
2FAuth

9 Topics 61 Posts
  • 2FAuth - Package Updates

    Pinned
    18
    0 Votes
    18 Posts
    1k Views
    Package Updates
    [1.5.0] Update to correct base image 5.0.0
  • Chicken and egg - Onboarding 2FA mandatory cloudron user with 2FA app?

    9
    1 Votes
    9 Posts
    121 Views
    U
    @jdaviescoates said in Chicken and egg - Onboarding 2FA mandatory cloudron user with 2FA app?: @joseph said in Chicken and egg - Onboarding 2FA mandatory cloudron user with 2FA app?: vaultwarden is fine because it doesn't have Cloudron SSO Yet. Vaultwarden itself does now support OIDC. Or it looks like it will shortly - So would hope for Cloudron SSO to be integrated also! Yet in this case 2FA or the 2FA of Vaultwarden does not really matter, ultimately the issue is the same: How to set up Cloudron 2FA with a cloudron-installed 2FA application. @joseph said in Chicken and egg - Onboarding 2FA mandatory cloudron user with 2FA app?: Was discussing this with a friend yesterday and an analogy he gave me was this is like saving the password manager's password in the password manager itself This won't end well ultimately As mentioned, I get some of the security concerns of having the 2FA related application on a server requiring the same 2FA token to be usable, but there is also no denying the advantages: A central point to manage this app and related-mechanism rather than spreading thin over various servers / architecture / platform Especially on a product/service (Cloudron) that allows for user administrations, administration of the app itself and administration of the 2FA security setting on the same architecture In a limited context (single or small number of users), the resources cost related to on-boarding administering and supporting, often non or limited security-literate users, can be apprehended with a simpler concept, whatever this one might be (e.g. 2FA app of the user's choosing etc..). However, in a different scenario, where the number of users grows, SOPs make sense to be able to strike a reasonable balance between security, scalability and sustainability of the services. It is within this context that my original question fits in - chicken and egg? 
In the end, I would envision a situation where Cloudron admins have their 2FA hosted somewhere else (to mitigate security-related / lock up concerns), but end users would benefit from a 2FA Cloudron related app. Hopefully this makes sense also - thanks a lot for the inputs already!
  • 2FAuth- Leave user management to the app

    Solved
    6
    0 Votes
    6 Posts
    397 Views
    girish
    Latest package has optional sso support. You have to reinstall 2FAuth and select it at installation time.
  • Unable to register/ create first user on account

    3
    1 Votes
    3 Posts
    217 Views
    J
    I think I could reproduce this. Sometimes, if you click login with OpenID it fails. But if you click again, it logs in.
  • OpenID is not timing out and cannot signin

    9
    0 Votes
    9 Posts
    418 Views
    nebulon
    This is especially strange since you mentioned that other apps do work, so if you run that curl command from within a webterminal into that other app, it succeeds? Just in case if this is a hairpin issue maybe, check out https://docs.cloudron.io/troubleshooting/#hairpin-nat
  • Sessions are not cleaned up

    3
    0 Votes
    3 Posts
    298 Views
    girish
    I have moved the session files out of the data directory now. Maybe we should move to redis even later.
  • 3 Votes
    1 Posts
    96 Views
    No one has replied
  • Caution : cloudron portal in 2Fauth

    3
    2 Votes
    3 Posts
    388 Views
    timconsidine
    @fbartels thanks for the clarification
  • 2FAuth - is a mystery...

    9
    0 Votes
    9 Posts
    1k Views
    jdaviescoates
    @LoudLemur said in 2FAuth - is a mystery...: Which Cloudron supported application could make use of 2Fauth? Any that support setting up 2FA, e.g. GitLab, probably loads of others. But it's not really the apps making use of it, it's you using it to generate your 2FA codes to login to those apps.