Skip to content

[Bug]: Getting "Access Forbidden" with Pocket-ID OIDC #4259

Description

@hxii

Bug Summary

Unable to login using OIDC (Pocket ID), no config changes

Description

Maybe this is related to #4044 ?

My Miniflux and Pocket ID docker instances are behind a reverse proxy (NPM Plus), use CloudFlare and have public FQDNs.
Recently, the ability to login using OIDC stopped working despite no configuration changes on any of the components.
Other services that use OIDC are working fine, but I'm stumped with Miniflux.

It looks to me like the reason is the IP mismatch between what Miniflux gets via the browser from OIDC, and itself in the backend:

level=WARN msg=Forbidden client_ip=77.1xx.xxx.xxx request.method=GET request.uri="/oauth2/oidc/callback?code=<redacted>&state=<redacted>&iss=https<redacted>" request.user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.4 Safari/605.1.15" response.status_code=403
URL: https://<redacted>/oauth2/oidc/callback?code=<redacted>&state=<redacted>&iss=https<redacted>
Status: 403
Source: Network
Address: 104.2x.xxx.xxx:443

Earlier I also saw the internal IP addresses being used, so I've added TRUSTED_REVERSE_PROXY_NETWORKS=172.17.0.0/16 to env.

I've tried adding the following headers to the nginx config, but the issue remains

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;

Steps to Reproduce

  1. Miniflux and Pocket ID behind reverse proxy
  2. Configure Cloudflare

Expected Behavior

I should be able to login, as I was able to login before.

Actual Behavior

Alt-Svc: h3=":443"; ma=86400
Cache-Control: no-cache, max-age=0, must-revalidate, no-store
cf-cache-status: DYNAMIC
cf-ray: 9ef3164498c1c231-TLV
Content-Length: 16
Content-Type: text/html; charset=utf-8
Date: Mon, 20 Apr 2026 09:22:52 GMT
nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
Priority: u=0,i
Referrer-Policy: no-referrer
Server: cloudflare
Server-Timing: cfCacheStatus;desc="DYNAMIC", cfEdge;dur=3,cfOrigin;dur=306, cfExtPri
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
x-dns-prefetch-control: off
X-Frame-Options: SAMEORIGIN
x-permitted-cross-domain-policies: none

Access Forbidden

Version

2.2.19@26d9195d

Browser

Safari, Chromium

Relevant Logs or Error Output

Additional Context

No response

Checklist

  • I have searched existing issues to ensure this bug hasn't been reported before.

Metadata

Metadata

Assignees

No one assigned

    Type

    Fields

    No fields configured for Bug.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions