[Bug]: OAuth - Do not translate IssuerURL to IP-address(IPv4) - or make it optional #2725

New Issue

Closed

opened 2026-04-25 00:09:57 +02:00 by adam · 5 comments

adam commented 2026-04-25 00:09:57 +02:00

Owner

Copy Link

Copy Source

Originally created by @DaAndaDepp on GitHub (Apr 24, 2025).

What happened?

For users as myself whos ISP only provides an IPv6 connection and uses DS-lite to "tunnel" IPv4, the translation from an URL to an IPv4-address means, that we cannot connect back to a selfhosted OIDC service. Often directly accessing the IPv4-address isnt possible, because it only exists in the ISPs network. At least thats how i understand it.

What did you expect to happen?

Keeping the URL might allow connections.

Steps to reproduce the issue

1. Have only IPv6
2. Try accessing Issuer url e.g. with "Auto-populate"

Audiobookshelf version

v2.20.0

How are you running audiobookshelf?

Docker

What OS is your Audiobookshelf server hosted from?

Linux

If the issue is being seen in the UI, what browsers are you seeing the problem on?

None

Logs

[Auth] Failed to get openid configuration at "https://mydomain.com/webman/sso/.well-known/openid-configuration" AxiosError: connect ECONNREFUSED x.x.x.x:8843 at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1611:16) { port: 8843, address: 'x.x.x.x', syscall: 'connect', code: 'ECONNREFUSED', errno: -111

Additional Notes

edited out my external IP ups

Originally created by @DaAndaDepp on GitHub (Apr 24, 2025). ### What happened? For users as myself whos ISP only provides an IPv6 connection and uses DS-lite to "tunnel" IPv4, the translation from an URL to an IPv4-address means, that we cannot connect back to a selfhosted OIDC service. Often directly accessing the IPv4-address isnt possible, because it only exists in the ISPs network. At least thats how i understand it. ### What did you expect to happen? Keeping the URL might allow connections. ### Steps to reproduce the issue 1. Have only IPv6 2. Try accessing Issuer url e.g. with "Auto-populate" ### Audiobookshelf version v2.20.0 ### How are you running audiobookshelf? Docker ### What OS is your Audiobookshelf server hosted from? Linux ### If the issue is being seen in the UI, what browsers are you seeing the problem on? None ### Logs ```shell [Auth] Failed to get openid configuration at "https://mydomain.com/webman/sso/.well-known/openid-configuration" AxiosError: connect ECONNREFUSED x.x.x.x:8843 at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1611:16) { port: 8843, address: 'x.x.x.x', syscall: 'connect', code: 'ECONNREFUSED', errno: -111 ``` ### Additional Notes _edited out my external IP ups_

adam added the bug label 2026-04-25 00:09:57 +02:00

adam closed this issue 2026-04-25 00:09:57 +02:00

adam commented 2026-04-25 00:09:57 +02:00

Author

Owner

Copy Link

Copy Source

@advplyr commented on GitHub (Apr 24, 2025):

I don't understand this

@advplyr commented on GitHub (Apr 24, 2025): I don't understand this

adam commented 2026-04-25 00:09:57 +02:00

Author

Owner

Copy Link

Copy Source

@DaAndaDepp commented on GitHub (Apr 25, 2025):

I dont understand it either, but what suspect in my case and mb others is:

for discovery or callback the auth.js script is translating an URL like example.com to an IPv4 address like eg. 1.1.1.1 and mb a port

in my case the resolved IPv4, if accessed doesnt connect back to my server, because the ISP doesnt "route back" direct IP queries.
My ISP is only asinging IPv6 addresse(s) to my network and a "virtual" IPv4 address - this is called DS-lite tunnel IPv4 over IPv6
no clue how this works on a technical side

I can access everything fine through URLs
I cannot access anything through an IPv4 IP

I noticed in the logs, that the URL is translated into an IPv4 address. So i asume any request is directed to an IPv4 address which isnt accessable, instead of an URL which can be resolved.

sso.my.domain.com /ssooauth/ssouserinfo/ w/e-> browser shows the response just fine
I can setup my OIDC server, the login page opens just fine. i enter my credentials, evreything is fine, but the callback fails, which according to the logs calls an IPv4 address. same for the discovery

I also tried to setup a hostname, like xyz.local which is recognized in my LAN, but that fails too. my guess is, that the node.js (yes?) implementation in auth.js cannot resolve private networks, why would it...

