Backoffice Login Issues - 502 error - v16

tskotniczny · September 2, 2025, 2:51pm

Context

We’re running Umbraco v16 in Kubernetes
The setup works fine in QA, but in UAT logging into the backoffice consistently fails.

The Issue

Steps to reproduce in UAT:

Go to /umbraco.
Enter valid credentials.
After login → I get a 502 error.
If I then manually change the URL to /umbraco/section/content → wait 1–2 minutes → refresh → the backoffice loads and works fine.

So login works eventually, but only after this weird workaround.

Things I Tried

Created a fresh user → same issue.
Compared OpenIddictApplications between QA and UAT (redirect URIs, logout URIs etc.) → looks consistent.
Looked at OpenIddictAuthorizations/Tokens → both environments generate valid entries.
Checked Ingress configuration and cookie options.

Has anyone seen this before?

We get a similar issue when trying to update from 16.0.0 to 16.1.1 where we are unable to log in to the backoffice with 502 error

glombek · September 2, 2025, 3:05pm

Hi Tomek,

Is it only the first login (after boot/install) or all logins?

What differs about your QA and UAT environments? Are both in K8s? Do you have different config for them? Is one behind a proxy/CDN? etc

Is there anything in the Umbraco Logs when the login fails?

tskotniczny · September 2, 2025, 3:33pm

Hi Joe,

Its happening to all logins - every time I try to log in, it shows me 502
There is nothing different - both are in the same cluster but in different namespaces.
No proxy/cdn.
We apply the same config to both

When it fails, in logs it shows as succeeded, here is the info:

Umbraco.Cms.Api.Management.Controllers.Security.BackOfficeController.Authorize (Umbraco.Cms.Api.Management)

The authorization response was successfully returned to ‘“``https://website.co.uk/umbraco/oauth_complete``”’ using the query response mode: “{ \“code\”: \”[redacted]\", \“state\”: \“zd4GbdWWrs\”,

The authorization request was successfully extracted: "{ \“redirect_uri\”: \“``https://website.co.uk/umbraco/oauth_complete\\``”, \“client_id\”: \“umbraco-back-office\”, \“response_type\”: \“code\”,

An ad hoc authorization was automatically created and associated with the ‘“umbraco-back-office”’ application: “17fa408f-7aee-4276-bcca-33c5acf9df1e”.

I’ve also set these in appsettings:
BackOfficeHost
UmbracoApplicationUrl

to the website url .e.g https://website.co.uk/

tskotniczny · September 3, 2025, 4:10pm

We have found the issue
*21349947 upstream sent too big header while reading response header from upstream”

Adding this fixed it
nginx.ingress.kubernetes.io/proxy-buffering: “on”
nginx.ingress.kubernetes.io/proxy-buffer-size: “128k” # header buffer size
nginx.ingress.kubernetes.io/proxy-buffers-number:“8” # number of buffers