[GH-ISSUE #3183] OIDC - OpenId Connect authentication fail for application behind NGINX #2157

Open
opened 2026-02-26 07:34:16 +03:00 by kerem · 7 comments

Originally created by @slysiou on GitHub (Sep 6, 2023).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3183

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    Yes
  • Are you sure you're not using someone else's docker image?
    Yes
  • Have you searched for similar issues (both open and closed)?
    Yes

Describe the bug
NGINX Proxy Manager is facing the internet. I tried to use OpenID Connect for authentication behind it.
Internet --- NGINX proxy manager --- APISIX with openid-connect --- Web app
Keycloak is used as the OIDC server.

I tried to use APISIX to manage the authentication (behind NGINX Proxy Manager) without success.
https://github.com/apache/apisix/issues/10149
We came to the conclusion that it was a cookie issue with cross-site access.
But the Keycloak cookie is set properly, and I didn't find this anywhere in NGINX Proxy Manager:
'set $session_cookie_samesite Strict;'
If I bypass NGINX Proxy Manager with ngrok tunnelling, callback authentication works.

So, I tried with a small nodejs app directly behind NGINX Proxy Manager to simplify the problem.
I get the same issue. The callback to the app cannot be decoded properly; some information is missing.

Nginx Proxy Manager Version
v2.10.4

To Reproduce
This is the nodejs code:

```javascript
const express = require('express')
const { auth } = require('express-openid-connect');
require('dotenv').config()

const path = require('path')

const app = express()
const port = process.env.NODEPORT

// express-openid-connect handles /login, /callback and /logout and keeps the
// session (including the id_token) in an encrypted cookie.
app.use(auth({
    issuerBaseURL: process.env.ISSUER_BASE_URL,
    clientID: process.env.CLIENT_ID,
    clientSecret: process.env.CLIENT_SECRET,
    baseURL: process.env.BASE_URL,
    secret: process.env.SECRET,
    authorizationParams: {
        response_type: 'code',
        audience: process.env.BASE_URL,
        scope: 'openid',
    },
    idpLogout: true,
    auth0Logout: true
  }))

app.use(express.static(path.join(__dirname, 'htdocs')))

// Authenticated route: prints the claims of the logged-in user.
app.get('/profile', async (req, res) => {
    res.send(`hello ${JSON.stringify(req.oidc.user, null, 2)}`);
});

app.listen(port, () => {
  console.log(`Server listening on port ${port}`)
})
```
  1. Go to the app's external URL <BASE_URL>.
  2. It redirects to the login page on Keycloak.
  3. When the user's credentials are accepted, the callback goes to:
     <BASE_URL>/callback?state=eyJyZXR1cm5UbyI6Ii8ifQ&session_state=a7fd9407-e2c3-474c-8625-117276ed6bc0&code=a10612fc-664f-41f5-aaa3-9900d38433eb.a7fd9407-e2c3-474c-8625-117276fc6bc0.ab703194-4f67-4d9e-8a26-eff7867dc310
     and the page shows:

```
502 Bad Gateway
_______________
openresty
```

Operating System
Linux Debian


@github-actions[bot] commented on GitHub (Apr 6, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍


@kmdeveloping commented on GitHub (Nov 5, 2024):

I am also seeing this issue with AzureAd auth

Setup
Public -> NPM -> Blazor Docker App

502 bad gateway response when auth call back is returned at /signin-oidc

Some research suggests default payload size is 4kb and may need to be bumped up.


@mreic commented on GitHub (Jun 26, 2025):

> I am also seeing this issue with AzureAd auth
>
> Setup Public -> NPM -> Blazor Docker App
>
> 502 bad gateway response when auth call back is returned at /signin-oidc
>
> Some research suggests default payload size is 4kb and may need to be bumped up.

Could you solve that issue?
I ran into this also and cannot find any solution.


@kmdeveloping commented on GitHub (Jun 26, 2025):

I added this to the advanced config section to increase payload size.

Image: https://github.com/user-attachments/assets/b7236ce5-6baa-4983-b8a4-bec25749d676


@mreic commented on GitHub (Jun 27, 2025):

Okay, thank you. I tried, and it solved the 502 error, but login over OAuth did not work anyway.


@kmdeveloping commented on GitHub (Jun 27, 2025):

What is your app stack? Are you saying it did not work due to Nginx proxy manager? Maybe if you have logs or code to show, some can help get things moving.


@fapo85 commented on GitHub (Dec 8, 2025):

Here is a nice-to-copy version of the screenshot.
This solved the problem for me.

```
proxy_busy_buffers_size 512k;
proxy_buffers 4 512k;
proxy_buffer_size 256k;
```

My tech stack is a dotnet backend service and Authentik as an IDP.

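Added example, not from the thread or from NGINX Proxy Manager: it models why the callback 502s (nginx must fit the upstream's status line and headers into one `proxy_buffer_size` buffer, 4k by default, and an OIDC session cookie carrying an id_token can exceed that) and checks the buffer directives quoted above against nginx's own consistency rules. The directive values are the ones from the thread; the callback response headers are constructed.

```javascript
// Added example (not from the thread): the directive values are the ones quoted above,
// the callback response below is constructed.
function parseSize(s) {
  const m = /^(\d+)([kKmM]?)$/.exec(s.trim());
  if (!m) throw new Error(`bad nginx size: ${s}`);
  return Number(m[1]) * { '': 1, k: 1024, m: 1048576 }[m[2].toLowerCase()];
}

// Pull the proxy buffer directives out of an NPM "advanced config" snippet,
// falling back to nginx's 4k-page defaults when a directive is absent.
function parseProxyBuffers(conf) {
  const arg = (name) => {
    const m = new RegExp(`\\b${name}\\s+([^;]+);`).exec(conf);
    return m ? m[1].trim().split(/\s+/) : null;
  };
  const size = arg('proxy_buffer_size'), bufs = arg('proxy_buffers'), busy = arg('proxy_busy_buffers_size');
  const b = {
    bufferSize: size ? parseSize(size[0]) : 4096,
    buffersCount: bufs ? Number(bufs[0]) : 8,
    buffersEach: bufs ? parseSize(bufs[1]) : 4096,
  };
  b.busy = busy ? parseSize(busy[0]) : 2 * b.bufferSize; // nginx default: twice proxy_buffer_size
  return b;
}

// nginx refuses to start on an inconsistent combination; mirror its two checks.
function bufferConfigErrors(b) {
  const errs = [];
  if (b.busy < Math.max(b.bufferSize, b.buffersEach))
    errs.push('proxy_busy_buffers_size below max(proxy_buffer_size, one proxy_buffers buffer)');
  if (b.busy > (b.buffersCount - 1) * b.buffersEach)
    errs.push('proxy_busy_buffers_size exceeds all proxy_buffers minus one buffer');
  return errs;
}

// nginx reads the upstream status line, headers and blank line (CRLF-terminated) into
// a single proxy_buffer_size buffer; anything larger is "upstream sent too big header" -> 502.
function upstreamHeaderBytes(statusLine, headers) {
  return Buffer.byteLength([statusLine, ...headers, '', ''].join('\r\n'));
}
function fitsInBuffer(statusLine, headers, conf) {
  return upstreamHeaderBytes(statusLine, headers) <= parseProxyBuffers(conf).bufferSize;
}

// Constructed callback response: the encrypted appSession cookie (id_token inside) has outgrown 4k.
const callbackHeaders = [
  'Location: /',
  'Set-Cookie: appSession=' + 'A'.repeat(4500) + '; Path=/; HttpOnly; Secure; SameSite=Lax',
];
const threadConfig = 'proxy_busy_buffers_size 512k; proxy_buffers 4 512k; proxy_buffer_size 256k;';
```

With an empty advanced config the constructed callback does not fit the 4k default and nginx answers 502; with the three directives from the thread it fits and the directives pass both of nginx's sanity checks.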