Sorry, I am not very experienced with this kinda stuff

@DaAndaDepp commented on GitHub (Apr 25, 2025): I dont understand it either, but what suspect in my case and mb others is: for discovery or callback the auth.js script is translating an URL like example.com to an IPv4 address like eg. 1.1.1.1 and mb a port in my case the resolved IPv4, if accessed doesnt connect back to my server, because the ISP doesnt "route back" direct IP queries. My ISP is only asinging IPv6 addresse(s) to my network and a "virtual" IPv4 address - this is called DS-lite tunnel IPv4 over IPv6 no clue how this works on a technical side I can access everything fine through URLs I cannot access anything through an IPv4 IP I noticed in the logs, that the URL is translated into an IPv4 address. So i asume any request is directed to an IPv4 address which isnt accessable, instead of an URL which can be resolved. sso.my.domain.com /ssooauth/ssouserinfo/ w/e-> browser shows the response just fine I can setup my OIDC server, the login page opens just fine. i enter my credentials, evreything is fine, but the callback fails, which according to the logs calls an IPv4 address. same for the discovery I also tried to setup a hostname, like xyz.local which is recognized in my LAN, but that fails too. my guess is, that the node.js (yes?) implementation in auth.js cannot resolve private networks, why would it... Sorry, I am not very experienced with this kinda stuff

adam commented 2026-04-25 00:09:57 +02:00

Author

Owner

Copy Link

Copy Source

@Vito0912 commented on GitHub (Apr 28, 2025):

I am not particularly experienced with OAuth, so this issue may be specific to that context. However, I would like to highlight two points:

1. Vodafone, atleast as of a few years ago when I tried, was relatively lenient in providing IPv4 addresses to customers at no additional cost. It may be worth a try to contact Vodafone directly and ask about obtaining an IPv4 address.

If that approach is unsuccessful (I am looking at you, Deutsche Glasfaser), another option is to purchase an inexpensive VPS—for instance, Ionos offers them for approximately 1€/month. You could then use a VPN solution such as WireGuard to route your traffic through the VPS and obtain IPv4 connectivity.

Addressing the root cause: a domain will generally attempt to resolve to an IPv4 address if an A record is configured. If your connection is DS-Lite only, there is little reason to set an A record in your DNS configuration. By omitting the A record, clients will be forced to resolve the domain via IPv6.

@Vito0912 commented on GitHub (Apr 28, 2025): I am not particularly experienced with OAuth, so this issue may be specific to that context. However, I would like to highlight two points: 1. Vodafone, atleast as of a few years ago when I tried, was relatively lenient in providing IPv4 addresses to customers at no additional cost. It may be worth a try to contact Vodafone directly and ask about obtaining an IPv4 address. If that approach is unsuccessful (I am looking at you, Deutsche Glasfaser), another option is to purchase an inexpensive VPS—for instance, Ionos offers them for approximately 1€/month. You could then use a VPN solution such as WireGuard to route your traffic through the VPS and obtain IPv4 connectivity. Addressing the root cause: a domain will generally attempt to resolve to an IPv4 address if an A record is configured. If your connection is DS-Lite only, there is little reason to set an A record in your DNS configuration. By omitting the A record, clients will be forced to resolve the domain via IPv6.

adam commented 2026-04-25 00:09:57 +02:00

Author

Owner

Copy Link

Copy Source

@Sapd commented on GitHub (May 16, 2025):

I noticed in the logs, that the URL is translated into an IPv4 address. So i asume any request is directed to an IPv4 address which isnt accessable, instead of an URL which can be resolved.

I do not think it is an ABS issue.

ABS itself does not save an IP. It really just saves the IssuerURL and then connects to it over a library dynamically (and the library also does not cache an IP).

What I suspect is that your docker container might not have ipv6 connectivity or something else in your stack.

@Sapd commented on GitHub (May 16, 2025): > I noticed in the logs, that the URL is translated into an IPv4 address. So i asume any request is directed to an IPv4 address which isnt accessable, instead of an URL which can be resolved. I do not think it is an ABS issue. ABS itself does not save an IP. It really just saves the IssuerURL and then connects to it over a library dynamically (and the library also does not cache an IP). What I suspect is that your docker container might not have ipv6 connectivity or something else in your stack.

adam commented 2026-04-25 00:09:58 +02:00

Author

Owner

Copy Link

Copy Source

@DaAndaDepp commented on GitHub (May 18, 2025):

thanks sugesting this, will check it out, when i got some time

@DaAndaDepp commented on GitHub (May 18, 2025): thanks sugesting this, will check it out, when i got some time

