[Bug]: OIDC Redirect Loop, Timeout 3500 within openid-client following successful negotiation

[mdnguy]

Important: Log Requirement for Troubleshooting

To effectively troubleshoot and resolve issues, it is crucial to provide relevant server and/or browser console logs that replicate the problem. Issues submitted without adequate logs may be difficult to diagnose and are at risk of being automatically closed.

Bug Description

I've little experience with OIDC, but I think there's a bug in the code that creates a loop that ultimately results in the timeout.

The code in these two calls seem to call each other in a loop, which I believe is triggering the timeout.

SparkyFitnessServer/openidRoutes.js:

// Handle the callback from the frontend
router.post("/callback", async (req, res, next) => {

...

    log('debug', `[OIDC Callback] Session state before callback: ${req.session.state}`);
    const tokenSet = await client.callback(
      redirectUri,
      params,
      {
        code_verifier: req.session.codeVerifier,
        state: req.session.state,
        nonce: req.session.nonce,
        response_type: 'code',
        check: {
          issuer: provider.issuer_url,
          id_token_signed_response_alg: provider.signing_algorithm
        }
      }
    );

...

SparkyFitnessFrontend/src/components/OidcCallback.tsx:

const OidcCallback: React.FC = () => {
  const [error, setError] = useState<string | null>(null);
  const location = useLocation();
  const navigate = useNavigate();
  const { signIn } = useAuth();

  useEffect(() => {

...

      try {
        const response = await apiCall('/openid/callback', {
          method: 'POST',
          body: { code, state },
        });

...

Steps to Reproduce

Steps to reproduce the behavior:

Using the 'latest' image from Docker, 0.16.1

Using Portainer running within Container Manager on Synology NAS

Using Synology Reverse Proxy, all proper headers configured

Expected Behavior

Working OIDC login

Actual Behavior

Timeout after 3500ms

Environment

• SparkyFitness Version: 0.16.1, Docker image hash: sha256:f8fb91fec8cb82810a583caf9717237d2ca7fe1c5a48df62e180f3c4267ac4bf
• Running Env: Portainer, Synology NAS

Frontend URL: https://fitness.nas.domain

OIDC redirect: https://fitness.nas.domain/oidc-callback

Authelia with Traefik is running in its own container, client config, running on https://auth.nas.domain

identity_providers:
  oidc:
    hmac_secret: ''
    jwks:
      - key: |
          -----BEGIN RSA PRIVATE KEY-----
          -----END RSA PRIVATE KEY-----
    clients:
      - client_id: 'sparkyfitness'
        client_name: 'SparkyFitness Server'
        client_secret: ''
        public: false
        authorization_policy: 'one_factor'
        token_endpoint_auth_method: 'client_secret_post'
        consent_mode: 'implicit'
        redirect_uris:
          - https://fitness.nas.domain/oidc-callback
        scopes: ['openid', 'profile', 'groups', 'email']
        userinfo_signed_response_alg: 'none'

Relevant Environment Variables (if applicable)

Please list any environment variables you have set that might be relevant to this issue (e.g., API keys, specific configuration flags). Do not share sensitive information like full API keys or passwords.

# Example:
# SPARKY_FITNESS_LOG_LEVEL=DEBUG
# NODE_ENV=development
# TZ=Etc/UTC

Preference Settings

Screenshot of your preference settings

Browser Console Log

Container Log for SparkyFitness

Please provide the container logs for the sparkyfitness service. You can usually obtain these logs using docker logs sparkyfitness or by checking your container orchestration platform's logging interface.

# Paste SparkyFitness container log here

Container Log for SparkyFitness_Server

Please provide the container logs for the sparkyfitness_server service. You can usually obtain these logs using docker logs sparkyfitness_server or by checking your container orchestration platform's logging interface.

[2025-12-27T00:41:38.805Z] [ERROR] OIDC callback error: outgoing request timed out after 3500ms
[2025-12-27T00:41:38.805Z] [ERROR] Error caught by centralized handler: outgoing request timed out after 3500ms RPError: outgoing request timed out after 3500ms
    at /app/SparkyFitnessServer/node_modules/openid-client/lib/helpers/request.js:140:13
    at async Client.grant (/app/SparkyFitnessServer/node_modules/openid-client/lib/client.js:1370:22)
    at async Client.callback (/app/SparkyFitnessServer/node_modules/openid-client/lib/client.js:520:24)
    at async /app/SparkyFitnessServer/openidRoutes.js:176:22
[2025-12-27T01:25:44.093Z] [ERROR] Error fetching OIDC discovery document from https://auth.nas.domain/.well-known/openid-configuration: TypeError: fetch is not a function
    at Object.getOidcProviderById (/app/SparkyFitnessServer/models/oidcProviderRepository.js:69:53)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async getOidcClient (/app/SparkyFitnessServer/openidRoutes.js:17:22)
    at async /app/SparkyFitnessServer/openidRoutes.js:103:27

Screenshots/Videos (Optional)

If applicable, add screenshots or a short video to help explain your problem.

Additional Context

Add any other context about the problem here.

[CodeWithCJ]

Are you unable to login using OIDC? can you share screenshot of your OIDC setup in ADMIN tab?

[mdnguy]

I cannot login using OIDC.

I have validated I can log in to Authelia itself.

I haven't tried to set up another service with Authelia as the OIDC, but that was my next step.

