[GH-ISSUE #662] Can't Log in with OIDC #515

Open
opened 2026-02-25 21:32:05 +03:00 by kerem · 1 comment

Originally created by @AtomicDude on GitHub (May 31, 2025).
Original GitHub issue: https://github.com/ciur/papermerge/issues/662

Originally assigned to: @ciur on GitHub.

**Description**
Hello, I've followed the instructions on setting up OIDC authentication, but no matter what I do the button "Login with OIDC" doesn't appear.
I'm using Authelia as my provider, but I've also tried using Keycloak.
The normal authentication doesn't work either when the OIDC is enabled.
There are no errors in the logs when starting up.

**Info:**

- Papermerge Version 3.5.1
- Keycloak Version 24.0.2 and 26.2.5
- Authelia 4.39.4
docker compose:

```yaml
services:
  web_app:
    image: papermerge/papermerge:3.5.1
    hostname: papermerge
    networks:
      - papermerge
      - nginx-overlay
    environment:
      - UID=1000
      - GID=10000
      - PAPERMERGE__MAIN__TIMEZONE=Europe/Bucharest
      - PAPERMERGE__SECURITY__SECRET_KEY=my-secret-key
      - PAPERMERGE__AUTH__USERNAME=bender
      - PAPERMERGE__AUTH__EMAIL=bender@mail.com
      - PAPERMERGE__AUTH__PASSWORD=admin
      - PAPERMERGE__OCR__DEFAULT_LANG_CODE=ron
      - PAPERMERGE__OCR__LANG_CODES="eng,ron"
      - PAPERMERGE__DATABASE__URL=postgresql://coco:jumbo@papermerge_db:5432/pmgdb
      - PAPERMERGE__REDIS__URL=redis://papermerge_redis:6379/0
      - PAPERMERGE__MAIN__MEDIA_ROOT=/var/media/pmg
      - PAPERMERGE__AUTH__OIDC_CLIENT_SECRET=my-secret
      - PAPERMERGE__AUTH__OIDC_CLIENT_ID=papermerge_oidc
      - PAPERMERGE__AUTH__OIDC_AUTHORIZE_URL=https://authelia.my.domain/api/oidc/authorization
      - PAPERMERGE__AUTH__OIDC_ACCESS_TOKEN_URL=https://authelia.my.domain/api/oidc/token
      - PAPERMERGE__AUTH__OIDC_INTROSPECT_URL=https://authelia.my.domain/api/oidc/introspection
      - PAPERMERGE__AUTH__OIDC_USER_INFO_URL=https://authelia.my.domain/api/oidc/userinfo
      - PAPERMERGE__AUTH__OIDC_LOGOUT_URL=https://authelia.my.domain/api/oidc/revocation
      - PAPERMERGE__AUTH__OIDC_SCOPE="openid email profile name"
      - PAPERMERGE__AUTH__OIDC_REDIRECT_URL=https://papermerge.my.domain/oidc/callback
    volumes:
      - /mnt/nas/documents/papermerge:/var/media/pmg
    depends_on:
      - db
      - redis
    deploy:
      placement:
          constraints:
          - node.hostname==docker-containers
      restart_policy:
          condition: any
          delay: 5s
          max_attempts: 3
          window: 120s
```

authelia client config:

```yaml
client_id: 'papermerge_oidc'
client_name: 'Papermerge'
client_secret: '$pbkdf2-secret-digest'
public: false
authorization_policy: one_factor
introspection_endpoint_auth_method: client_secret_post
scopes:
  - 'openid'
  - 'profile'
  - 'email'
  - 'groups'
redirect_uris:
  - https://papermerge.my.domain/oidc/callback
```

The only error that I see in authelia's log is when I'm trying to log in using the superuser account:

```json
{"level":"error","method":"POST","msg":"Introspection Request with id '069053c0-b2bb-45f2-944d-6554c675fb1b' failed with error: Token is inactive because it is malformed, expired or otherwise invalid. An introspection strategy indicated that the token is inactive. The request could not be authorized. Check that you provided valid credentials in the right format. Could not find the requested resource(s).","path":"/api/oidc/introspection","remote_ip":"172.18.0.1","stack":[{"File":"github.com/authelia/authelia/v4/internal/handlers/handler_oauth2_introspection.go","Line":32,"Name":"OAuth2IntrospectionPOST"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go","Line":114,"Name":"RegisterOpenIDConnectRoutes.NewHTTPToAutheliaHandlerAdaptor.func23"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/bridge.go","Line":66,"Name":"RegisterOpenIDConnectRoutes.(*BridgeBuilder).Build.func2.1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/headers.go","Line":105,"Name":"SecurityHeadersNoStore.func1"},{"File":"github.com/valyala/fasthttp@v1.62.0/server.go","Line":773,"Name":"(*RequestCtx).UserValue"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/headers.go","Line":30,"Name":"SecurityHeadersBase.func1"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/cors.go","Line":216,"Name":"RegisterOpenIDConnectRoutes.(*CORSPolicy).Middleware.func24"},{"File":"github.com/fasthttp/router@v1.5.4/router.go","Line":441,"Name":"(*Router).Handler"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/log_request.go","Line":14,"Name":"handlerMain.LogRequest.func31"},{"File":"github.com/authelia/authelia/v4/internal/middlewares/errors.go","Line":38,"Name":"RecoverPanic.func1"},{"File":"github.com/valyala/fasthttp@v1.62.0/server.go","Line":2455,"Name":"(*Server).serveConn"},{"File":"github.com/valyala/fasthttp@v1.62.0/workerpool.go","Line":225,"Name":"(*workerPool).workerFunc"},{"File":"github.com/valyala/fasthttp@v1.62.0/workerpool.go","Line":197,"Name":"(*workerPool).getCh.func1"},{"File":"runtime/asm_amd64.s","Line":1700,"Name":"goexit"}],"time":"2025-05-31T16:54:02+03:00"}
```

@Strehk commented on GitHub (Nov 26, 2025):

Hey there, I ran into a very similar-looking issue:
Papermerge is failing to introspect tokens with the OIDC provider [PocketID](https://pocket-id.org/) due to a "400 Bad Request" error. The logs indicate that PocketID is reporting "client id or secret not provided" during the introspection call, despite these values being configured in Papermerge's environment variables.

**Papermerge Container ENVs (relevant OIDC configuration):**

```
PAPERMERGE__AUTH__OIDC_CLIENT_SECRET=<cleaned_client_secret>
PAPERMERGE__AUTH__OIDC_CLIENT_ID=<cleaned_client_id>
PAPERMERGE__AUTH__OIDC_AUTHORIZE_URL=https://pocketid.<cleaned_base_url>/authorize
PAPERMERGE__AUTH__OIDC_ACCESS_TOKEN_URL=https://pocketid.<cleaned_base_url>/api/oidc/token
PAPERMERGE__AUTH__OIDC_USER_INFO_URL=https://pocketid.<cleaned_base_url>/api/oidc/userinfo
PAPERMERGE__AUTH__OIDC_LOGOUT_URL=https://pocketid.<cleaned_base_url>/api/oidc/end-session
PAPERMERGE__AUTH__OIDC_INTROSPECT_URL=https://pocketid.<cleaned_base_url>/api/oidc/introspect
PAPERMERGE__AUTH__OIDC_REDIRECT_URL=https://papermerge.<cleaned_base_url>/oidc/callback
```

**Papermerge Container Log Excerpt:**

```
ERROR   Exception in ASGI application
...
ValueError: response.status_code = 400 response.text = Error 400: Bad Request
The server did not understand the request
2025/11/26 21:39:55 [error] 39#39: *37 auth request unexpected status: 500 while sending to client, client: 10.0.1.4, server: _, request: "GET /users/ HTTP/1.1", host: "papermerge.<cleaned_base_url>", referrer: "https://papermerge.<cleaned_base_url>/login"
```

**PocketID Container Log Excerpt:**

```
Nov 26 21:40:26 WRN Request with errors: Error #01: client id or secret not provided
app=pocket-id version=1.15.0 status=400 method=POST path=/api/oidc/introspect query="token=<cleaned_token>&client_id=<cleaned_client_id>&client_secret=<cleaned_client_secret>" route=/api/oidc/introspect ip=217.94.241.34 latency=118.586µs referer="" user_agent=python-httpx/0.27.2 body_size=44
```

**Potential Cause:**
The PocketID logs clearly state "client id or secret not provided," even though the `query` in the log *does* show `client_id` and `client_secret` present. This suggests a potential issue with:

1. How Papermerge is sending these parameters (e.g., incorrect encoding, wrong content-type).
2. A mismatch in expected parameter names.
3. How PocketID specifically is parsing the introspection request parameters (e.g., expecting them in the request body, not the query string for a POST; *very unlikely due to Authelia and Keycloak apparently showing similar issues like in this issue*)

**Additional Information:**
The Papermerge stack trace points to `auth_server/backends/oidc.py`, line 130, within the `introspect_token` function, confirming the issue originates from the introspection call.
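Both reports in this thread stop at the same step, the RFC 7662 token-introspection call: Authelia answers that the token is inactive and PocketID answers 400 "client id or secret not provided". The block below is an added example written for this page by the editor; it is not Papermerge's `auth_server/backends/oidc.py`, nor code from Authelia or PocketID. It uses only the Python standard library, performs no network request, and the endpoint URL, client id and secret are constructed placeholders. It shows what a conformant introspection request looks like for the two client-authentication methods relevant here (`client_secret_post`, the method set in the Authelia client config above, and `client_secret_basic`), a check that reports where the client credentials actually ended up (form body, Basic header, URL query string, or nowhere), a response parser that treats a non-200 reply as a client/configuration error rather than as a denied login, and a redaction helper for log lines, since the PocketID log entry above includes the `client_secret` parameter.

```python
"""Minimal RFC 7662 token-introspection request/response helpers (offline, stdlib only).

Added example for this issue thread; not Papermerge, Authelia or PocketID code.
All URLs and credentials below are constructed placeholders.
"""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values (not from any real deployment).
INTROSPECT_URL = "https://idp.example.test/api/oidc/introspect"
CLIENT_ID = "papermerge_oidc"
CLIENT_SECRET = "example-secret"


def build_introspection_request(introspect_url, token, client_id, client_secret,
                                auth_method="client_secret_post"):
    """Return the HTTP request (method, url, headers, body) that introspects `token`.

    RFC 7662 section 2.1: the token, and any client credentials sent as parameters,
    travel in the entity body as application/x-www-form-urlencoded, not in the URL.
      - client_secret_post:  client_id/client_secret as form fields in the body
      - client_secret_basic: HTTP Basic Authorization header (RFC 6749 section 2.3.1)
    """
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    form = {"token": token, "token_type_hint": "access_token"}
    if auth_method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    elif auth_method == "client_secret_basic":
        creds = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    else:
        raise ValueError(f"unsupported client auth method: {auth_method}")
    return {"method": "POST", "url": introspect_url, "headers": headers,
            "body": urlencode(form)}


def locate_client_credentials(request):
    """Report where the client credentials sit in a prepared request.

    Returns "body", "basic", "query" or "missing". Only "body" and "basic" are
    conformant; "query" means the secret is part of the URL, which is where it
    can surface in the IdP's access log and still not be read as client auth.
    """
    if request["headers"].get("Authorization", "").startswith("Basic "):
        return "basic"
    body = parse_qs(request["body"])
    if "client_id" in body and "client_secret" in body:
        return "body"
    query = parse_qs(urlsplit(request["url"]).query)
    if "client_id" in query and "client_secret" in query:
        return "query"
    return "missing"


def parse_introspection_response(status_code, body_text):
    """Turn an introspection reply into a decision dict.

    A non-200 reply (such as the 400 in this thread) is a client or configuration
    error and is raised, so it is never mistaken for a "token inactive" verdict.
    A 200 with {"active": false} is a valid answer meaning the token is unusable.
    """
    if status_code != 200:
        raise ValueError(f"introspection failed: status={status_code} body={body_text!r}")
    payload = json.loads(body_text)
    if not isinstance(payload.get("active"), bool):
        raise ValueError("introspection reply lacks a boolean 'active' field")
    return payload


def redact_for_log(form_encoded):
    """Mask secret-bearing form/query fields before a request is written to a log."""
    parsed = parse_qs(form_encoded, keep_blank_values=True)
    for key in ("client_secret", "token"):
        if key in parsed:
            parsed[key] = ["REDACTED"]
    return urlencode(parsed, doseq=True)


if __name__ == "__main__":
    req = build_introspection_request(INTROSPECT_URL, "opaque-access-token",
                                      CLIENT_ID, CLIENT_SECRET)
    print(req["method"], req["url"])
    print("credentials sent via:", locate_client_credentials(req))
    print("body as it should be logged:", redact_for_log(req["body"]))
```

When reproducing a failure like the ones above, compare the request your client actually emits (Content-Type, body, Authorization header) against `build_introspection_request`; `locate_client_credentials` run on the captured request tells you in one word whether the credentials were sent in a place the provider is required to accept.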