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

book_tags_genres_dedupe

episode_download_fallback

Issue-4540-SortBy-StartedDate-and-FinishedDate

episode_meta_tagging

fix_authorize_race_condition

redirect_transcode_requests

progress_updated_sort

fix_ereader_socket_event

fix_change_empty_root_password

fix_podcast_session_track_index

fix_set_token

session_modal_user

localize_durations

fix_oidc_create_user

jwt_auth_refactor

fix_scanner_deleting_single_file_books

fix_mediaprogress_updatedat_2

experimental_next_client

podcast_episode_duration

episode-timestamps-clickable

book_author_secondary_sort_title

podcast_useragents

pathexists_user_access

fix_pathexists_join

book_author_secondary_sort

clean_duplicate_mediaprogress

sanitize_html_description

trix_prevent_attachments

check_path_api_fix

fix_mediaprogress_updatedat

increase_express_json_limit

fix_dockerfile_nunicode

search_episodes

audiobook_tools_update

episode_secondary_sorts

hls_stream_url_update

new_session_track_endpoint

audiobook_tools_enhancements

watcher_rescans_update

player_track_tooltip

fix_exclude_prefixes_crash

socket_item_events

fix_podcast_episode_scanner_promise

new_stats_controller

count_cache_for_userpermissions

parsing-opf-v3

validate_migration_files

fix-quick-match-all-crash

fix-chapter-end-sleep-timer

stringify_sequelize_query

remove-col-ambiguity

fix_next_prev_edit_description

details_trim_whitespace

fix_content_url_basepath

fix_logger_fatal

progress_bar_visibility

batch-edit-populate-map-details

feed_generator_updates

bookmark-modal-updates

migrate-library-item-in-scanner

migrate-new-library-items

migrate-podcasts-new-library-item-2

migrate-podcasts-new-library-item

fix-remove-episode-from-playlist

playback-session-use-new-library-item

refactor-library-item

fix-heatmap-caption

feed-episodes-upsert

share-media-player-media-session-api

remove-old-playlist

remove_old_collection_object

plugin-implementation-demo

feed_migration

refactor-feeds-from-item

fix_remove_authors_no_books

v2.17.3-fk-constraints-migration

migrations-first-upgrade

sqlite_2

feature/nuxt-target-server

waveform

sqlite

playlists

video

v2.35.1

v2.35.0

v2.34.0

v2.33.2

v2.33.1

v2.33.0

v2.32.1

v2.32.0

v2.31.0

v2.30.0

v2.29.0

v2.28.0

v2.27.0

v2.26.3

v2.26.2

v2.26.1

v2.26.0

v2.25.1

v2.25.0

v2.24.0

v2.23.0

v2.22.0

v2.21.0

v2.20.0

v2.19.5

v2.19.4

v2.19.3

v2.19.2

v2.19.1

v2.19.0

v2.18.1

v2.18.0

v2.17.7

v2.17.6

v2.17.5

v2.17.4

v2.17.3

v2.17.2

v2.17.1

v2.17.0

v2.16.2

v2.16.1

v2.16.0

v2.15.1

v2.15.0

v2.14.0

v2.13.4

v2.13.3

v2.13.2

v2.13.1

v2.13.0

v2.12.3

v2.12.2

v2.12.1

v2.12.0

v2.11.0

v2.10.1

v2.10.0

v2.9.0

v2.8.1

v2.8.0

v2.7.2

v2.7.1

v2.7.0

v2.6.0

v2.5.0

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.23

v2.2.22

v2.2.21

v2.2.20

v2.2.19

v2.2.18

v2.2.17

v2.2.16

v2.2.15

v2.2.14

v2.2.13

v2.2.12

v2.2.11

v2.2.10

v2.2.9

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.5

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.24

v2.0.23

v2.0.22

v2.0.21

v2.0.20

v2.0.19

v2.0.18

v2.0.17

v2.0.16

v2.0.15

v2.0.14

v2.0.13

v2.0.12

v2.0.11

v2.0.10

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v1.7.2

v1.7.1

v1.7.0

v1.6.0

v1.5.5

v1.5.0

v1.4.11

v1.4.9

v1.4.7

v1.4.6

v1.4.4

v1.4.2

v1.4.0

v1.4.1

v1.3.4

v1.3.3

v1.3.1

v1.2.8

v1.2.6

v1.2.5

v1.2.4

v1.2.1

v1.1.15

v1.1.14

v1.1.13

v1.1.12

v1.1.11

v1.1.10

v1.1.9

v1.1.8

v1.0.0

0.9.61-beta.0

0.9.61-beta

Labels

Clear labels

authentication

backlog

bug

chapter editor

config-issue

ebooks

encoding/embedding

enhancement

help wanted

listening sessions & progress

planned

possible plugin

progress sync

pull-request

Mirrored from GitHub Pull Request

sorting/filtering/searching

unable to reproduce

upload

users & permissions

waiting

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam (Adam Melkus)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/audiobookshelf#2725