Getting "State cookie missing" when tryin to uise OIDC login

[jfisbein]

I configured my dockman instance to use OIDC, similarly to other applications. but when I'm redirected back from the OIDC server to dockman I only see the message "State cookie missing".

What I'm doing wrong?

Extra info:

• Dockan latest version (3.1.0)
  • Running in internal host using docker and accesed by http.
• OIDC Server Pocket ID
  • Running in public domain with https certificate.

[RA341]

Mixing http and https can cause issues

try running dockman with a https domain as well

What are the logs in the server and the browser when the error occurs

[jfisbein]

Server logs:
ERR Unable to verify token error="record not found"

In the browser

[RA341]

what exactly is the OIDC url for config

it should be https not http

[jfisbein]

This is my OIDC configuration:

DOCKMAN_AUTH_ENABLE=true
DOCKMAN_AUTH_OIDC_ENABLE=true
DOCKMAN_AUTH_OIDC_ISSUER=https://auth.mydomain.top
DOCKMAN_AUTH_OIDC_CLIENT_ID=c******************d
DOCKMAN_AUTH_OIDC_CLIENT_SECRET=l*******************l
DOCKMAN_AUTH_OIDC_REDIRECT_URL=http://dockge.fritz.box:8866/api/auth/login/oidc/callback

(modified some data for privacy)

As you can see my oidc server is using https.
Am I missing any config parameter?

[RA341]

Try using https instead of http for DOCKMAN_AUTH_OIDC_REDIRECT_URL

[jfisbein]

My server is only locally accessible and does not have HTTPS. I use a similar configuration (HTTP, not HTTPS) for other services (Tugtainer, PGAdmin, ...), and I don't have any issues.
AFAIK, there's no limitation in the RFC about the OIDC callback url to have to be https.

[RA341]

found the reason; when using oidc, dockman sets a cookie that is https only and is needed to complete the flow

So on a http instance the cookie is never set.

So until I can add a flag to disable this, you can't use oidc on a http instance

[jfisbein]

Nice! Thanks for investigating! I will wait for the fixed version.

[RA341]

issue here #174 if you want to keep track

[RA341]

using the canary image (don't use this image on your existing setup, it may contain bugs)

ghcr.io/ra341/dockman:canary

and set

DOCKMAN_AUTH_OIDC_SECURE=false

see if it works

[jfisbein]

Using canary with DOCKMAN_AUTH_OIDC_SECURE=false works. Thank you very much.
No hurry, but do you happen to have a planned release date?

[RA341]

probably in 1 or 2 weeks