Traefik + Pocket ID, working but redirects for every client authorization event

[adrianmace]

I have traefik working using the traefik-oidc-auth plugin. I hope to sanitise my configuration files soon and share them with you. I've noticed a behaviour that I would like to get clarification on if it's correct or not.

Frequently when I load a protected website, it will redirect to Pocket ID which, since it still has a valid login from earlier, will complete the login animation and redirect back automatically.

Do you think this is expected behaviour, or a bug in either Pocket ID or the plugin I'm using within traefik.

[adrianmace]

traefik.yaml

experimental:
  plugins:
    traefik-oidc-auth:
      moduleName: "github.com/sevensolutions/traefik-oidc-auth"
      version: "v0.6.1"
[...]
http:
  middleware:
    pocket-id:
      plugin:
        traefik-oidc-auth:
          Provider:
            Url: https://pocket-id.domain.example.com/
            ClientId: get-your-own-thanks-pls
            ClientSecret: uowvmthisisasecretgoawayAIAwbNl5dR4
            TokenValidation: IdToken
          Scopes: ["openid", "profile", "email"]
          CallbackUri: /oidc/callback

compose.pocket-id.yaml

---
services:
  pocket-id:
    image: ghcr.io/pocket-id/pocket-id:latest
    restart: unless-stopped
    environment:
      PUID: 1000
      PGID: 1000
      TZ: 'Australia/Melbourne'
      PUBLIC_APP_URL: 'https://pocket-id.domain.example.com'
      MAXMIND_LICENSE_KEY: 'eZ8zwu_xTFl0ZgetyourownpleaseY_mmk'
      CADDY_DISABLED: true  # we will front this with traefik instead
      HOST: '0.0.0.0'  # needed since frontend will try to listen on public IPv6 address and fail
      TRUST_PROXY: true  # doesn't appear to be necessary, but seems harmless and is correct per the docs when behind a reverse proxy
    volumes:
      - './volumes/pocket-id/data:/app/backend/data'
    labels:
      traefik.enable: 'true'
      traefik.http.routers.pocket-id-backend-router.entrypoints: 'https'
      traefik.http.routers.pocket-id-backend-router.rule: 'Host(`pocket-id.domain.example.com`) && (PathPrefix(`/api/`) || PathPrefix(`/.well-known/`))'
      traefik.http.routers.pocket-id-backend-router.service: 'pocket-id-backend-service'
      traefik.http.services.pocket-id-backend-service.loadbalancer.server.port: 8080
      traefik.http.routers.pocket-id-frontend-router.entrypoints: 'https'
      traefik.http.routers.pocket-id-frontend-router.rule: 'Host(`pocket-id.domain.example.com`)'
      traefik.http.routers.pocket-id-frontend-router.service: 'pocket-id-frontend-service'
      traefik.http.services.pocket-id-frontend-service.loadbalancer.server.port: 3000

Pocket ID OIDC Client Settings

compose.whoami.yaml

---
services:
  whoami:
    image: traefik/whoami
    labels:
      traefik.enable: 'true'
      traefik.http.routers.whoami-router.entrypoints: 'https'
      traefik.http.routers.whoami-router.rule: 'Host(`whoami.domain.example.com`)'
      traefik.http.routers.whoami-router.middlewares: 'pocket-id@file'
      traefik.http.routers.whoami-router.service: 'whoami-service'
      traefik.http.services.whoami-service.loadbalancer.server.port: 80

[adrianmace]

This may be related to the cookie, I notice that its Expiry is set to "Session" and SameSite is unset. By contrast, Authentik has their cookie expiry set to 1 month from today and SameSite set to Lax.

With regard to the SameSite parameter, this is useful since I want to sign in once and access all resources configured with that Middleware. I don't want to have to configure a new OIDC client / middleware for each container I am protecting.