Referrer-Policy: no-referrer
Server: cloudflare
Server-Timing: cfCacheStatus;desc="DYNAMIC", cfEdge;dur=3,cfOrigin;dur=306, cfExtPri
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
x-dns-prefetch-control: off
X-Frame-Options: SAMEORIGIN
x-permitted-cross-domain-policies: none
Access Forbidden
Version
2.2.19@26d9195d
Browser
Safari, Chromium
Relevant Logs or Error Output
Additional Context
No response
Checklist
Bug Summary
Unable to login using OIDC (Pocket ID), no config changes
Description
Maybe this is related to #4044 ?
My Miniflux and Pocket ID docker instances are behind a reverse proxy (NPM Plus), use CloudFlare and have public FQDNs.
Recently, the ability to login using OIDC stopped working despite no configuration changes on any of the components.
Other services that use OIDC are working fine, but I'm stumped with Miniflux.
It looks to me like the reason is the IP mismatch between what Miniflux gets via the browser from OIDC, and itself in the backend:
Earlier I also saw the internal IP addresses being used, so I've added
TRUSTED_REVERSE_PROXY_NETWORKS=172.17.0.0/16to env.I've tried adding the following headers to the nginx config, but the issue remains
Steps to Reproduce
Expected Behavior
I should be able to login, as I was able to login before.
Actual Behavior
Version
2.2.19@26d9195d
Browser
Safari, Chromium
Relevant Logs or Error Output
Additional Context
No response
Checklist