401 Client Error with OpenID authentication

[mitchplze]

Hello,

First time user and I'm having issues with getting OIDC to work properly. I am using Cloudflare > Caddy > Dagu Docker, with a Pocket ID authentication backend. All TLS/SSL termination is done at the proxy, before traffic reaches Dagu (I'm using ports 8525:8080 in my Dagu compose and Caddy forwards to 8525)

Whenever I enable OIDC in Dagu, auth/authenticaton workflow works fine, and I get logged in - but the interface is broken and unusable. All sections are empty and the status page says inactive.

As soon as I switch back to basic auth, things work fine. I am using http_s_ across the board, so not sure what is happening here.

Am I missing something?

Example with basic auth (works ok):

time=2025-10-24T23:13:16.179-07:00 level=INFO msg="Server is starting" addr=0.0.0.0:8080
time=2025-10-24T23:13:19.783-07:00 level=INFO msg="GetCoordinatorStatus called"
time=2025-10-24T23:13:19.783-07:00 level=INFO msg="GetSchedulerStatus called"
2025-10-24T23:13:19.78416145-07:00 INFO Response: 200 OK service: "http" httpRequest: {url: "http://dagu.mydomain.com/api/v2/services/coordinator?remoteNode=local" method: "GET" path: "/api/v2/services/coordinator" remoteIP: "1.2.3.4" proto: "HTTP/1.1" requestID: "0f320d0c7f0f/BCqrMFZ1WQ-000002" scheme: "http" header: {sec-gpc: "1" cf-visitor: "{\"scheme\":\"https\"}" sec-fetch-dest: "empty" x-forwarded-host: "dagu.mydomain.com" x-forwarded-proto: "https" user-agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:144.0) Gecko/20100101 Firefox/144.0" accept-encoding: "gzip, br" cdn-loop: "cloudflare; loops=1" cf-connecting-ip: "1.2.3.4" sec-fetch-mode: "cors" via: "2.0 Caddy" x-forwarded-for: "1.2.3.4, 108.162.246.188" accept-language: "en-CA,en-US;q=0.7,en;q=0.3" cf-ipcountry: "CA" priority: "u=4" accept: "*/*" alt-used: "dagu.mydomain.com" authorization: "***" cf-ray: "993f913dac868689-SEA" cookie: "***" referer: "https://dagu.mydomain.com/system-status" sec-fetch-site: "same-origin"}} httpResponse: {status: 200 bytes: 145 elapsed: 1.246316} 
2025-10-24T23:13:19.78489337-07:00 INFO Response: 200 OK service: "http" httpRequest: {url: "http://dagu.mydomain.com/api/v2/services/scheduler?remoteNode=local" method: "GET" path: "/api/v2/services/scheduler" remoteIP: "1.2.3.4" proto: "HTTP/1.1" requestID: "0f320d0c7f0f/BCqrMFZ1WQ-000001" scheme: "http" header: {sec-fetch-mode: "cors" sec-fetch-site: "same-origin" x-forwarded-for: "1.2.3.4, 108.162.246.188" user-agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:144.0) Gecko/20100101 Firefox/144.0" accept: "*/*" alt-used: "dagu.mydomain.com" cdn-loop: "cloudflare; loops=1" cf-connecting-ip: "1.2.3.4" sec-fetch-dest: "empty" via: "2.0 Caddy" x-forwarded-host: "dagu.mydomain.com" accept-language: "en-CA,en-US;q=0.7,en;q=0.3" authorization: "***" cf-ipcountry: "CA" cookie: "***" sec-gpc: "1" x-forwarded-proto: "https" cf-v

Example with OIDC (login succeeds, but interface is broken):

time=2025-10-24T23:18:09.234-07:00 level=INFO msg="Server is starting" addr=0.0.0.0:8080
2025-10-24T23:18:11.810219534-07:00 INFO Response: 401 Client Error service: "http" httpRequest: {url: "http://dagu.mydomain.com/api/v2/services/scheduler?remoteNode=local" method: "GET" path: "/api/v2/services/scheduler" remoteIP: "1.2.3.4" proto: "HTTP/1.1" requestID: "f7560afeb828/lCweV3l4nj-000002" scheme: "http" header: {user-agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:144.0) Gecko/20100101 Firefox/144.0" cf-ipcountry: "CA" cf-ray: "993f985edb628689-SEA" sec-fetch-mode: "cors" x-forwarded-for: "1.2.3.4, 108.162.246.188" accept-language: "en-CA,en-US;q=0.7,en;q=0.3" cdn-loop: "cloudflare; loops=1" cf-connecting-ip: "1.2.3.4" referer: "https://dagu.mydomain.com/system-status" sec-fetch-dest: "empty" sec-gpc: "1" x-forwarded-host: "dagu.mydomain.com" alt-used: "dagu.mydomain.com" cf-visitor: "{\"scheme\":\"https\"}" cookie: "***" priority: "u=4" sec-fetch-site: "same-origin" via: "2.0 Caddy" x-forwarded-proto: "https" accept: "*/*" accept-encoding: "gzip, br" authorization: "***"}} httpResponse: {status: 401 bytes: 0 elapsed: 0.200135} 
2025-10-24T23:18:11.810219917-07:00 INFO Response: 401 Client Error service: "http" httpRequest: {url: "http://dagu.mydomain.com/api/v2/services/coordinator?remoteNode=local" method: "GET" path: "/api/v2/services/coordinator" remoteIP: "1.2.3.4" proto: "HTTP/1.1" requestID: "f7560afeb828/lCweV3l4nj-000001" scheme: "http" header: {sec-fetch-mode: "cors" accept-encoding: "gzip, br" cf-ipcountry: "CA" cf-ray: "993f985edb638689-SEA" cookie: "***" referer: "https://dagu.mydomain.com/system-status" via: "2.0 Caddy" user-agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:144.0) Gecko/20100101 Firefox/144.0" accept-language: "en-CA,en-US;q=0.7,en;q=0.3" cdn-loop: "cloudflare; loops=1" cf-visitor: "{\"scheme\":\"https\"}" priority: "u=4" sec-gpc: "1" x-forwarded-for: "1.2.3.4, 108.162.246.188" x-forwarded-host: "dagu.mydomain.com" accept: "*/*" sec-fetch-site: "same-origin" x-forwarded-proto: "https" alt-used: "dagu.mydomain.com" authorization: "***" cf-connecting-ip: "1.2.3.4" sec-fetch-dest: "empty"}} httpResponse: {status: 401 bytes: 0 elapsed: 0.230219} 

OIDC env vars

DAGU_AUTH_OIDC_CLIENT_ID="xxx"
DAGU_AUTH_OIDC_CLIENT_SECRET="xxx"
DAGU_AUTH_OIDC_CLIENT_URL="https://dagu.mydomain.com"
DAGU_AUTH_OIDC_ISSUER="https://id.example.com"
DAGU_AUTH_OIDC_SCOPES="openid,profile,email"

[yottahmd]

Hi @mitchplze,
Thank you for your detailed issue report.

I tried reproducing the problem using Pocket ID, but it seems to be working without 401 on my end. But to understand where's the issue, I’ve added an OIDC configuration validation and detailed error messages for OIDC token check failures.

Could you please check the server logs using the latest version and share them if the issue still occurs?

[mitchplze]

Hello! Sorry for the delayed reply. It looks like it was an intermittent problem, as I cannot reproduce the issue anymore. Fantastic! Thanks for the quick reply - and keep up the great project!