[CodeWithCJ]

Your issuer URL looks incomplete. it should be something like below

https://auth.domain.com/application/o/sparkyfitnessdev/.well-known/openid-configuration

[mdnguy]

This didn't change anything

Unless you're doing something specific with the URL, the OpenID Client automatically appends /.well-known/openid-configuration to the Issuer URL passed into it using Issuer.discover() which you call in getOicdClient so this change would not have fixed anything in the underlying dependency.

If you refer to my issue, the two API calls are calling each other, it looks like an infinite loop.

/oidc/callback -> /oidc-callback

`/oidc-callback -> /oidc/callback'

Due to the recommended redirect URI setting of https://fitness.nas.domain/oidc-callback

[CodeWithCJ]

https://auth.nas.domain should be accessible both inside the server container and as well as in the machine you are accessing https://fitness.nas.domain.
Can you perform curl/ping test to https://auth.nas.domain.

I don't think loop is occurring. I tested with Cloudflare, Authentic and KeyCloak.

If my suspiciosn is correct, your Server doesn't know https://auth.nas.domain. If might need to add below seciton to point to your Authelia's IP

extra_hosts:
     - "auth.rithurockstar.com:10.0.0.10"   # internal IP of Authelia OR host IP

[mdnguy]

I can hit the service from within the container, it would not have gotten as far as it did otherwise.

user@nas.domain:~$ sudo docker exec -it sparkyfitness-sparkyfitness-server-1 /bin/bash
root@6edb525cb321:/app/SparkyFitnessServer# curl https://auth.nas.domain
<!doctype html>
<html lang="en">
    <head>
        <base href="https://auth.nas.domain/" />
        <meta property="csp-nonce" content="Cwqwu0L2ZT0IeXrIFm4CoC592aqWPIx4" />
        <meta charset="utf-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1" />
        <meta name="theme-color" content="#000000" />
        <link rel="manifest" href="./manifest.json" />
        <link rel="icon" href="./favicon.ico" />
        <title></title>
      <script type="module" crossorigin src="./static/js/index.J4YSomth.js"></script>
      <link rel="stylesheet" crossorigin href="./static/css/index.ChexMFeY.css">
    </head>

    <body
        data-basepath=""
        data-duoselfenrollment="false"
        data-logooverride="false"
        data-privacypolicyurl=""
        data-privacypolicyaccept="false"
        data-passkeylogin="false"
        data-rememberme="true"
        data-resetpassword="true"
        data-resetpasswordcustomurl=""
        data-theme="light"
    >
        <noscript>You need to enable JavaScript to run this app.</noscript>
        <div id="root"></div>
    </body>
</html>
root@6edb525cb321:/app/SparkyFitnessServer#

Refer to the original log error:

[2025-12-27T00:41:38.805Z] [ERROR] OIDC callback error: outgoing request timed out after 3500ms
[2025-12-27T00:41:38.805Z] [ERROR] Error caught by centralized handler: outgoing request timed out after 3500ms RPError: outgoing request timed out after 3500ms
    at /app/SparkyFitnessServer/node_modules/openid-client/lib/helpers/request.js:140:13
    at async Client.grant (/app/SparkyFitnessServer/node_modules/openid-client/lib/client.js:1370:22)
    at async Client.callback (/app/SparkyFitnessServer/node_modules/openid-client/lib/client.js:520:24)
    at async /app/SparkyFitnessServer/openidRoutes.js:176:22
[2025-12-27T01:25:44.093Z] [ERROR] Error fetching OIDC discovery document from https://auth.nas.domain/.well-known/openid-configuration: TypeError: fetch is not a function
    at Object.getOidcProviderById (/app/SparkyFitnessServer/models/oidcProviderRepository.js:69:53)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async getOidcClient (/app/SparkyFitnessServer/openidRoutes.js:17:22)
    at async /app/SparkyFitnessServer/openidRoutes.js:103:27

The error is occurring when it calls the redirect URL, which according to your recommended settings, is https://fitness.nas.domain/oidc-callback

I could be mistaken, but based on my tracing of the code:

The request hits sparkyfitness-frontend and is handled by file OidcCallback.tsx

The front-end then calls sparkyfitness-server and the call is handled in openidRouts.js at call router.post("/callback"

This puts us back at:

    at async /app/SparkyFitnessServer/openidRoutes.js:176:22

Where the code is calling:

    // Retrieve the redirect_uri that would have been used.
    // IMPORTANT: This must match one of the URIs registered with the OIDC provider.
    // This now points to the FRONTEND callback handler.
    const redirectUri = (provider.redirect_uris && provider.redirect_uris[0]) || `${process.env.SPARKY_FITNESS_FRONTEND_URL}/oidc-callback`;

    const params = { code, state };

    log('debug', `[OIDC Callback] Session state before callback: ${req.session.state}`);
    const tokenSet = await client.callback( # THIS IS WHERE THE TIMEOUT HAPPENS, IT CALLS /oidc-callback
      redirectUri,

The only way to 'fix' this is to set the prodider's redirect URI to something other than https://fitness.nas.domain/oidc-callback which was recommended in the UI and in the commend itself above.

This is where I'm having a breakdown because I don't know what role the provider.redirectUri plays in the negotiation with an OIDC provider.

[CodeWithCJ]

Probably check in the discord. I know few mentioned it worked with Authelia for them. May be others can assist if there is any configuration issue. As I don't have Authelia, I couldn't troubleshoot further and it works with other providers fine.

[CodeWithCJ]

just checking if you find the fix or still looking for help on this?

[CodeWithCJ]

Re-open if you are stilling looking for help. Post in discord so someone with Authelia can help you.