🐛 Bug Report: Redirect URL can be changed while logging in #271

Closed
opened 2025-07-08 08:44:09 -04:00 by AtHeartEngineer · 0 comments

Originally created by @alex3305 on 4/6/2025

Reproduction steps

I have set up SSO on my primary domain and subdomains. Authentication and authorization are done through Caddy Security, where Pocket ID acts as the IdP. This setup works reasonably well. But sometimes when I want to log in on one of my subdomains, let's say adguard.example.com, I actually get redirected to the SABnzbd API: sabnzbd.example.com/api?apikey=XVrONFGjv90jhatgUipC3FE7DGZZMwh6&mode=queue&output-json.

I suspect this happens because I have the SABconnect++ browser extension installed which triggers an authentication event while I'm logging in.

While setting up - and migrating from Dex - I read somewhere that a redirect parameter or cookie is used. I'm not 100% sure if it was somewhere in Pocket ID's docs or Caddy Security. But I suspect that this value is overwritten because of the login timing of Pocket ID. Why Pocket ID? Because when I used Dex, login was practically instantaneous. Or because the browser plugin just cannot authenticate without user interaction.

Expected behavior

When I authenticate with Pocket ID, I should be redirected to the expected redirect URL that I initiated.

Actual Behavior

I get redirected to a URL that I did not expect because of a browser plugin.

Version and Environment

  • Caddy v2.9.1 with the latest Caddy Security
  • Pocket ID v0.45.0
  • Brave browser 1.77.95 Chromium: 135.0.7049.52 (Official build) (64-bit)
  • SABconnect++ (but also happened with Linkding when I added that service behind Caddy Auth)

Log Output

No response
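The race the reporter suspects (a single post-login "return to" value for the whole browser session, overwritten when the extension's background request starts a second login) can be modelled directly. The following is an added example, not code from Pocket ID, Caddy Security or the reporter, and it assumes nothing about how either project actually stores the redirect: `sharedSlotStore`, `stateKeyedStore`, `NewStateKeyedStore`, `RunScenario` and the sample targets are hypothetical names constructed for the illustration. It contrasts the suspected one-slot store with one that binds the redirect to the OAuth `state` nonce of its own authorization request and only accepts targets on an allowlist of protected hosts, so a concurrent login cannot change where the user lands.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/url"
)

// Constructed sample targets for the scenario; the API key is a placeholder.
const (
	UserTarget      = "https://adguard.example.com/"
	ExtensionTarget = "https://sabnzbd.example.com/api?apikey=REDACTED&mode=queue&output=json"
)

// newState returns a random per-request OAuth "state" nonce.
func newState() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// sharedSlotStore models the suspected failure mode: one "return to" value for
// the whole browser session, overwritten by whichever login started last and
// read back on the callback regardless of which login it completes.
type sharedSlotStore struct{ redirect string }

func (s *sharedSlotStore) Begin(target string) string {
	s.redirect = target
	return newState()
}

func (s *sharedSlotStore) Finish(_ string) string {
	r := s.redirect
	s.redirect = ""
	return r
}

// stateKeyedStore binds each redirect to the state nonce of its own
// authorization request, so a concurrent login cannot clobber it, and only
// accepts https targets on an allowlist of protected hosts. (Hypothetical;
// a real store would also need locking and expiry of abandoned entries.)
type stateKeyedStore struct {
	pending map[string]string // state -> redirect
	allowed map[string]bool   // hosts a post-login redirect may point at
}

func NewStateKeyedStore(allowedHosts ...string) *stateKeyedStore {
	s := &stateKeyedStore{pending: map[string]string{}, allowed: map[string]bool{}}
	for _, h := range allowedHosts {
		s.allowed[h] = true
	}
	return s
}

func (s *stateKeyedStore) Begin(target string) (string, error) {
	u, err := url.Parse(target)
	if err != nil || u.Scheme != "https" || !s.allowed[u.Host] {
		return "", fmt.Errorf("redirect target %q not allowed", target)
	}
	st := newState()
	s.pending[st] = target
	return st, nil
}

// Finish looks the redirect up by the state echoed on the callback and
// consumes it, so each state can complete at most one login.
func (s *stateKeyedStore) Finish(state string) (string, error) {
	r, ok := s.pending[state]
	if !ok {
		return "", fmt.Errorf("unknown or already-used state")
	}
	delete(s.pending, state)
	return r, nil
}

// RunScenario replays the reported sequence against both stores: the user
// starts a login for AdGuard, the extension starts one for SABnzbd in the
// background, then the user's IdP callback arrives first.
func RunScenario() (sharedResult, keyedResult string) {
	shared := &sharedSlotStore{}
	userState := shared.Begin(UserTarget)
	shared.Begin(ExtensionTarget) // background request clobbers the slot
	sharedResult = shared.Finish(userState)

	keyed := NewStateKeyedStore("adguard.example.com", "sabnzbd.example.com")
	userState, _ = keyed.Begin(UserTarget)
	keyed.Begin(ExtensionTarget) // pending under its own state; user's entry untouched
	keyedResult, _ = keyed.Finish(userState)
	return sharedResult, keyedResult
}

func main() {
	s, k := RunScenario()
	fmt.Println("shared slot store sent the user to:", s)
	fmt.Println("state-keyed store sent the user to:", k)
}
```

Running it sends the user to the SABnzbd API URL with the shared slot and to the AdGuard URL with the state-keyed store; the extension's own login stays pending under its own state until it completes or expires. The allowlist matters independently of the race: a post-login redirect taken from an unvalidated parameter or cookie is an open redirect, and, as the report shows, the clobbered target here carried an API key in the query string.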

Reference: github/pocket-id#271